On 23/02/16 22:37, Hugo Krawczyk wrote:
> (In particular, if these semantics may be based on stuff that happens
> outside TLS, as Karthik and Watson were pointing out, then maybe we really
> put a "Surgeon General" warning on 0.5 data of equal size to that of 0-RTT.)
That, and/or also do a significant amount of work to consider other application uses of TLS that aren't well represented by folks who participate in the development of TLS 1.3. And also oddities like EAP-TLS, about which I at least am mostly ignorant but where I'd bet there's "fun" to be had with 0-RTT.

And we have to do that recognising that, regardless of what the RFC says, if developers can improve performance by calling tls_send0() and not tls_send(), they will do the former. IOW, if we are going to define dangerous implements (e.g., with replayable data), then I think the onus is mostly on us to know what bad effects those might have before we've done a good job. (We can try to do that at IETF LC, but doing so isn't common and is often messy if we end up surprising folks.)

Cheers,
S.
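The replay hazard in the message above is one the TLS layer cannot remove on its own, so the application has to decide what it is willing to act on before the handshake confirms freshness. The following guard is an added illustration, not code from the thread or from any TLS implementation; the `early_data` flag, the request shape, the idempotent-method whitelist and the bounded request-id cache are all assumptions.

```python
"""Application-layer guard for requests that arrived as 0-RTT early data.

Added example (not from the original thread). Assumes the TLS stack tells the
application whether a request was delivered before handshake completion
(`early_data=True`); everything about the request format is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import time

# Methods that do not change server state; a replay costs bandwidth, not money.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    early_data: bool                 # True if read before the handshake finished
    request_id: Optional[str] = None  # client-chosen unique id (assumed header)


class EarlyDataGuard:
    """Decide whether early data may be acted on now, later, or not at all."""

    def __init__(self, window_s: float = 10.0) -> None:
        self.window_s = window_s
        self._seen: Dict[str, float] = {}  # request_id -> first time seen

    def _evict(self, now: float) -> None:
        # Replay protection is only as long as our memory; bound it explicitly
        # (TLS tickets have a lifetime for the same reason).
        expired = [rid for rid, t in self._seen.items() if now - t > self.window_s]
        for rid in expired:
            del self._seen[rid]

    def decide(self, req: Request, now: Optional[float] = None) -> str:
        """Return 'accept', 'defer' (process after 1-RTT) or 'reject' (replay)."""
        now = time.time() if now is None else now
        if not req.early_data:
            return "accept"            # fresh by construction: handshake done
        if req.method not in SAFE_METHODS:
            return "defer"             # state-changing: wait for Finished
        self._evict(now)
        if req.request_id is not None:
            if req.request_id in self._seen:
                return "reject"        # same id within window: treat as replay
            self._seen[req.request_id] = now
        return "accept"
```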
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls