On Sun, Mar 13, 2016 at 3:41 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
> > Hiya, > > On 13/03/16 14:01, Eric Rescorla wrote: > > > > This is not an accurate way to represent the situation. Those WGs can > safely > > move from TLS 1.2 to 1.3 *as long as they don't use 0-RTT*. > > I agree your 2nd sentence but not your 1st. > > I also think it is prudent to assume that implementers will turn on > replayable data even if nobody has figured out the consequences. That may well be true, but I don't believe that it allows us to make progress. We already know that there are conditions in which 0-RTT is unsafe. That's why the specification has extensive caveats around its use. Therefore, either we (collectively) can: - Not specify it at all. - Specify it and provide warnings that people should only use it in certain circumstances and attempt to delineate these circumstances. In my original message, I proposed that we restrict the use of 0-RTT to settings where it has been explicitly profiled. Your response seems to be that people will turn it on even if we do so. But if that's your position then there's no point in doing any analysis because we already know that there are cases where it's not safe, which is why we are warning them against using it in those cases. In any case, I'm a little surprised by your assertion in a previous message that WGs expect us to do this analysis. That's not been the relationship we've have with WGs in the past; rather, we document the properties we are providing and they have to determine whether those properties are appropriate. Perhaps we could start by actually sponsoring some of those reviews. Given that HTTP is the primary customer for 0-RTT, perhaps Mark or Martin would be willing to start a review there? -Ekr
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
