Please forgive me for this naive question, but is there a specific incentive 
for using “SHOULD” instead of
“MUST” only enable 0-RTT application data upon explicit opt-in by the 
application...
My fear is that, even with RFC 2119 terminology, 0RTT will likely be the cause 
of many problems in the future
and that being extra careful here is important… :)

Best,
Benjamin

> On Jun 13, 2017, at 6:12 PM, Andrei Popov <andrei.po...@microsoft.com> wrote:
> 
> Correct, I’m planning a separate API surface for 0-RTT, as OpenSSL did.
> 
> WRT RFC language, perhaps a reasonable compromise would be to say that a TLS 
> implementation SHOULD only enable 0-RTT application data upon explicit opt-in 
> by the application?
> 
> This is more flexible and may involve separate APIs, new off-by-default flags 
> in the existing APIs, whatever else makes sense for a particular TLS 
> implementation…
> 
> Cheers,
> 
> Andrei


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
