On 5/21/2017 7:28 PM, Colm MacCárthaigh wrote:
>
> On Sun, May 21, 2017 at 3:47 PM, Eric Rescorla <e...@rtfm.com
> <mailto:e...@rtfm.com>> wrote:
>
>> ...
>> I'm happy to write this up as part of the first two techniques. I'd be
>> interested in hearing from others in the WG what they think about:
>>
>> 1. Requiring it.
>> 2. Whether they still want to retain the stateless technique.
>
> I'm for requiring it, and for removing the stateless technique ...
> because it prevents the side-channel and DOS attacks and those seem
> like the most serious ones (and also, the new ones).
>
> So far each case where we've thought "Actually stateless might be ok
> in this case" ... like the example of DNS ... turns out not to be safe
> when examined more closely (in DNS's case it would compromise privacy
> because caches could be probed).
I would much rather see this specified within TLS than within the application. Specifically, I would not like to see applications making statements that they can only use 0-RTT if the TLS software that they use does implement "at most once" limitations on 0-RTT tickets. You know, pretty much like those security sections that explain that a careless application will be safe if it runs over IPSEC. Maybe with some RFC 6919 language.

-- Christian Huitema
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
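The two options the thread is weighing, as an added example that is not part of the original messages or of any TLS implementation: a stateless check that only tests the ticket's apparent age (so a replayed 0-RTT ClientHello inside the freshness window is accepted every time), beside a stateful "at most once" store that remembers each ticket identity for the duration of the window and rejects a second use. The class names, the `ticket_id` key (standing in for the opaque PSK identity the client presents), the 10-second window and the timestamps are constructed for illustration. RFC 8446 later describes the same two mechanisms as "Single-Use Tickets" and "Client Hello Recording" (section 8).

```python
"""Stateless freshness check vs. stateful at-most-once acceptance of 0-RTT tickets.

Hypothetical example code; ticket identities and clock values are constructed.
"""
from collections import OrderedDict

WINDOW_S = 10.0  # freshness window within which a server is willing to accept 0-RTT


class StatelessFreshnessOnly:
    """Keeps no per-ticket state: accepts any ticket whose apparent age fits the window.

    A ClientHello (and its 0-RTT data) replayed inside the window is therefore
    accepted on every replay.
    """

    def __init__(self, window_s=WINDOW_S):
        self.window_s = window_s

    def accept(self, ticket_id, issued_at, now):
        age = now - issued_at
        return 0.0 <= age <= self.window_s


class AtMostOnce:
    """Honours each ticket identity at most once.

    Entries need only live for the freshness window: anything older is rejected
    by the age check regardless. OrderedDict preserves insertion order so expired
    entries can be pruned from the front. The store is bounded and fails closed
    (forcing the client to fall back to a 1-RTT handshake) rather than letting a
    flood of new tickets exhaust memory.
    """

    def __init__(self, window_s=WINDOW_S, max_entries=1_000_000):
        self.window_s = window_s
        self.max_entries = max_entries
        self._seen = OrderedDict()  # ticket_id -> time first accepted

    def _prune(self, now):
        while self._seen:
            _, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.window_s:
                break
            self._seen.popitem(last=False)

    def accept(self, ticket_id, issued_at, now):
        self._prune(now)
        age = now - issued_at
        if not (0.0 <= age <= self.window_s):
            return False  # stale, or claims to come from the future
        if ticket_id in self._seen:
            return False  # replay: this identity has already been redeemed
        if len(self._seen) >= self.max_entries:
            return False  # store full: refuse 0-RTT rather than grow without bound
        self._seen[ticket_id] = now
        return True

    def entries(self):
        return len(self._seen)


def run_scenarios(now=1_000_000.0):
    """Drive both checkers through a first use, an in-window replay and stale tickets."""
    stateless = StatelessFreshnessOnly()
    stateful = AtMostOnce()
    ticket_a = b"ticket-A"  # constructed identity
    issued = now - 2.0  # ticket is 2 s old at first presentation
    results = {
        "stateless_first": stateless.accept(ticket_a, issued, now),
        "stateless_replay": stateless.accept(ticket_a, issued, now + 1.0),
        "stateful_first": stateful.accept(ticket_a, issued, now),
        "stateful_replay": stateful.accept(ticket_a, issued, now + 1.0),
        "stateful_stale": stateful.accept(b"ticket-B", now - 60.0, now),
        "stateful_after_window": stateful.accept(ticket_a, issued, now + WINDOW_S + 5.0),
    }
    results["entries_retained"] = stateful.entries()  # pruned once the window has passed
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The memory the stateful store needs is bounded by the ticket issue rate times the window, which is why a short window matters. In a deployment where a ticket can be redeemed at more than one server, the store has to be shared or partitioned so that every server a given ticket could reach consults the same record; a per-process store like the one above only gives the at-most-once guarantee for a single server.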