On 30 March 2016 at 12:45, Kyle Nekritz <knekr...@fb.com> wrote:
> The time since the client hello was sent/received can still be used if it is
> stored after opening the connection.

Only if we introduce an inconsistency by asking for different handling in different circumstances. I agree that in many cases, NewSessionTicket is generated in response to something in the client's first flight, but that's not a guarantee.

> It's also important exactly where and when the server checks the timestamp.
> If the timestamp is solely checked upon receipt of the client hello, an
> attacker can slowly trickle replayed 0-RTT data to the server, which somewhat
> defeats the point of a very narrow replay window (with a 1 second window, the
> connection must be opened within 1 second, but the application data could
> actually get delivered minutes later).

If you want to handle the pathological cases, feel free to propose mitigation.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
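The trickling problem Kyle describes, modelled as an added example that is not part of the thread: a toy server-side gate that records when the ClientHello was accepted and, optionally, re-applies the replay window to each 0-RTT record at delivery time rather than only at the ClientHello. The class and function names (`EarlyDataGate`, `trickle_scenario`) and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field

WINDOW_SECONDS = 1.0  # the "very narrow replay window" discussed in the thread


@dataclass
class EarlyDataGate:
    """Hypothetical 0-RTT freshness gate; not any real TLS stack's API."""
    window: float = WINDOW_SECONDS
    # Per-connection: server clock when the ClientHello was accepted.
    # This is the "stored after opening the connection" value from the reply.
    hello_accepted_at: dict = field(default_factory=dict)

    def on_client_hello(self, conn_id: str, client_sent_at: float, now: float) -> bool:
        """Check the client's timestamp once, on receipt of the ClientHello."""
        if now - client_sent_at > self.window:
            return False  # stale hello: 0-RTT rejected outright
        self.hello_accepted_at[conn_id] = now
        return True

    def on_early_data(self, conn_id: str, now: float, check_at_delivery: bool) -> bool:
        """Decide whether a 0-RTT record is handed to the application.

        check_at_delivery=False reproduces the weakness in the quoted message:
        only the ClientHello was checked, so a record trickled in minutes later
        is still delivered. check_at_delivery=True re-applies the window here.
        """
        accepted = self.hello_accepted_at.get(conn_id)
        if accepted is None:
            return False  # no accepted hello for this connection
        if check_at_delivery and now - accepted > self.window:
            return False  # early data arrived outside the replay window
        return True


def trickle_scenario(check_at_delivery: bool) -> bool:
    """Constructed timeline: hello at t=100.0, a 0-RTT record trickled at t=400.0.

    Returns True if the late record would be delivered to the application.
    """
    gate = EarlyDataGate()
    assert gate.on_client_hello("conn-1", client_sent_at=99.8, now=100.0)
    return gate.on_early_data("conn-1", now=400.0, check_at_delivery=check_at_delivery)
```

With the delivery-time check disabled the late record passes; enabling it closes the gap the message describes, at the cost of the server keeping a per-connection timestamp.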