Currently the draft specifies that the ALPN must be "the same" as in the connection that established the PSK used with 0-RTT, and that the server must check that the selected ALPN matches what was previously used. I find it unclear whether

1) the client should select and offer one (and only one) application protocol
2) the client can offer multiple protocols, but use the most preferred one offered for 0-RTT data
3) the client must send the exact same ALPN extension as in the previous connection, but must use the ALPN previously selected by the server (even if it was not the client's first offer).

To clarify this we can instead

* allow the client to offer whatever ALPN extension it wants
* define that the 0-RTT data uses the client's most preferred application protocol offer (and the server must pick this ALPN if it accepts 0-RTT), similar to using the first PSK offer if multiple are offered
* recommend that the client uses the same application protocol that was used on the previous connection.

PR: https://github.com/tlswg/tls13-spec/pull/681

Kyle
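
The server-side consequence of the proposal in the message above, as an added example that is not part of the original post, the PR, or any TLS library: accepting 0-RTT and selecting the client's first ALPN offer go together, and in every other case the early data is refused. The `negotiate` function, the `Decision` type, the server's preference-order fallback, and the sample protocol lists are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Decision:
    alpn: Optional[str]       # protocol the server selects (None: no overlap)
    accept_early_data: bool   # whether the 0-RTT data may be processed


def negotiate(client_offers: Sequence[str],
              server_prefs: Sequence[str],
              early_data_offered: bool) -> Decision:
    """Hypothetical model of the proposed rule, not a TLS library API.

    client_offers: ALPN names in the client's preference order.
    server_prefs:  ALPN names the server supports, in its preference order.
    """
    if not client_offers:
        raise ValueError("this sketch only covers handshakes that carry ALPN")

    first_offer = client_offers[0]
    # Proposed rule: 0-RTT data was written for the client's first offer, so
    # accepting 0-RTT and selecting that protocol go together.
    # Assumption: this server favours accepting 0-RTT whenever it can.
    if early_data_offered and first_offer in server_prefs:
        return Decision(first_offer, True)

    # Otherwise negotiate normally (assumed: server preference order) and
    # refuse the early data, so it is never interpreted under a protocol
    # other than the one it was written for.
    for proto in server_prefs:
        if proto in client_offers:
            return Decision(proto, False)
    return Decision(None, False)


if __name__ == "__main__":
    # Constructed sample handshakes.
    print(negotiate(["h2", "http/1.1"], ["http/1.1", "h2"], True))
    print(negotiate(["h2", "http/1.1"], ["http/1.1"], True))
```
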