2006-01-01 12:05:56
Bernard Aboba <aboba(_at_)internaut(_dot_)com> writes:

In the extreme case (client gets different server every time, and none 
of the servers can understand tickets generated by other servers), it
will degrade to normal TLS (full handshake done every time).

From what I can see, the Ticket structure does not uniquely identify the 
ticket type or ticket version, so that there is no easy way for the server 
to determine what type of ticket has been submitted to it, or whether the 
client is using the recommended format or not.  The server checks the mac 
in the last 20 octets, and if this is valid, then it decrypts the 
encrypted_state.  However, if the client were using the same mac, but a 
different ticket format, the mac could check out, but the StatePlaintext 
would not match.  A Ticket Type/Version field would make it clear to the 
server whether it is handling a Ticket of known type. 

I'm not sure I understand this, Bernard. The client doesn't need
to know anything about the ticket format or get to decide
anything about the mac. It's just the server talking to itself. 
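
The server-side ticket check discussed in this thread, as an added example (not code from the draft or from either poster). It assumes HMAC-SHA1 for the 20-octet MAC, treats encrypted_state as opaque bytes with decryption left out, and uses constructed keys and state; all function names are hypothetical.

```python
import hashlib
import hmac

MAC_LEN = 20  # the thread places the MAC in the last 20 octets of the ticket


def seal_ticket(mac_key: bytes, encrypted_state: bytes) -> bytes:
    """Server side: append a MAC over the (already encrypted) state."""
    tag = hmac.new(mac_key, encrypted_state, hashlib.sha1).digest()
    return encrypted_state + tag


def open_ticket(mac_key: bytes, ticket: bytes):
    """Server side: return encrypted_state if the MAC verifies, else None."""
    if len(ticket) < MAC_LEN:
        return None
    encrypted_state, tag = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    expected = hmac.new(mac_key, encrypted_state, hashlib.sha1).digest()
    # Constant-time comparison; only a valid MAC lets processing continue.
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypted_state


def handle_client_hello(mac_key: bytes, ticket: bytes) -> str:
    """A ticket this server cannot verify degrades to a full handshake."""
    if open_ticket(mac_key, ticket) is not None:
        return "resume"
    return "full handshake"


# Constructed sample data: two servers that do not share ticket keys.
SERVER_A_KEY = bytes(range(32))
SERVER_B_KEY = bytes(range(32, 64))
SAMPLE_STATE = b"constructed-opaque-encrypted-state"
TICKET_FROM_A = seal_ticket(SERVER_A_KEY, SAMPLE_STATE)

if __name__ == "__main__":
    # The client only stores and echoes the ticket; it never parses it.
    print("server A:", handle_client_hello(SERVER_A_KEY, TICKET_FROM_A))
    print("server B:", handle_client_hello(SERVER_B_KEY, TICKET_FROM_A))
```
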


