On 4 May 2017 at 09:16, Colm MacCárthaigh <c...@allcosts.net> wrote:
>> We've historically done a lot to
>> secure applications at a single point, and we're almost at the end of
>> what we can reasonably do for them at this layer. We need to think
>> more holistically and acknowledge that applications need to take some
>> responsibility for their own security.
>
> No we don't. Servers can prevent replay.

I was responding to an overly broad statement you made. In the discussion you also talk about timing side-channels and other ways in which information can leak. Nothing we do at the TLS layer will prevent those from being created in applications.

Also, it might pay to remember that this is part of a larger context. Applications routinely retry and replay; if they didn't, users would.