RFR[13] Release Note for Stateless Resumption

Xuelei Fan xuelei.fan at oracle.com
Mon Jul 8 15:30:37 UTC 2019


Hi,

A couple of comments.

In the release note, "For TLS 1.3, stateless tickets use the existing 
PSK resumption extension in RFC 8446[2]. TLS 1.3 will revert to the 
session cache if the server property is false. "

In CSR, "For TLS 1.3, stateless tickets use the existing PSK resumption 
extension in (RFC 8446), which require no properties or settings."

The above two parts of information are not consistent.


----
RFC 5077[1]
RFC 8446[2]
[1]: https://tools.ietf.org/html/rfc5077
[2]: https://tools.ietf.org/html/rfc8446

Just a very personal preference. May not need the cite references for 
RFCs, which are well known.

----
"With less session information cached, some session information may not 
be available."

I did not get the idea.  These words may be confusing and misleading. 
All session information should be available once the session is 
established.  I may just remove this sentence.

----
TLS 1.2

"TLS 1.2" is mentioned multiple times.  The NST extension applies to 
TLS 1.0 and 1.1 as well.  We may want to mention TLS 1.0/1.1 as well.


Maybe, we can just copy the "Specification" section in the CSR as the 
release note.

Thanks,
Xuelei


On 7/8/2019 8:01 AM, Sean Mullan wrote:
> Fixed a couple of typos. Although it says "This feature is enabled by 
> default.", I think you should also say what the default values of the 2 
> properties are, just to make it clear how it is enabled by default.
> 
> Looks good otherwise.
> 
> --Sean
> 
> On 7/2/19 5:43 PM, Anthony Scarpino wrote:
>> Hi,
>>
>> I need a release note review of the Stateless Resumption work
>>
>> https://bugs.openjdk.java.net/browse/JDK-8227105
>>
>> thanks
>>
>> Tony


