Bill Cox <[email protected]> writes: >> Most server admins won't be reading the TLSv1.3 spec. They're going to >> see "shiny feature added specifically in this version that makes it >> faster!" with *maybe* a warning that there are risks, which they'll >> dismiss because "if it was so insecure, they wouldn't have included it >> in the protocol in the first place." Unless 0-RTT can be fixed, it >> looks like an attractive nuisance. > > I agree. Instead of dropping 0-RTT, I think we should make it easy for > admins to learn about what is involved in using 0-RTT in ways we believe > are secure. [snip]
I agree with a slight tweak in wording here, Bill. I think that we /should/ drop the parts of 0-RTT where we are not confident that an admin who blindly enables functionality in TLS 1.3 will not end up harming themselves. More generally, I strongly believe that TLS 1.3 should not provide options which we think should be restricted to "admins who know what they're doing". These end up hurting us down the line (cf EXPORT cipher suites.) I think we should ship the parts of 0-RTT that we believe are intrinsically safe for (the vast majority) of the internet to enable and use on day 1. Sincerely, -- Harlan Lieberman-Berg ~hlieberman _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
