> On May 3, 2017, at 9:15 PM, Martin Thomson <[email protected]> wrote:
>
> Let's get the fallacy out of the way. TLS 1.3 provides protection
> against replay attacks, just not if you decide to use 0-RTT.
Amen.
> I realize that there is a real risk that this distinction will be lost
> on some, but I can fairly confidently say that it isn't lost on those
> who are considering its use in various protocols. For instance, I've
> spoken to someone who is looking at XMPP seriously and the advice
> there is pretty close to *don't* use 0-RTT.
One obvious use case for 0-RTT is DNS queries. The query protocol is
idempotent, and latency matters. So for DNS over TLS, 0-RTT would be
a good fit. TLS session caches are not attractive on the DNS server
given the enormous query volumes, but STEKs would be a good fit.
--
Viktor.
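A toy model of the idempotency argument in the reply above, added here as an example and not part of the thread: the request records, the zone data and the `Server` class are assumptions made for illustration, not real DNS-over-TLS code.

```python
"""Model of why 0-RTT early data is acceptable for DNS queries but not for
state-changing requests: early data can be replayed, so the server acts on
it only when the operation is idempotent and defers mutations to the
replay-protected 1-RTT path.  Constructed example; zone and records assumed."""

# Constructed zone data standing in for an authoritative DNS server's state.
ZONE = {"example.com": "192.0.2.1", "mail.example.com": "192.0.2.25"}

IDEMPOTENT_OPS = {"query"}   # safe to process from early data
MUTATING_OPS = {"update"}    # must wait for the full handshake


class Server:
    def __init__(self):
        self.zone = dict(ZONE)
        self.writes = 0      # count of state changes applied

    def query(self, name):
        # Idempotent: same answer every time, no state touched.
        return self.zone.get(name)

    def update(self, name, addr):
        # Non-idempotent: every delivery (including a replay) mutates state.
        self.writes += 1
        self.zone[name] = addr
        return self.writes

    def on_early_data(self, record):
        """Return (accepted, result). Only idempotent ops are served in 0-RTT;
        anything else is rejected so a replay cannot cause a second effect."""
        if record["op"] in IDEMPOTENT_OPS:
            return True, self.query(record["name"])
        return False, None

    def on_handshake_complete(self, record):
        """After the 1-RTT handshake (replay-protected), mutations are allowed."""
        if record["op"] in MUTATING_OPS:
            return self.update(record["name"], record["addr"])
        return self.query(record["name"])


def replay_early_data(server, record, times):
    """Deliver the same early-data record `times` times, as a replaying
    network attacker could; returns the list of (accepted, result) pairs."""
    return [server.on_early_data(record) for _ in range(times)]
```

Replaying the query three times yields three identical answers and no state change; the same replay of an update is refused in early data and only takes effect once, after the full handshake.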
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls