On Mon, Mar 14, 2016 at 12:32:51PM -0700, Eric Rescorla wrote:
>
> As far as I can tell, there's no protocol difference between "stateful" and
> "stateless" resumption.
> You use the same techniques (a replay cache) and the question is merely
> whether the server actually maintains one.
Agreed. If the server maintains a replay cache, one gets replay limited to one per 0RTT connection even with DH-0RTT. And without a server replay cache, one gets near-infinite replay per 0RTT connection, no matter what the client does (other than 0*$VERYLARGE=0).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
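To make the two cases in this exchange concrete, here is an added simulation (my own example, not code from either poster or from any TLS implementation) of a server-side 0-RTT replay cache. The server keys its strike register on the PSK identity plus ClientHello.random, so a captured 0-RTT flight is accepted at most once while a genuinely new connection under the same ticket still gets through; a server with no cache accepts every copy. The `EarlyData` record, the `window` bound and the rule that 0-RTT is refused for tickets older than the cache window are assumptions of this example, chosen so that evicting old entries does not silently reopen the replay window.

```python
"""Constructed simulation of 0-RTT replay handling with and without a
server-side replay cache.  Not code from the TLS thread; all names and the
sample flights below are made up for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EarlyData:
    """One 0-RTT flight as the server sees it (simplified, constructed)."""
    ticket_id: bytes          # PSK identity the client presents
    client_random: bytes      # ClientHello.random; fresh for every honest connection
    ticket_issued_at: float   # when the server issued the ticket (seconds)
    payload: bytes            # the early application data


class ReplayCache:
    """Strike register that remembers each accepted flight for `window` seconds.

    Entries are evicted after `window`, so 0-RTT is also refused for tickets
    older than `window`; otherwise a replay would succeed as soon as the entry
    is gone.  Both rules are assumptions of this example.
    """

    def __init__(self, window: float = 10.0) -> None:
        self.window = window
        self._seen: Dict[bytes, float] = {}

    @staticmethod
    def key(flight: EarlyData) -> bytes:
        # One entry per (ticket, connection); keying on the ticket alone would
        # instead make tickets single-use, which is stricter.
        return hashlib.sha256(flight.ticket_id + flight.client_random).digest()

    def accept(self, flight: EarlyData, now: float) -> bool:
        # Drop expired entries so the register stays bounded.
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.window}
        if now - flight.ticket_issued_at >= self.window:
            return False          # older than the register covers: no 0-RTT
        k = self.key(flight)
        if k in self._seen:
            return False          # replay of a flight already processed
        self._seen[k] = now
        return True


def server_accepts(flight: EarlyData, cache: Optional[ReplayCache], now: float) -> bool:
    """A stateless server (cache is None) accepts every copy it receives."""
    if cache is None:
        return True
    return cache.accept(flight, now)


def count_accepted(cache: Optional[ReplayCache], flights: List[EarlyData], now: float = 1.0) -> int:
    """How many of `flights`, delivered in order at time `now`, are accepted."""
    return sum(server_accepts(f, cache, now) for f in flights)


def demo() -> Dict[str, int]:
    # Constructed flights: one honest 0-RTT flight, five replays of it, and a
    # new connection reusing the same ticket with a fresh ClientHello.random.
    honest = EarlyData(b"ticket-0001", bytes(32), 0.0, b"POST /orders (non-idempotent)")
    replays = [honest] * 5
    fresh = EarlyData(b"ticket-0001", bytes([1]) * 32, 0.0, b"POST /orders")
    return {
        "stateless_replays_accepted": count_accepted(None, replays),          # 5
        "stateful_replays_accepted": count_accepted(ReplayCache(), replays),  # 1
        "stateful_two_connections": count_accepted(ReplayCache(), [honest, fresh]),  # 2
        "no_early_data_sent": count_accepted(None, []),                       # 0
    }


if __name__ == "__main__":
    for name, n in demo().items():
        print(f"{name}: {n}")
```

The last entry is the "0*$VERYLARGE=0" case: a client that sends no early data has nothing to replay whatever the server does. Everything else is decided on the server side, which is the point of the thread.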