RFR[13] Release Note for Stateless Resumption

Anthony Scarpino anthony.scarpino at oracle.com
Mon Jul 8 16:06:13 UTC 2019


On 7/8/19 8:30 AM, Xuelei Fan wrote:
> Hi,
> 
> A couple of comments.
> 
> In the release note, "For TLS 1.3, stateless tickets use the existing 
> PSK resumption extension in RFC 8446[2]. TLS 1.3 will revert to the 
> session cache if the server property is false. "
> 
> In CSR, "For TLS 1.3, stateless tickets use the existing PSK resumption 
> extension in (RFC 8446), which require no properties or settings."
> 
> The above two parts of information are not consistent.

Correct. However, while 1.3 uses the existing ticket mechanism for 
stateless and stateful without a property setting, the contents 
of that ticket do depend on the property.

Initially the CSR was more clear about that, but I think as it got 
edited in review that information was removed as it described the 
property and handshake message relationship more.

Tony

> 
> 
> ----
> RFC 5077[1]
> RFC 8446[2]
> [1]: https://tools.ietf.org/html/rfc5077
> [2]: https://tools.ietf.org/html/rfc8446
> 
> Just a very personal preference. May not need the cite references for 
> RFCs, which are well known.
> 
> ----
> "With less session information cached, some session information may not 
> be available."
> 
> I did not get the idea.  These words may be confusing and misleading. 
> All session information should be available once the session is 
> established.  I may just remove this sentence.
> 
> ----
> TLS 1.2
> 
> "TLS 1.2" is mentioned multiple times.  The NST extension applies to 
> TLS 1.0 and 1.1 as well.  We may want to mention TLS 1.0/1.1 as well.
> 
> 
> Maybe, we can just copy the "Specification" section in the CSR as the 
> release note.
> 
> Thanks,
> Xuelei
> 
> 
> On 7/8/2019 8:01 AM, Sean Mullan wrote:
>> Fixed a couple of typos. Although it says "This feature is enabled by 
>> default.", I think you should also say what the default values of the 
>> 2 properties are, just to make it clear how it is enabled by default.
>>
>> Looks good otherwise.
>>
>> --Sean
>>
>> On 7/2/19 5:43 PM, Anthony Scarpino wrote:
>>> Hi,
>>>
>>> I need a release note review of the Stateless Resumption work
>>>
>>> https://bugs.openjdk.java.net/browse/JDK-8227105
>>>
>>> thanks
>>>
>>> Tony



