On 23 February 2016 at 11:24, Wan-Teh Chang <w...@google.com> wrote:
> It seems sufficient to just ban client authentication in replayable
> DH-based 0-RTT. Why remove DH-based 0-RTT altogether?
On the grounds that it is more complex to analyze, build, and test. And given that deferring the feature does no significant harm to those who want it. I acknowledge that persistence of secrets on clients is a material difference between that and PSK-based 0-RTT. I just don't think that it's a good enough reason to pay for what is a relatively expensive feature.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls