Closed huitema closed 6 years ago
Plausible solution is to add a STEK key to the server context. Key would be picked at random when the server starts, or could be configured from the API. The classic solution is to use AEAD encryption, but this requires a different initialization vector for each ticket. A ticket counter might work, or the combination of ticket counter and time of day.
But just imposing a single solution does not seem right. Server farms may require some coordinated ticket assignment. Some environments may prefer a database solution rather than STEK. It seems more plausible to provide a default solution, but let knowledgeable implementations provide their own version of the ptls_encrypt_ticket_t structure.
Implemented the simplest solution: pass an optional encryption key at context creation, generate a random one if nothing is passed.
Using NULL encryption now. That's really just a placeholder. There are several plausible strategies. It might be good to provide hooks so different servers can deploy different logic.
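The default sketched in this thread (a STEK held in the server context, AEAD protection, nonce built from a ticket counter plus time of day) as an added example in Go; this is not picotls code, AES-GCM is assumed as the AEAD, and the `TicketEncryptor` type and its methods are hypothetical names. Keeping the issue time in the nonce also lets the server reject a ticket that is older than a chosen lifetime without decrypting anything first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"sync/atomic"
	"time"
)

// TicketEncryptor holds the server-wide STEK (wrapped as AES-GCM) and a ticket counter.
type TicketEncryptor struct {
	aead    cipher.AEAD
	counter uint64
}
// NewTicketEncryptor wraps a 16/24/32-byte STEK: a configured key, or 32 bytes from crypto/rand drawn at server start.
func NewTicketEncryptor(key []byte) (*TicketEncryptor, error) {
	block, err := aes.NewCipher(key) // rejects any key length other than 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block (128-bit block size)
	return &TicketEncryptor{aead: aead}, nil
}
// Encrypt uses nonce = issue time (4 bytes) || counter (8 bytes), the "counter plus time of day" scheme, so nonces never
// repeat under one key; with a persistent configured key only the time prefix separates restarts. Nonce is prepended in clear and bound as AAD.
func (t *TicketEncryptor) Encrypt(plain []byte, now time.Time) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	binary.BigEndian.PutUint32(nonce[:4], uint32(now.Unix()))
	binary.BigEndian.PutUint64(nonce[4:], atomic.AddUint64(&t.counter, 1))
	out := append(make([]byte, 0, len(nonce)+len(plain)+t.aead.Overhead()), nonce...)
	return t.aead.Seal(out, nonce, plain, nonce)
}
// Decrypt rejects a tampered ticket or one sealed under a different STEK, then enforces maxAge from the issue time in the nonce.
func (t *TicketEncryptor) Decrypt(ticket []byte, now time.Time, maxAge time.Duration) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(ticket) < ns {
		return nil, errors.New("ticket too short")
	}
	plain, err := t.aead.Open(nil, ticket[:ns], ticket[ns:], ticket[:ns])
	if err != nil {
		return nil, errors.New("ticket authentication failed")
	}
	issued := time.Unix(int64(binary.BigEndian.Uint32(ticket[:4])), 0)
	if now.Sub(issued) > maxAge {
		return nil, errors.New("ticket expired")
	}
	return plain, nil
}
```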