27   Problem in session resumption report

Created: 17 Jul 2023

Status: Approval (Future Improvement)

Part: Part 3 (2023, Edition 2)

Links:

Page: 35

Clause: 8.6

Paragraph: 1

Issue

Add an event for sessions that cannot be resumed

Proposal

A security event shall be raised for "Session could not be resumed; validity time of the session ticket is expired."

Discussion log (columns: Discussion, Created, Status; newest entry first)

Created: 19 Oct 23
Status: Approval (Future Improvement)
- Approved during WG15 Meeting 10/2023, based on previous FDIS comment resolution discussion
- Proposal accepted

Created: 19 Oct 23
Status: Discussion (red)
Moved the addition in clause 7.4.4 as suggested, directly after the paragraph starting with "If session resumption is performed based on the session identifier ...".

Adopted text in clause 8.6 as proposed, to simplify the description to:
"If the lifetime of the session ticket (NewSessionTicket) is expired, the TLS client and server perform a full handshake. In this case a security event shall be raised ("notice: Session could not be resumed as session ticket lifetime expired. Performing a full TLS handshake instead.")."

Created: 08 Aug 23
Status: Discussion (red)
I am OK with adding the additional text to section 7.4.4. However, I would consider placing the additional paragraph at another place in section 7.4.4. Perhaps it is better to place the additional paragraph directly after the paragraph starting with "If session resumption is performed based on the session identifier ...".

I am also OK with adding additional text in section 8.6. However, please consider reformulating the text. In TLSv1.3 the only way to do session resumption is with the NewSessionTicket. In this case, I would not start the additional text with "if session resumption is based on TLS session tickets ...". I think you can simply write "if the lifetime of the NewSessionTicket is expired ...".

Created: 26 Jul 23
Status: Discussion (red)
Proposal according to FDIS comment resolution

Created: 19 Jul 23
Status: Accepted
Accepted in FDIS comment resolution at the WG15 meeting in May 2023

Created: 17 Jul 23
Status: Triage
Note: The previous comment was related to TISSUE 26.
------------------------
TISSUE 27 was accepted during FDIS comment resolution and was not included in the final IEC 62351-3 Ed.2.

Proposal to add the following to clause 7.4.4 (TLS 1.2):
If session resumption is done based on session tickets (as of RFC 5077), and the lifetime of the session ticket is expired, the TLS client and server shall perform a full handshake. In this case a security event shall be raised ("notice: TLS Session could not be resumed as session ticket lifetime has expired. Performing a full TLS handshake instead.").

Proposal to add the following to clause 8.6 (TLS 1.3):
If session resumption is done based on TLS session tickets (as of RFC 8446), and the lifetime of the session ticket is expired, the TLS client and server perform a full handshake. In this case a security event shall be raised ("notice: Session could not be resumed as session ticket lifetime expired. Performing a full TLS handshake instead.").

Note that both security events need to be added to Table A.1.

Created: 17 Jul 23
Status: Triage
This comment was partly accepted during FDIS comment resolution and not included in the final IEC 62351-3 Ed.2.

Proposal:
Add information about the negotiated ciphersuite to the successful TLS session establishment security event in the ExtraInfo field in section 6.1

Note that the negotiated ciphersuite needs to be added to the ExtraInfo field in Table A.1.
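The ticket-lifetime check and the security event adopted above for clause 8.6, as an added example that is not part of this TISSUE record, of IEC 62351-3 or of any TLS library: a client-side and a server-side decision in Python, modelled on the NewSessionTicket fields of RFC 8446 (ticket_lifetime, ticket_age_add) and the obfuscated_ticket_age carried in the pre_shared_key extension. The SessionTicket and SecurityEvent structures, the function names, the peer label and the ExtraInfo keys are assumptions for illustration; the event text is the wording adopted in the discussion, and Table A.1 itself is not reproduced.

```python
"""Added example (not code from the TISSUE record, IEC 62351-3 or a TLS
library): client- and server-side handling of an expired TLS 1.3 session
ticket, falling back to a full handshake and raising the security event
adopted for clause 8.6.  Data structures, function names and ExtraInfo
keys are assumptions for illustration."""
from dataclasses import dataclass, field

# RFC 8446 section 4.6.1: ticket_lifetime is in seconds and MUST NOT exceed 7 days
MAX_TICKET_LIFETIME_S = 604800
MOD32 = 1 << 32

# Event wording adopted for clause 8.6 in the discussion above
EVENT_TICKET_EXPIRED = ("notice: Session could not be resumed as session ticket lifetime "
                        "expired. Performing a full TLS handshake instead.")


@dataclass
class SessionTicket:
    """What a client keeps from a NewSessionTicket message (RFC 8446 section 4.6.1)."""
    ticket: bytes          # opaque ticket value, later used as the PSK identity
    ticket_lifetime: int   # seconds; 0 means the ticket is unusable
    ticket_age_add: int    # 32-bit value the server picked to obfuscate the age
    received_at: int       # client clock (seconds) when the ticket was received

    def effective_lifetime(self) -> int:
        # A server claiming more than 7 days is clamped, as RFC 8446 requires
        return min(self.ticket_lifetime, MAX_TICKET_LIFETIME_S)

    def is_expired(self, now: int) -> bool:
        # Clients MUST NOT use a ticket beyond its lifetime (RFC 8446 section 4.6.1)
        lifetime = self.effective_lifetime()
        return lifetime == 0 or now - self.received_at >= lifetime

    def obfuscated_ticket_age(self, now: int) -> int:
        # RFC 8446 section 4.2.11: age in milliseconds, plus ticket_age_add, mod 2^32
        return ((now - self.received_at) * 1000 + self.ticket_age_add) % MOD32


@dataclass
class SecurityEvent:
    """Shape assumed for the events listed in Table A.1 (assumption, not the standard's)."""
    severity: str
    message: str
    extra_info: dict = field(default_factory=dict)


def client_plan_handshake(ticket, now: int, peer: str):
    """Return (mode, psk_identity, event): 'resume' with the identity to place in the
    pre_shared_key extension, or 'full' with the security event when the ticket expired."""
    if ticket is None:
        return "full", None, None      # nothing cached: a full handshake is normal, no event
    if ticket.is_expired(now):
        event = SecurityEvent("notice", EVENT_TICKET_EXPIRED, {
            "peer": peer,
            "ticket_lifetime_s": ticket.ticket_lifetime,
            "ticket_age_s": now - ticket.received_at,
        })
        return "full", None, event
    identity = {"identity": ticket.ticket,
                "obfuscated_ticket_age": ticket.obfuscated_ticket_age(now)}
    return "resume", identity, None


def server_check_psk(identity, issued_at: int, ticket_age_add: int, ticket_lifetime: int,
                     now: int, peer: str):
    """Server-side counterpart: issued_at and ticket_age_add come from the decrypted
    ticket; a server MUST NOT accept a ticket past its lifetime (RFC 8446 section 4.6.1).
    Returns ('resume', None) or ('full', event)."""
    lifetime = min(ticket_lifetime, MAX_TICKET_LIFETIME_S)
    # Undo the client's obfuscation to recover the age it claims, in seconds
    claimed_age_s = ((identity["obfuscated_ticket_age"] - ticket_age_add) % MOD32) // 1000
    actual_age_s = now - issued_at
    if lifetime == 0 or actual_age_s >= lifetime or claimed_age_s >= lifetime:
        event = SecurityEvent("notice", EVENT_TICKET_EXPIRED, {
            "peer": peer, "ticket_lifetime_s": ticket_lifetime,
            "ticket_age_s": actual_age_s, "client_claimed_age_s": claimed_age_s,
        })
        return "full", event
    return "resume", None


if __name__ == "__main__":
    # Constructed values: a two-hour ticket received at t=1000, checked one and two hours later
    t = SessionTicket(b"\x01\x02", ticket_lifetime=7200, ticket_age_add=0x12345678, received_at=1000)
    print(client_plan_handshake(t, now=4600, peer="rtu-01"))   # resume
    print(client_plan_handshake(t, now=8200, peer="rtu-01"))   # full handshake plus event
```

Both sides use the same event text because the adopted clause 8.6 wording applies to client and server alike; an absent ticket produces a full handshake without an event, since only the expired-ticket case is an anomaly worth logging under Table A.1.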


Tissue DB v. 23.12.13.1