On Jun 21, 2016 5:44 PM, "Martin Thomson" <martin.thom...@gmail.com> wrote:
>
> On 22 June 2016 at 10:27, Watson Ladd <watsonbl...@gmail.com> wrote:
> > Isn't 0-RTT refusable? Why not treat 1.2 negotiation as a refusal?
>
> The problem isn't that you get a 1.2 ServerHello, it's what happens
> after that. The server is going to choke on your 0-RTT data when it
> receives that instead of the client's second flight. If it doesn't,
> it's probably passing your 0-RTT ciphertext to the application as
> plaintext and that's even worse.

Why isn't 0-RTT an extension in the Client Hello to deal with this?

>
> I don't expect people to update their 1.2 implementations to be able
> to ignore 0-RTT data.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls