In WG discussion of draft-vvv-tls-cross-sni-resumption-00, tracking implications came up. While that draft does expand the set of servers that can cross-resume, it's not a new issue. For instance, on the Web, if https://a.example and https://b.example both include a subresource to a common https://tracker.example, TLS session resumption may be used to correlate activity across the two sites.
We should have some text mentioning that servers can correlate connections that resume, and recommending that clients partition their session caches to align with their desired correlation boundaries.
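A minimal simulation of the correlation described above, as an added example that is not part of the original issue or the draft. The `TrackerServer` and `Client` classes are hypothetical, tickets are modeled as random single-use strings, and the top-level site is assumed to be the client's desired correlation boundary.

```python
import secrets

class TrackerServer:
    """Constructed stand-in for https://tracker.example."""
    def __init__(self):
        self.issued = {}   # ticket -> id of the connection that received it
        self.links = []    # (earlier_conn, later_conn) pairs the server can correlate
        self.count = 0

    def handshake(self, offered_ticket=None):
        self.count += 1
        conn = self.count
        # A resumed connection reveals which earlier connection it continues.
        if offered_ticket in self.issued:
            self.links.append((self.issued[offered_ticket], conn))
        new_ticket = secrets.token_hex(16)
        self.issued[new_ticket] = conn
        return new_ticket

class Client:
    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.cache = {}    # session cache: key -> ticket

    def _key(self, top_level_site, server_name):
        # Partitioned: key on (top-level site, server). Unpartitioned: server only.
        return (top_level_site, server_name) if self.partitioned else (None, server_name)

    def fetch(self, top_level_site, server_name, server):
        key = self._key(top_level_site, server_name)
        ticket = self.cache.pop(key, None)          # tickets are used once
        self.cache[key] = server.handshake(ticket)  # store the fresh ticket

def correlated_links(partitioned):
    """Load the tracker subresource from a.example, b.example, then a.example again."""
    tracker = TrackerServer()
    client = Client(partitioned)
    for site in ("a.example", "b.example", "a.example"):
        client.fetch(site, "tracker.example", tracker)
    return tracker.links

if __name__ == "__main__":
    print("unpartitioned:", correlated_links(False))
    print("partitioned:  ", correlated_links(True))
```

With the partitioned cache the only link the server sees joins connections 1 and 3, both made under a.example, so resumption still works inside the boundary but no longer ties a.example activity to b.example.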