On 06/04/2017 02:08 PM, Bill Cox wrote:
> My feeling is that when talking to stateless 0-RTT servers, browsers
> should send only idempotent HTTP requests, and accept
> less-than-perfect FS.  I also feel they should avoid attempts at
> client auth over 0-RTT.  However, when talking to servers that prevent
> replay (but not re-transmission) I think browsers should be free to
> send any HTTP requests over 0-RTT, and also attempt client auth.  The
> security properties of 0-RTT data are still different, but for
> browsers, where it does not matter whether the re-transmission is in
> the browser or TLS layer, the security seems equivalent to me.

I think we're at a point where multiple people have expressed what their
(subjective) feeling on the desired behavior is, and those feelings are
not in agreement.

So, some more concrete reasoning and deductions seem required in order
for such contributions to be useful towards reaching consensus.

-Ben

P.S. It seems pretty well established that a client will not in general
have a good idea whether it's talking to a server that prevents replay
or is stateless.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
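As an added illustration (not code from Bill Cox, Ben, or the TLS working group), the split in the quoted message can be written as a client-side early-data policy next to the origin-side check a replay-exposed server would apply, with the P.S. reflected by an "unknown" server kind that is treated like a stateless one. It assumes the idempotent-method set of RFC 7231 (GET, HEAD, PUT, DELETE, OPTIONS, TRACE) and the `Early-Data: 1` request header and 425 (Too Early) status of RFC 8470, which was published after this thread; the replay filter and the request/response trace are constructed for the example.

```python
"""Early-data (0-RTT) policy helpers, client side and origin side.

Added example, not code from the thread. Assumes:
  * RFC 7231 s.4.2.2 idempotent methods (GET, HEAD, PUT, DELETE, OPTIONS, TRACE);
  * RFC 8470: an intermediary/TLS terminator marks requests that arrived as
    0-RTT with 'Early-Data: 1', and an origin may answer 425 (Too Early).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class ServerKind(Enum):
    UNKNOWN = "unknown"          # client cannot tell (the P.S.): treated as stateless
    STATELESS = "stateless"      # 0-RTT may be replayed against it
    REPLAY_SAFE = "replay-safe"  # server rejects replays (single-use tickets/cache)


IDEMPOTENT_METHODS = frozenset({"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"})


@dataclass
class Request:
    method: str
    path: str
    client_auth: bool = False           # would the request carry client auth?
    headers: dict = field(default_factory=dict)


def may_send_as_early_data(req: Request, kind: ServerKind) -> bool:
    """Client policy from the quoted message: anything over 0-RTT to a
    replay-safe server; to a stateless (or unknown) server only idempotent
    requests and no client authentication."""
    if kind is ServerKind.REPLAY_SAFE:
        return True
    return req.method.upper() in IDEMPOTENT_METHODS and not req.client_auth


class ReplayFilter:
    """Constructed stand-in for a server-side anti-replay store: each early-data
    identifier (e.g. a ticket or ClientHello-derived value) is accepted once."""

    def __init__(self) -> None:
        self._seen = set()

    def accept(self, early_data_id: str) -> bool:
        if early_data_id in self._seen:
            return False            # duplicate: early data is discarded
        self._seen.add(early_data_id)
        return True


def origin_early_data_status(req: Request, replay_protected: bool) -> Optional[int]:
    """Origin-side mitigation (RFC 8470): if the request arrived as early data and
    nothing upstream prevents replay, refuse non-idempotent methods with 425 so
    the client retries after the handshake completes. None means process it."""
    if req.headers.get("Early-Data") != "1":
        return None
    if replay_protected or req.method.upper() in IDEMPOTENT_METHODS:
        return None
    return 425


def deliver(req: Request, kind: ServerKind,
            replay_filter: Optional[ReplayFilter] = None,
            early_data_id: str = "ticket-1") -> Tuple[bool, int]:
    """Constructed trace of one request: (sent_as_early_data, status).
    A 425 means the client must resend the request after the 1-RTT handshake."""
    if not may_send_as_early_data(req, kind):
        return (False, 200)                       # sent after the handshake instead
    early_req = Request(req.method, req.path, req.client_auth,
                        {**req.headers, "Early-Data": "1"})
    replay_protected = replay_filter is not None
    if replay_protected and not replay_filter.accept(early_data_id):
        return (True, 425)                        # replayed 0-RTT data rejected
    status = origin_early_data_status(early_req, replay_protected)
    return (True, status if status is not None else 200)


if __name__ == "__main__":
    print(deliver(Request("GET", "/"), ServerKind.UNKNOWN))          # (True, 200)
    print(deliver(Request("POST", "/pay"), ServerKind.UNKNOWN))      # (False, 200)
    rf = ReplayFilter()
    print(deliver(Request("POST", "/pay"), ServerKind.REPLAY_SAFE, rf))  # (True, 200)
    print(deliver(Request("POST", "/pay"), ServerKind.REPLAY_SAFE, rf))  # (True, 425)
```

The client policy alone only helps when the client guesses the server kind correctly, which the P.S. says it generally cannot; the origin-side 425 check is the part a deployment controls, and it is what makes a replayed non-idempotent request harmless rather than merely unlikely.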
