On Thu, Jun 01, 2017 at 11:20:56PM -0700, Colm MacCárthaigh wrote:
>
> Maybe a lot of this dilemma could be avoided if the PSKs that can be
> used for regular resumption and for 0-RTT encryption were separate, with
> the latter being scoped smaller and with use-at-most-once semantics.

The problem here is that the scoping rules can be impossible for the
client to understand (there is possibly anycast involved!).

And also, a more serious problem: I thought that the server could send
tickets that can't be used for 0-RTT. And this was true a few drafts
back, but now it seems to have gotten lost (at least I can't find the
appropriate requirements).

This is a problem, because it forces any server that implements tickets
to deal with at least ignoring 0-RTT (trial decryptions!). Which is
complexity that I'd rather not have in servers that don't truly
implement 0-RTT.

-Ilari
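Added example, not part of the original message or of any TLS implementation: a Python model of the state a server that declines 0-RTT still has to carry in order to ignore early data by trial decryption. An HMAC tag stands in for AEAD record protection, and `EarlyDataSkipper`, `max_skip`, the keys and the records are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16

def _tag(key, seq, body):
    return hmac.new(key, seq.to_bytes(8, "big") + body, hashlib.sha256).digest()[:TAG_LEN]

def seal(key, seq, body):
    # Stand-in for AEAD record protection (integrity tag only, no encryption).
    return body + _tag(key, seq, body)

def open_record(key, seq, record):
    # Returns the plaintext, or None when deprotection fails.
    if len(record) < TAG_LEN:
        return None
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    return body if hmac.compare_digest(tag, _tag(key, seq, body)) else None

class EarlyDataSkipper:
    """Receive path of a server that sent a 1-RTT response and ignores 0-RTT."""

    def __init__(self, handshake_key, max_skip):
        self.key = handshake_key
        self.budget = max_skip   # bytes of undecryptable records tolerated
        self.skipping = True     # only true before the first good record
        self.seq = 0             # advances on successful deprotection only

    def receive(self, record):
        body = open_record(self.key, self.seq, record)
        if body is not None:
            self.skipping = False  # client's second flight has started
            self.seq += 1
            return body
        if not self.skipping:
            raise ValueError("bad_record_mac")  # failures are fatal from here on
        self.budget -= len(record)
        if self.budget < 0:
            raise ValueError("early data skip budget exceeded")
        return None  # silently discarded as presumed early data

def demo():
    early_key, hs_key = b"E" * 32, b"H" * 32  # constructed keys
    flight = [seal(early_key, 0, b"GET / HTTP/1.1"),
              seal(early_key, 1, b"more early data"),
              seal(hs_key, 0, b"client Finished")]
    server = EarlyDataSkipper(hs_key, max_skip=1024)
    return [server.receive(r) for r in flight]
```

The skip budget and the one-way `skipping` flag are what keep "ignore 0-RTT" from turning into "accept unlimited garbage before the handshake completes".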