On 05/04/2017 02:39 PM, Nico Williams wrote: > On Thu, May 04, 2017 at 03:12:41PM -0400, Erik Nygren wrote: >> On Wed, May 3, 2017 at 11:13 PM, Eric Rescorla <e...@rtfm.com> wrote: >>> 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining >>> both session-cache and strike register styles and the merits of each. > The SHOULD should say that the server-side needs to apply a replay cache > OR fallback onto a full exchange when the 0-rtt data payload involves a > non-idempotent operation.
You seem confused on this key point. The server commits to accepting or rejecting *all* early data, *before* it can look inside and see what it is (in particular, whether or not it is idempotent). > >> Many of the discussions I've been in seem to have concluded that we >> should always be assuming that 0-RTT data can and will be replayed, >> and applications and application protocols need to design and use it >> carefully, accordingly. > Correct. See the above text about idempotency. > > Which is why we (try to) make such a big deal about having an application profile -- to write down what is actually idempotent. -Ben
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
