On Thu, May 04, 2017 at 11:01:02PM +0300, Ilari Liusvaara wrote: > On Thu, May 04, 2017 at 03:12:41PM -0400, Erik Nygren wrote: > > On Wed, May 3, 2017 at 11:13 PM, Eric Rescorla <e...@rtfm.com> wrote: > > > 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining > > > both session-cache and strike register styles and the merits of each. > > > Many of the discussions I've been in seem to have concluded that we should > > always be assuming that 0-RTT data can and will be replayed, and > > applications and application protocols need to design and use it > > carefully, accordingly. > > The problem is, the amount of replays is so great even non-idempotency > that is normally of no consequence becomes a major problem. It isn't one > or two or three replays, it could be _millions_ of replays.
Adaptive fallback to full handshakes. > Almost nothing is idempotent enough, unless extremely carefully designed, > and very few things are. GETs of static data are. > There are loads of GET endpoints there that don't have any wild non- > idempotent behaviour, but still aren't idempotent enough. Yes, this is true. But the idea is that one should not enable 0-rtt for servers that have such behavior. Nico -- _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
