Regards, Brian
On 10/16/21 6:30 PM, Tim Wicinski wrote:
This is a good point Ben. I'll catch up with Brian and discuss, but I'd also like to hear from the working group and DNS-over-QUIC authors where they feel this should live.

tim

On Fri, Oct 15, 2021 at 4:49 PM Ben Schwartz <bemasc= [email protected]> wrote:

On Fri, Oct 15, 2021 at 2:51 PM Christian Huitema <[email protected]> wrote:

* Details on usage of 0-RTT with XFR QUERY, issue https://github.com/huitema/dnsoquic/issues/99 by Martin Thomson. The current text is wrong, because 0-RTT resumption includes carry over of the authentication negotiated in the previous connection. We may want to not consider XFR Queries as replayable, and ask servers to wait until the handshake is complete before processing them.

* Details on the 0-RTT mitigation text, issue https://github.com/huitema/dnsoquic/issues/102 by Martin Thomson. The current text is based on the original analysis done by DKG years ago, which pointed out the risks of replaying 0-RTT packets at attacker-chosen times. That attack is largely mitigated by the replay protection in TLS 1.3, which is mandatory to implement. 0-RTT packets can only be replayed within a narrow window, which is only wide enough to account for variations in clock skew and network transmission. Need to update the text and account for that.

This seems like another good reason to move the 0-RTT discussion into the 0-RTT draft. I've opened a copy-and-paste PR here: https://github.com/ghedo/draft-ghedini-dprive-early-data/pull/4

I would appreciate clearer guidance from the chairs on where the 0-RTT text should live.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
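The server-side rule Christian proposes for issue 99 (treat XFR queries as not replayable and hold them until the handshake completes, while answering ordinary queries from 0-RTT) can be expressed as a small classifier over the incoming DoQ stream. The following is an added example for this thread; it is not code from the dnsoquic draft, the early-data draft, or any DoQ implementation. It assumes the 2-octet length prefix DoQ puts in front of each DNS message on a stream, that the QUIC/TLS stack tells the application whether a stream arrived in early data, and that opcodes other than standard QUERY are also deferred (a choice made here, not something the thread states). All function and constant names are this example's own.

```python
"""Classify DNS-over-QUIC queries that arrive as TLS 1.3 0-RTT early data.

Added example, not the draft's or any implementation's code.  Assumptions:
  * each DNS message on a DoQ stream is preceded by a 2-octet length prefix;
  * the transport reports whether the stream was received in early data;
  * non-QUERY opcodes are deferred along with XFR (this example's choice).
"""
import struct
from enum import Enum

# QTYPE values from the IANA DNS parameters registry.
QTYPE_A = 1
QTYPE_IXFR = 251
QTYPE_AXFR = 252
OPCODE_QUERY = 0

# Zone transfers depend on the authentication negotiated on the previous
# connection, which 0-RTT resumption carries over, so they are not answered
# from early data.
NON_REPLAYABLE_QTYPES = {QTYPE_AXFR, QTYPE_IXFR}


class Disposition(Enum):
    PROCESS = "process"  # safe to answer now
    DEFER = "defer"      # hold until the TLS handshake has completed
    REJECT = "reject"    # malformed; reset the stream


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int) -> bytes:
    """Build a one-question IN-class query framed as a DoQ stream payload.

    The Message ID is 0: DoQ matches answers to queries by stream, not by ID.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def parse_question(payload: bytes):
    """Return (opcode, qname, qtype) from a DoQ stream payload; raise ValueError if malformed."""
    if len(payload) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated message")
    _qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    opcode = (flags >> 11) & 0xF
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        off += 1
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(msg):
        raise ValueError("question section truncated")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return opcode, ".".join(labels) + ".", qtype


def classify_early_data(payload: bytes, received_in_early_data: bool) -> Disposition:
    """Decide whether a query on a freshly opened stream may be processed now."""
    try:
        opcode, _qname, qtype = parse_question(payload)
    except ValueError:
        return Disposition.REJECT
    if not received_in_early_data:
        return Disposition.PROCESS  # 1-RTT data: handshake already complete
    if opcode != OPCODE_QUERY or qtype in NON_REPLAYABLE_QTYPES:
        return Disposition.DEFER    # answer only after the handshake completes
    return Disposition.PROCESS


if __name__ == "__main__":
    for qtype, early in ((QTYPE_A, True), (QTYPE_AXFR, True), (QTYPE_AXFR, False)):
        print(qtype, early, classify_early_data(build_query("example.com.", qtype), early))
```

A server would keep deferred streams in a queue and drain it from the handshake-complete callback; the classification itself stays the same whichever QUIC library is underneath, and the replay window enforced by the TLS 1.3 stack (the point raised under issue 102) is what bounds how late a PROCESS-class query can be replayed.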
