On Thu, May 04, 2017 at 11:14:01PM -0500, Benjamin Kaduk wrote:
> On 05/04/2017 07:18 PM, Watson Ladd wrote:
> > On Thu, May 4, 2017 at 4:58 PM, Nico Williams <n...@cryptonector.com> wrote:
> >> In particular there has to be a way, either in-TLS, or at the
> >> application layer, to force an extra round-trip to confirm that the
> >> 0-rtt data was not an unintended replay.
> > One can always reject... unless I am misunderstanding the suggestion.
>
> I'm pretty sure Nico still wants data-dependent reject, which is not
> workable in the general case. (See the discussion of reverse proxies.)
What I want? I'm saying that 0-rtt requires much care. Specifically it requires any of:

- replay caching
- not allowing 0-rtt for non-idempotent data (there are several ways to "not allow" 0-rtt in this case)

Take your pick.

Nico

--
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
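As an added illustration of the two options Nico lists (not code from the thread or from any TLS stack), the following server-side policy layers both: a time-bounded replay cache keyed on an identifier the caller derives from the ClientHello, and a refusal to process early data for non-idempotent operations. The identifier, the ticket issue time and the use of HTTP method names as the idempotency signal are assumptions for the example.

```python
import time

# Early data is only honoured within this many seconds of the ticket's
# issue time. The bound also keeps the replay cache finite (assumed value).
REPLAY_WINDOW_SECONDS = 10
# Operations safe to execute on possibly replayed data (assumption: HTTP).
IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS"}


class EarlyDataReplayCache:
    """Option 1 from the thread: remember each early-data identifier seen
    inside the window so a duplicate is detected as a replay."""

    def __init__(self, window=REPLAY_WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock          # injectable for testing
        self.seen = {}              # identifier -> time first seen

    def first_use(self, identifier, ticket_issue_time):
        now = self.clock()
        self._expire(now)
        if now - ticket_issue_time > self.window:
            # Too old to be covered by the cache: treat as a replay and
            # make the client fall back to a full 1-RTT handshake.
            return False
        if identifier in self.seen:
            return False            # duplicate inside the window: replay
        self.seen[identifier] = now
        return True

    def _expire(self, now):
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t <= self.window}


def early_data_decision(method, identifier, ticket_issue_time, cache):
    """Return 'accept' to process 0-RTT data now, or 'reject' to refuse it
    and force the extra round trip. Option 2 from the thread (no 0-RTT for
    non-idempotent data) is applied before consulting the replay cache."""
    if method not in IDEMPOTENT_METHODS:
        return "reject"
    if not cache.first_use(identifier, ticket_issue_time):
        return "reject"
    return "accept"
```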