Looking at PR #468:
- It isn't at all obvious how to use it for stateless rejection.
- It is even less obvious how to recover (not causing a non-retryable fault) from a bad cookie (e.g. expired) remembered from a previous connection.

There are some tricks for both, but with the latter, the 255-byte cookie space can become quite cramped...

I think it would be easier if either:
- Cookies could not be remembered across connections.
- HRR and EE cookies had separate slots they go to in CH.

(Of course, neither of those solves the "failed 0-RTT" case...)

Also, some clients do burst connects, where multiple TLS connections are connected in parallel. Though quite frequently these would be pure-PSK, keyed off one master GDHE-CERT connection.

-Ilari