[gnutls-devel] GnuTLS | Update docs for session ticket key rotation (!768)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Thu Oct 11 17:40:07 CEST 2018
Ander Juaristi commented on a discussion on doc/cha-gtls-app.texi:
> A server supporting session tickets must generate ticket encryption
> and authentication keys using @funcref{gnutls_session_ticket_key_generate}.
> Those keys should be associated with the GnuTLS session using
> - at funcref{gnutls_session_ticket_enable_server}, and should be rotated regularly
> -(e.g., every few hours), to prevent them from becoming long-term keys which
> -if revealed could be used to decrypt all previous sessions.
> + at funcref{gnutls_session_ticket_enable_server}.
> +
> +GnuTLS will rotate these keys regularly. The key rotation interval can be specified with
> + at funcref{gnutls_db_set_cache_expiration}. Every such interval, new keys will be generated from the initial keys
> +that were first established using @funcref{gnutls_session_ticket_enable_server}. This is
I've rephrased it. I think it's clearer now.
```
A server supporting session tickets must generate ticket encryption
and authentication keys using @funcref{gnutls_session_ticket_key_generate}.
Those keys should be associated with the GnuTLS session using
@funcref{gnutls_session_ticket_enable_server}.
Those will be the initial keys, but GnuTLS will rotate them regularly. The key rotation interval
can be specified with @funcref{gnutls_db_set_cache_expiration}. Every such interval,
new keys will be generated from those initial keys. This is a necessary mechanism
to prevent the keys from becoming long-term keys
and as such preserve forward-secrecy in the issued session tickets. If no explicit key rotation interval
is provided, GnuTLS will rotate them every 18 hours by default.
```
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/768#note_108145999
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20181011/e4b82a9e/attachment.html>
More information about the Gnutls-devel
mailing list