Do not reuse PSK identities (TLS 1.3 session tickets)

[nervuri]

Lagrange does reuse them, which is not allowed by the TLS 1.3 spec:

https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.4

Clients SHOULD NOT reuse a ticket for multiple connections. Reuse of a ticket allows passive observers to correlate different connections.

To check this easily, you can open gemini://tlsprivacy.nervuri.net/json/v1, then refresh repeatedly while noting the contents of the psk_identities array. The same identity value is reused across connections and the obfuscated_ticket_age is incremented with the number of (milli)seconds that have passed between each connection. The major web browsers use a different PSK identity every time.

[skyjake]

Has something changed here vs. the previous discussion? As far as I can see, in the context of Gemini, setting a 10 minute maximum time for session reuse mitigates potential tracking issues sufficiently.

Also, "SHOULD NOT" does not equate to "is not allowed"?

[nervuri]

Has something changed here vs. [the previous discussion](https://gitlab.com/gemini-specification/protocol/-/issues/23)?

Ah, damn! I wrote: "To prevent prolongation attacks, clients must not allow server-initiated renewal of session identifiers." But the paper says: "We recommend that a server-initiated renewal of a session identifier must not lead to a prolongation of client-side expiry dates." I messed up there, I should have just quoted the paper. I'll correct it. So, the idea is that "10 minutes" represents a session lifetime. A session can and should use multiple tickets, as the spec advises. It's just that the client should count 10 minutes since the start of the session, not since it received the last ticket from the server.

Also, "SHOULD NOT" does not equate to "is not allowed"?

My bad. Still, it's good to follow this recommendation, the reasoning behind it is sound.