On 29/03/16 11:29, Martin Thomson wrote: > https://github.com/tlswg/tls13-spec/pull/437 > > In short, have the client report the time since it received the > configuration. Then have the server reject early data if the time > doesn't match. > > I think that this is a relatively easy change to make. Now, your > exposure to replay is much less. > > It's not ironclad, since the server needs to account for a round trip, > but I think that would could probably get the window down to > single-digit seconds.
In an offlist exchange with Martin, I suggested allowing finer granularity than 1s, e.g. 1ms. I'm not sure how practically useful that would be, but I don't think it'd constitute much of a new fingerprinting risk (as the ticket bytes identify all the genuine 0rtt requests from the same client anyway) and it might provide some clients and servers with a way to reduce the possible harm even more. Cheers, S. > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls >
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
