On Thu, May 04, 2017 at 04:35:10PM -0700, Watson Ladd wrote:
> 0-RTT is opt-in per protocol, and what we think of per application.

Yes.

> But it isn't opt-in for web application developers. Once browsers and
> servers start shipping, 0-RTT will turn on by accident or deliberately
> at various places in the stack.

It should be up to servers whether a request is allowed with 0-rtt.
If the server doesn't allow a given 0-rtt request and causes the client
to do one round trip, does it matter that the client tried with 0-rtt?
What can an attacker do?  Can they replay that 0-rtt request?  Surely
not, since the server didn't take it.  And presumably other servers in
the same cluster will make the same decision.

> In conclusion I think there is some thought that needs to go into
> handling 0-RTT on the web, but it is manageable. I don't know about
> other protocols, but they don't have the same kinds of problem as the
> web does with lots of request passing around. Given the benefits here,
> I think people will really want 0-RTT, and we are going to have to
> figure out how to live with it.

Yes.  In particular there has to be a way, either in-TLS, or at the
application layer, to force an extra round-trip to confirm that the
0-rtt data was not an unintended replay.

Nico
-- 
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
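The server-side decision the message describes (the server, not the client, decides per request whether 0-RTT data may be acted on, and otherwise forces the client through one more round trip) can be sketched as an application-layer policy. The following is an added example and is not code from the thread or from any TLS implementation. It assumes a TLS-terminating front end that forwards to an origin server, models the "extra round trip" with the HTTP 425 (Too Early) status and the `Early-Data: 1` request header from RFC 8470 (a later document than this 2017 thread), and uses a constructed policy in which only idempotent methods on non-sensitive paths may be served from early data; `SENSITIVE_PREFIXES`, `Request`, `Response`, `origin`, `front_end` and `client_send` are all hypothetical names chosen for the example.

```python
"""Server-decided 0-RTT request policy (added example, not from the thread).

Early data can be replayed by an attacker who captured it, so the server
must only act on requests whose replay is harmless, and must defer the rest
until the handshake has completed (one extra round trip for the client).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed example: even safe methods on these paths never run from early data.
SENSITIVE_PREFIXES = ("/account/", "/api/transfer")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    early_data: bool = False  # set by the TLS layer: arrived as 0-RTT early data


@dataclass
class Response:
    status: int
    body: str = ""


def allowed_in_early_data(req: Request) -> bool:
    """Policy: replayable data may only drive side-effect-free, non-sensitive requests."""
    if req.method not in IDEMPOTENT_METHODS:
        return False
    return not req.path.startswith(SENSITIVE_PREFIXES)


def origin(req: Request) -> Response:
    """Origin server behind the front end.

    It cannot see the TLS handshake, so it relies on the Early-Data marker the
    front end adds and applies the same policy (the whole cluster decides alike).
    """
    if req.headers.get("Early-Data") == "1" and not allowed_in_early_data(req):
        return Response(425, "Too Early")
    return Response(200, f"{req.method} {req.path} ok")


def front_end(req: Request) -> Response:
    """TLS-terminating front end: refuse disallowed early data, mark the rest."""
    if req.early_data:
        if not allowed_in_early_data(req):
            # Not taken: the data is never acted on, so a replay of it is inert.
            return Response(425, "Too Early")
        forwarded = dict(req.headers, **{"Early-Data": "1"})
        req = Request(req.method, req.path, forwarded, early_data=True)
    return origin(req)


def client_send(req: Request, server: Callable[[Request], Response]) -> Tuple[Response, int]:
    """Client side: attempt in 0-RTT; on 425, resend once after the handshake.

    Returns the final response and the number of request attempts, which is 2
    exactly when the server forced the extra round trip.
    """
    attempts = 1
    resp = server(req)
    if resp.status == 425 and req.early_data:
        attempts += 1
        retry = Request(req.method, req.path, dict(req.headers), early_data=False)
        resp = server(retry)
    return resp, attempts


if __name__ == "__main__":
    for r in (Request("GET", "/index.html", early_data=True),
              Request("POST", "/api/transfer", early_data=True),
              Request("GET", "/account/settings", early_data=True)):
        resp, n = client_send(r, front_end)
        print(f"{r.method} {r.path}: status={resp.status} attempts={n}")
```

The point of splitting the check across `front_end` and `origin` is the one raised in the thread about requests "passing around" a cluster: once the TLS terminator has stripped the handshake context, the only way a downstream server can apply the same decision is an explicit marker on the forwarded request, and the 425 it returns propagates back as the forced extra round trip.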