This is an exploration of what it might take to bootstrap 0RTT without a prior TLS connection.
https://tools.ietf.org/html/draft-thomson-tls-offline-config-00

There are two important lessons I've learned from this:

1. authentication is important (and hard to get right)
2. TLS implicitly includes a bunch of stuff in the server configuration; these are explicitly manifest here as extensions to the server configuration

On this latter point, I believe that this identifies the additional state that needs to be considered as part of a server configuration by clients. These are implicitly included in the regular 0RTT setup and don't get entered into the 0RTT handshake hash. I don't think that's a problem, but it might be worth thinking about some. For instance, if a CertificateRequest alters how the client behaves for a second connection, should that be covered by the handshake hash for that connection? Similar concerns might apply to cipher suite selection and supported groups.

For an offline configuration, the entire configuration is included both under a signature and as part of the handshake transcript for the new connection. That means that the certificate is covered twice.