On Wed, May 3, 2017 at 8:13 PM, Eric Rescorla <e...@rtfm.com> wrote:

> I made some proposals yesterday
> (https://www.ietf.org/mail-archive/web/tls/current/msg23088.html).
>
> Specifically:
> 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining
> both session-cache and strike register styles and the merits of each.
>
> 2. Document 0-RTT greasing in draft-ietf-tls-grease
>
> 3. Adopt PR#448 (or some variant) so that session-id style implementations
> provide PFS.
>
> 4. I would add to this that we recommend that proxy/CDN implementations
> signal which data is 0-RTT and which is 1-RTT to the back-end (this was in
> Colm's original message).

This all sounds great to me. I'm not sure that we need (4.) if we have (1.). I think with (1.) - recombobulating to a single stream might even be best overall, to reduce application complexity, and it seems to be what most implementors are actually doing. I know that leaves the DKG attack, but from a client's and server's perspective that attack is basically identical to a server timeout, and it's something that systems likely have some fault tolerance around. It's not /new/ broken-ness.

> Based on Colm's response, I think this largely hits the points he made
> in his original message.
>
> There's already a PR for #3 and I'll have PRs for #1 and #4 tomorrow.
> What would be most helpful to me as Editor would be if people could review
> these PRs and/or suggest other specific changes that we should make
> to the document.

Will do! Many thanks.

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls