On Thu, Jun 1, 2017 at 8:22 PM, Eric Rescorla <e...@rtfm.com> wrote:

> I've just gone through this thread and I'm having a very hard time
> understanding what the actual substantive argument is about.
>

I believe at this point we mostly disagree on what specific scenarios are and are not a concern that should be solved by the TLS layer. The replay/retry distinction might be at the core of some disagreements.

Let me lay out what I think we all agree on.

>
> 1. As long as 0-RTT is declinable (i.e., 0-RTT does not cause
> connection failures) then a DKG-style attack where the client
> replays the 0-RTT data in 1-RTT is possible.
>

Correct.

> 2. Because of point #1, applications must implement some form
> of replay-safe semantics.
>

Correct.

>
> 3. Allowing the attacker to generate an arbitrary number of 0-RTT
> replays without client intervention is dangerous even if
> the application implements replay-safe semantics.
>

Correct, and the specific number is highly situational.

>
> 4. If implemented properly, both a single-use ticket and a
> strike-register style mechanism make it possible to limit
> the number of 0-RTT copies which are processed to 1 within
> a given zone (where a zone is defined as having consistent
> storage), so the number of accepted copies of the 0-RTT
> data is N where N is the number of zones.
>

Correct. Session caches are inherently bound to a single zone.

> 5. Implementing the level of coherency to get #4 is a pain.
>

Yes.

> 6. If you bind each ticket to a given zone, then you can
> limit the number of accepted 0-RTT copies to 1
> (for that zone) and accepted 1-RTT copies to 1 (because
> of the DKG attack listed above).
>
>

Correct.

-- Victor.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
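
The zone counting in points 4 and 6 above, as an added Python simulation that is not part of the original message. The `Zone` class, `count_accepted`, the zone names and the sample ClientHello bytes are constructed for illustration, and the strike register is modelled as a per-zone set of ClientHello digests.

```python
import hashlib


class Zone:
    """One anti-replay zone: servers that share consistent storage."""

    def __init__(self, name):
        self.name = name
        self.strike_register = set()  # digests of ClientHellos already accepted

    def accept_0rtt(self, ticket_zone, client_hello, bind_to_zone):
        # Point 6: a zone-bound ticket is only honoured for 0-RTT in the
        # zone that issued it; elsewhere early data is declined.
        if bind_to_zone and ticket_zone != self.name:
            return False
        # Point 4: within a zone the strike register accepts each
        # ClientHello once and rejects every later copy.
        digest = hashlib.sha256(client_hello).digest()
        if digest in self.strike_register:
            return False
        self.strike_register.add(digest)
        return True


def count_accepted(zone_names, ticket_zone, copies_per_zone, bind_to_zone):
    """Deliver the same 0-RTT flight several times to every zone and
    return how many copies are accepted in total."""
    zones = [Zone(name) for name in zone_names]
    client_hello = b"constructed ClientHello with early data"  # sample input
    accepted = 0
    for zone in zones:
        for _ in range(copies_per_zone):
            if zone.accept_0rtt(ticket_zone, client_hello, bind_to_zone):
                accepted += 1
    return accepted


if __name__ == "__main__":
    names = ["zone-a", "zone-b", "zone-c"]  # constructed zone names
    # Unbound ticket: one accepted copy per zone, so N copies for N zones.
    print("unbound ticket:", count_accepted(names, "zone-a", 5, False))
    # Zone-bound ticket: accepted only in the issuing zone, once.
    print("zone-bound ticket:", count_accepted(names, "zone-a", 5, True))
```

The model covers only 0-RTT acceptance; the single 1-RTT copy in point 6 comes from the client resending after a decline and is outside what the server-side register controls.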