> +1 but I think we can go further here and specify 0RTT in such a way that it > only works when the server maintains state, and so that any given 0RTT ticket > may only be used once (to preserve forward secrecy as much as possible within > the constrains of 0RTT).
Do you envision clients only having one resumption handshake at a time? I was under the impression that TLS 1.2 clients typically open multiple resumption handshakes in parallel, and that TLS 1.3 clients would want to do the same. > > -- > Colm _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
