On Tue, Jun 28, 2016 at 07:01:51PM +0200, Hubert Kario wrote:
> On Thursday 23 June 2016 18:53:39 Ilari Liusvaara wrote:
> >
> > Sticking 0-RTT data into ClientHello also has the following problems:
> > - One needs to mangle ClientHello (strip an extension on receiver side)
> >   to obtain hash suitable for key derivation for 0-RTT. To do it any
> >   other way either doesn't work, or are cryptographically quite risky.
> > - It bloats ClientHello, something you rather not bloat, especially
> >   with DTLS.
>
> here's a crazy idea:
>
> - introduce a new extension which has meaning of "more data follows"
> - if the server finds it, it expects another Handshake Protocol message
>   from the client
> - the client sends a new "ClientHelloExtension" message that includes
>   additional data, in practice it's continuation of the extension list
>   (just let's use 3 byte length fields in the structure)
>
> the obvious downside is, that TLSv1.2 servers do not support it now

And that is the killer. Remember, what we are discussing is a feature
that server has to explicitly enable: Clients aren't going to use it
uninvited.

TLS 1.2 is going to be around for a long time (unfortunately). Including
bad implementations with serious issues.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls