(Trivial optimization warning) Just perusing my draft and noticed that NSS pads a 0-RTT handshake, which is not that surprising given that it's fairly beefy (it will get even larger in -18). Since a 0-RTT handshake will break servers that don't at least superficially understand TLS 1.3, maybe we could avoid pading in this case. Is there any reason we shouldn't include that advice in the draft?
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls