On 7 March 2017 at 08:43, David Benjamin <[email protected]> wrote:
> To clarify, our interpretation of the spec was that it is the encrypted
> data, not unencrypted data.
Well, clearly we disagree. To be clear, I don't mind much if it's the encrypted data, though we'd need to also agree if the count included the authentication tag (yes, probably) and the record header (I don't know).

You appear to be conflating two things:

1. The amount of data that a server might have to hold on to when it accepts 0-RTT. The original reason Filippo suggested this feature was so that it would be possible for their servers to hold 0-RTT data until the handshake was complete.

2. Records that do nothing other than waste server time. Into this category we can place records with only padding or very little actual data, extra key updates, CertificateRequest, and - the one you highlight here - early data that is ignored.

My interpretation was that the first was the only thing that needed tight bounds; the second could be quite fuzzy and could come down to things like current server load and DoS mitigation strategies.

We really need to agree on the right answer here.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
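The disagreement above is about which byte count a server compares against max_early_data_size. The following is an added illustration, not code from either poster or from any TLS implementation: it models 0-RTT records by their sizes only (a 5-byte record header, a 1-byte inner content type, zero padding and a 16-byte AEAD tag are assumed, with no real encryption) and shows how the same three records land on opposite sides of a limit depending on whether plaintext application data or ciphertext (with or without the header) is counted. It also separates the two concerns in the reply: bytes a server must buffer if it holds 0-RTT until the handshake completes, and bytes that cost work but carry no data. For context, the published RFC 8446 (section 4.6.1) settled on counting only application data payload, excluding padding and the inner content type byte; that is the "plaintext" reading here.

```python
"""Accounting of 0-RTT bytes against max_early_data_size under different readings.

Added example for the thread above; not code from the mailing-list posters.
Record sizes are modelled, not produced by a TLS stack: constructed constants
below stand in for the TLS 1.3 record header and AEAD tag lengths.
"""
from dataclasses import dataclass
from typing import Iterable, Literal

RECORD_HEADER_LEN = 5   # opaque_type(1) + legacy_record_version(2) + length(2)
AEAD_TAG_LEN = 16       # tag size for the TLS 1.3 AES-GCM / ChaCha20-Poly1305 suites
INNER_TYPE_LEN = 1      # TLSInnerPlaintext.type byte that precedes the padding

Reading = Literal["plaintext", "ciphertext_no_header", "ciphertext_with_header"]


@dataclass(frozen=True)
class EarlyDataRecord:
    """One 0-RTT application-data record, described by its sizes only."""
    app_bytes: int     # bytes of TLSInnerPlaintext.content that carry data
    padding: int = 0   # zero bytes appended after the inner type byte

    def ciphertext_len(self) -> int:
        # AEAD output = inner plaintext (content + type byte + padding) + tag
        return self.app_bytes + INNER_TYPE_LEN + self.padding + AEAD_TAG_LEN

    def wire_len(self) -> int:
        # What a server sees on the wire, including the unencrypted header
        return RECORD_HEADER_LEN + self.ciphertext_len()

    def counted(self, reading: Reading) -> int:
        """Bytes this record contributes under a given reading of the limit."""
        if reading == "plaintext":
            return self.app_bytes
        if reading == "ciphertext_no_header":
            return self.ciphertext_len()
        return self.wire_len()


def early_data_total(records: Iterable[EarlyDataRecord], reading: Reading) -> int:
    return sum(r.counted(reading) for r in records)


def exceeds_limit(records: Iterable[EarlyDataRecord], limit: int,
                  reading: Reading) -> bool:
    """True when the client has sent more than max_early_data_size bytes."""
    return early_data_total(records, reading) > limit


def bytes_server_must_buffer(records: Iterable[EarlyDataRecord]) -> int:
    """Concern (1): a server holding 0-RTT until the handshake completes has to
    keep every wire byte, regardless of which reading the limit uses."""
    return sum(r.wire_len() for r in records)


def bytes_without_data(records: Iterable[EarlyDataRecord]) -> int:
    """Concern (2): overhead (headers, padding, type byte, tags) that costs the
    server work without delivering application data. A server that rejects
    0-RTT lacks the keys, so it cannot tell this apart from real data."""
    return sum(r.wire_len() - r.app_bytes for r in records)


# Constructed sample: 600 data bytes, then a padding-only record, then 400 more.
SAMPLE = [
    EarlyDataRecord(app_bytes=600),
    EarlyDataRecord(app_bytes=0, padding=500),
    EarlyDataRecord(app_bytes=400),
]
LIMIT = 1024

if __name__ == "__main__":
    for reading in ("plaintext", "ciphertext_no_header", "ciphertext_with_header"):
        total = early_data_total(SAMPLE, reading)
        verdict = "over" if exceeds_limit(SAMPLE, LIMIT, reading) else "within"
        print(f"{reading:>22}: {total:5d} bytes -> {verdict} limit of {LIMIT}")
    print("must buffer if 0-RTT is held:", bytes_server_must_buffer(SAMPLE))
    print("overhead bytes carrying no data:", bytes_without_data(SAMPLE))
```

With the sample above, the plaintext reading totals 1000 bytes and stays within the 1024-byte limit, while either ciphertext reading passes 1500 bytes and exceeds it; the padding-only record is the difference, since it counts as zero under the plaintext reading but as 522 wire bytes a buffering or rejecting server still has to handle.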
