On Mon, Oct 10, 2016 at 1:49 PM, Watson Ladd <watsonbl...@gmail.com> wrote:
> > The problem is with poorly-behaved senders and attackers resending > 0-RTT data. Receivers should be able to ensure side-effectfull > operations are not carried out by 0-RTT data. Making 0-RTT silent in > APIs transforms an interoperability issue into a silent security > issue. This is not a good idea. > +1. FWIW, Patrick McManus made a pretty eloquent and convincing case in Berlin that the web is substantially broken without retry logic in the browsers, that naturally make application-level replay mitigation a necessity. But I don't think (nor do I think he claimed) that the same is true of all protocols or systems that might use TLS. So while 0-RTT-obliviousness may be okay for browsers in particular given the other constraints under which they operate, it is probably not good to bake that into the API for the general case. Kyle
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
