rdroms / draft-green-tls-static-dh-in-tls13

Work area for Internet Draft draft-green-tls-static-dh-in-tls13

Clarify requirement in Section 3 #18

Open rdroms opened 7 years ago

rdroms commented 7 years ago

From Tim Polk:

I do not understand this requirement. Should this be “detect” instead of “decrypt”?

o The solution must be able to decrypt when a TLS session is reused. This may involve the use of a TLS decryption appliance.

rdroms commented 7 years ago

Thanks for the explanation on the session reuse bullet. Russ, Paul and I were musing about whether this was a requirement two weeks ago, so I should have realized that was what was intended! I suggest the following edit, since the TLS 1.3 spec refers to this as session resumption.

OLD

o The solution must be able to decrypt when a TLS session is reused. This may involve the use of a TLS decryption appliance.

NEW

o The solution must support traffic decryption after TLS session resumption. This may involve the use of a TLS decryption appliance.

I changed “must be able to decrypt” to “must support traffic decryption” since the specification permits monitoring resumed sessions, but we don’t describe how to do it in this spec.