On Sunday 13 March 2016, Eric Rescorla <e...@rtfm.com> wrote:
>
>
> 1. Nothing requires applications to use this feature at all. First, servers
> need to advertise it and are free to (a) not offer clients the ability to
> send 0-RTT data and (b) refuse to accept it if clients send it. Moreover,
> everyone I know of who is considering building a 1.3 library intends to
> provide that data to the server via a separate API, so the server will have
> to work to get it.
>

Security is very difficult to judge and measure - but speed is very easy.
This sets up a sort of "race to the bottom" where providers may feel
pressured to respond and enable an unsafe feature, because the speed
benefit is more apparent than the loss of security. There's a real
trade-off; we should favor the S in TLS :)

-
Colm


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
