On Fri, Mar 25, 2016 at 12:24:32PM -0700, Eric Rescorla wrote: > On Fri, Mar 25, 2016 at 12:23 PM, Colm MacCárthaigh <c...@allcosts.net> > wrote: > > > > An implementation would have to be willing to sacrifice replay protection, > > some cryptographic safety and forward secrecy for the 0RTT data. I'm sure > > there are implementations that would sacrifice these things to get lower > > latency more cheaply, but should they be encouraged? > > > > The issue isn't encouraged. It's whether we should design the protocol so > that it cannot be implemented any other way.
Also, implementing protocol that it can't be done another way isn't trivial (aside from limiting session IDs to some small size or something line that... If one has enough space to offload state, one can just ignore state updates, making things replayable... -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
