  *   What if the server receives data with the 0-RTT boundary spanning an 
HTTP/2 frame? Is that a 0-RTT request? 1-RTT? Invalid?
It appears safe to treat such data as 0-RTT; only the application can make this 
call, and it needs info from the TLS stack to make this call.


  *   We could say that the application profile should modify the protocol to 
reject such cases. Now, we’re taking on complexity in every protocol 
specification and parser.
It would of course be preferable (some would argue, necessary) to secure 0-RTT 
application_data at the TLS layer, but so far we’ve failed to come up with a 
way to do so.


  *   Our problem is that a server wishes not to process some HTTP requests (or 
other protocol units) at 0-RTT and needs to detect this case. So check a 
boolean signal for whether the connection has currently passed the 1-RTT point 
before any unsafe processing.
I think this would be a valid implementation of #3. There may be other 
implementation options that make more sense for a different TLS API or a 
different application protocol, so I’d rather not put a specific implementation 
option in the RFC.

Cheers,

Andrei
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

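The following is an added illustration, not code from the thread or from any TLS implementation, of the two points discussed above: treating a protocol unit whose bytes straddle the 0-RTT/1-RTT boundary as 0-RTT, and checking the TLS stack's "past the 1-RTT point" boolean before any unsafe processing. Everything in it is assumed for illustration: the TLS stack is modelled as delivering plaintext chunks tagged with the key epoch they were decrypted under, the application protocol is a simplified HTTP/2-like length-prefixed framing (3-byte length, 1-byte type, payload), and the constructed input consists of a GET entirely in early data, a POST whose first bytes arrive in early data and whose remainder arrives under 1-RTT keys, and a POST entirely under 1-RTT keys.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Hypothetical epoch tags a TLS stack might attach to delivered plaintext.
EARLY, ONE_RTT = "0-RTT", "1-RTT"
REQUEST = 0x01                       # hypothetical frame type: a request
SAFE_METHODS = {b"GET", b"HEAD"}     # replay-safe methods allowed in early data


@dataclass
class Chunk:
    """Plaintext as handed up by the (modelled) TLS stack, tagged by epoch."""
    data: bytes
    epoch: str


@dataclass
class Frame:
    ftype: int
    payload: bytes
    started_in: str    # epoch of the frame's first byte
    finished_in: str   # epoch of the frame's last byte

    @property
    def spans_boundary(self) -> bool:
        return self.started_in != self.finished_in


def encode_frame(ftype: int, payload: bytes) -> bytes:
    """Simplified HTTP/2-like framing: 3-byte length, 1-byte type, payload."""
    return len(payload).to_bytes(3, "big") + bytes([ftype]) + payload


class FrameReassembler:
    """Reassembles frames across chunks while remembering each byte's epoch."""
    HEADER_LEN = 4

    def __init__(self) -> None:
        self.buf = bytearray()
        self.epochs: List[str] = []   # one epoch tag per buffered byte

    def feed(self, chunk: Chunk) -> Iterator[Frame]:
        self.buf += chunk.data
        self.epochs += [chunk.epoch] * len(chunk.data)
        while len(self.buf) >= self.HEADER_LEN:
            length = int.from_bytes(self.buf[:3], "big")
            total = self.HEADER_LEN + length
            if len(self.buf) < total:
                return                # wait for the rest of this frame
            frame = Frame(self.buf[3], bytes(self.buf[4:total]),
                          self.epochs[0], self.epochs[total - 1])
            del self.buf[:total]
            del self.epochs[:total]
            yield frame


def classify(frame: Frame) -> str:
    """A frame that started in early data counts as 0-RTT, even if it
    finished under 1-RTT keys (the conservative reading from the thread)."""
    return EARLY if frame.started_in == EARLY else ONE_RTT


def decide(frame: Frame, tls_past_1rtt: bool) -> str:
    if frame.ftype != REQUEST:
        return "ignore"
    method = frame.payload.split(b" ", 1)[0]
    if method in SAFE_METHODS:
        return "process"              # replay-safe regardless of epoch
    # Unsafe request: require the TLS stack's "past 1-RTT" boolean AND that
    # none of this frame's bytes were received as early data.
    if tls_past_1rtt and classify(frame) == ONE_RTT:
        return "process"
    return "reject-too-early"


def run_scenario() -> List[Tuple[bytes, str, bool, str]]:
    """Constructed input; returns (payload, epoch class, spans?, decision)."""
    f1 = encode_frame(REQUEST, b"GET /index")
    f2 = encode_frame(REQUEST, b"POST /pay amount=10")
    f3 = encode_frame(REQUEST, b"POST /pay amount=10")
    chunks = [
        Chunk(f1 + f2[:6], EARLY),     # all of f1 and the start of f2
        Chunk(f2[6:] + f3, ONE_RTT),   # rest of f2 and all of f3
    ]
    reassembler = FrameReassembler()
    tls_past_1rtt = False              # the boolean signal from the TLS stack
    results = []
    for chunk in chunks:
        if chunk.epoch == ONE_RTT:
            tls_past_1rtt = True
        for fr in reassembler.feed(chunk):
            results.append((fr.payload, classify(fr), fr.spans_boundary,
                            decide(fr, tls_past_1rtt)))
    return results


if __name__ == "__main__":
    for payload, epoch, spans, decision in run_scenario():
        print(f"{payload!r:32} {epoch:6} spans={spans!s:5} -> {decision}")
```

The spanning POST is rejected even though the server has already passed the 1-RTT point when its last byte arrives: the per-byte epoch tags are what make that distinction possible, which is why the application needs more than a single boolean from the TLS stack to handle the boundary case.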