David Benjamin wrote our section on 0-RTT backward compatibility to be a little bit lenient about server deployment. On consideration, I think that a simpler set of rules is better:

1. If the server advertises support for 0-RTT, then it implies a commitment to support TLS 1.3 for the duration of that advertisement.
2. Therefore, if the client attempts 0-RTT, then it should reject a ServerHello with TLS 1.2 or older.

https://github.com/tlswg/tls13-spec/pull/502

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
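
A client-side check for rule 2, as an added example that is not part of the original message or of the linked pull request. It assumes the ServerHello layout and the supported_versions extension as published in RFC 8446, which may differ from the draft under discussion in the message; the function names and the sample messages are constructed for illustration.

```python
import struct

TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension number from RFC 8446

class DowngradeAfterEarlyData(Exception):
    """Server picked TLS 1.2 or older although the client attempted 0-RTT."""

def negotiated_version(sh: bytes) -> int:
    """Version selected by a ServerHello body (handshake header stripped)."""
    if len(sh) < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = int.from_bytes(sh[0:2], "big")
    pos = 34 + 1 + sh[34] + 2 + 1  # random, session id, suite, compression
    if pos > len(sh):
        raise ValueError("truncated ServerHello")
    if pos == len(sh):  # pre-1.3 servers may send no extensions at all
        return legacy_version
    ext_end = pos + 2 + int.from_bytes(sh[pos:pos + 2], "big")
    if ext_end != len(sh):
        raise ValueError("bad extensions length")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", sh, pos)
        pos += 4
        is_sv = ext_type == EXT_SUPPORTED_VERSIONS
        if pos + ext_len > ext_end or (is_sv and ext_len != 2):
            raise ValueError("malformed extension")
        if is_sv:  # in a ServerHello this carries the single selected version
            return int.from_bytes(sh[pos:pos + 2], "big")
        pos += ext_len
    if pos != ext_end:
        raise ValueError("trailing bytes in extensions")
    return legacy_version

def check_server_hello(sh: bytes, attempted_0rtt: bool) -> int:
    """Rule 2: a client that attempted 0-RTT rejects TLS 1.2 or older."""
    version = negotiated_version(sh)
    if attempted_0rtt and version < TLS13:
        raise DowngradeAfterEarlyData(f"0-RTT sent, server chose {version:#06x}")
    return version

def build_server_hello(legacy_version, selected=None, suite=0x1301):
    """Constructed sample body: zero random, empty session id echo."""
    body = struct.pack("!H", legacy_version) + bytes(33) + struct.pack("!HB", suite, 0)
    if selected is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    return body
```
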