Request for comment: the session ticket protection scheme for distributed TLS sessions.

Xue-Lei Fan XUELEI.FAN at ORACLE.COM
Thu Oct 29 03:40:34 UTC 2020


The PNG may be too large to open from some mail systems.  Here is the PDF version.  BTW, I also made an update on the use of the AEAD algorithm with additional data.

Thanks,
Xuelei

-------------- next part --------------
A non-text attachment was scrubbed...
Name: distributed_credential_protection.pdf
Type: application/pdf
Size: 95691 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20201028/b2267999/distributed_credential_protection.pdf>
-------------- next part --------------

> On Oct 23, 2020, at 8:58 AM, Xuelei Fan <Xuelei.Fan at Oracle.Com> wrote:
> 
> Hi,
> 
> I'm working on the JEP to improve the scalability and throughput of the TLS implementation, by supporting distributed session resumption across clusters of computers.
> 
> TLS session tickets will be used for session resumption in a cluster. To support distributed session resumption, a session ticket that is generated and protected in one server node must be usable for session resumption on other server nodes in the distributed system. Each node should use the same session ticket structure, and share the secrets that are used to protect session tickets.  For more details, please refer to the JEP:
>  https://bugs.openjdk.java.net/browse/JDK-8245551
> 
> It is an essential part of the implementation that we need to define a session ticket protection scheme. The scheme will support key generation, key rotation and key synchronization across clusters of computers.
> 
> The attached doc_distributed_credential_protection.md is a markdown file, which may not be easy to read.  So I attached a rendered picture as well.
> 
> Please let me know if you have any concerns.  Any comments are welcome.
> 
> Thanks,
> Xuelei
> <distributed-credentials.png><doc_distributed_credential_protection.md>
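The mail above names the three properties the ticket protection scheme must have: the same ticket structure on every node, a shared secret used to protect tickets, and support for key rotation; the follow-up adds that tickets are sealed with an AEAD algorithm using additional data. The class below is an added illustration of how those properties fit together and is not the JEP's scheme, the JDK's code, or the attached document. It assumes AES-GCM as the AEAD, a hypothetical 5-byte header (format version plus a 32-bit key id) that is authenticated as the additional data, and a key ring that every node receives out of band; the session state and key ids are constructed sample values. The point a practitioner should take from it is that the key id must travel inside the ticket and be bound by the tag, because a node cannot otherwise tell which ring entry to use once rotation has happened, and that an unknown or retired key id simply means "not resumable", which falls back to a full handshake rather than failing the connection.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Illustrative ticket sealer (assumed design, not the JDK's): every node holds
 * the same key ring, tickets are protected with AES-GCM, and the format version
 * plus key id are authenticated as additional data so they cannot be swapped.
 */
public final class TicketSealer {
    private static final byte FORMAT_VERSION = 1;   // hypothetical ticket format version
    private static final int NONCE_LEN = 12;        // 96-bit GCM nonce
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Key ring shared by all nodes; synchronisation is assumed to happen out of band.
    // Only currentKeyId seals new tickets; older ids stay so earlier tickets still unseal.
    private final Map<Integer, SecretKey> keys = new ConcurrentHashMap<>();
    private volatile int currentKeyId;

    public TicketSealer(int initialKeyId, SecretKey initialKey) {
        keys.put(initialKeyId, initialKey);
        currentKeyId = initialKeyId;
    }

    /** Rotation: the new key seals from now on; old keys remain for unseal until retired. */
    public void rotate(int newKeyId, SecretKey newKey) {
        keys.put(newKeyId, newKey);
        currentKeyId = newKeyId;
    }

    /** Retiring a key makes every ticket sealed under it non-resumable on this node. */
    public void retire(int keyId) { keys.remove(keyId); }

    /** Ticket layout (assumed): version(1) | keyId(4) | nonce(12) | ciphertext || tag(16). */
    public byte[] seal(byte[] sessionState) throws GeneralSecurityException {
        int keyId = currentKeyId;
        SecretKey key = keys.get(keyId);
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);                  // fresh per ticket; never reuse under one key
        byte[] aad = header(keyId);            // version + keyId are bound into the tag
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(sessionState);
        return ByteBuffer.allocate(aad.length + NONCE_LEN + ct.length)
                .put(aad).put(nonce).put(ct).array();
    }

    /** Returns the session state, or null when the ticket is malformed, tampered, or uses an unknown key. */
    public byte[] unseal(byte[] ticket) {
        if (ticket.length < 1 + 4 + NONCE_LEN + TAG_BITS / 8) return null;
        ByteBuffer in = ByteBuffer.wrap(ticket);
        byte version = in.get();
        int keyId = in.getInt();
        if (version != FORMAT_VERSION) return null;
        SecretKey key = keys.get(keyId);
        if (key == null) return null;          // retired or never-shared key: do a full handshake
        byte[] nonce = new byte[NONCE_LEN];
        in.get(nonce);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            c.updateAAD(header(keyId));        // a modified version or keyId fails the tag check
            return c.doFinal(ct);
        } catch (GeneralSecurityException e) {
            return null;                       // AEADBadTagException and friends: not resumable
        }
    }

    private static byte[] header(int keyId) {
        return ByteBuffer.allocate(5).put(FORMAT_VERSION).putInt(keyId).array();
    }

    public static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        SecretKey k1 = newKey();
        TicketSealer nodeA = new TicketSealer(1, k1);
        TicketSealer nodeB = new TicketSealer(1, k1);   // second node, same shared ring
        byte[] state = "constructed-session-state".getBytes(StandardCharsets.UTF_8);
        byte[] ticket = nodeA.seal(state);
        System.out.println("node B resumes ticket from node A: " + Arrays.equals(state, nodeB.unseal(ticket)));

        SecretKey k2 = newKey();
        nodeA.rotate(2, k2); nodeB.rotate(2, k2);       // rotation must reach every node
        System.out.println("old ticket still resumes after rotation: " + (nodeB.unseal(ticket) != null));
        nodeB.retire(1);
        System.out.println("old ticket after key 1 is retired: " + (nodeB.unseal(ticket) != null));

        ticket[ticket.length - 1] ^= 1;                 // corrupt one tag byte
        System.out.println("tampered ticket resumes: " + (nodeA.unseal(ticket) != null));
    }
}
```

Compile and run with `javac TicketSealer.java && java TicketSealer`. Two nodes constructed with the same ring accept each other's tickets, a ticket sealed under key 1 keeps resuming after rotation to key 2 until key 1 is retired, and any change to the header, nonce, ciphertext or tag makes `unseal` return null. The nonce is random per ticket, which is adequate for ticket volumes well below the 96-bit birthday bound; a deployment issuing very large numbers of tickets under one key would rotate keys on a count or time budget for that reason as well.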
