On Tue, Dec 18, 2018 at 12:45:22AM -0600, David Benjamin wrote:

> An earlier iteration even placed the retry on the same connection, which
> makes the analog clearer.  (Doing it in the same connection is rather a
> mess, so we bounce to a new one.)

Any concern about the possibility that the reason the key did not
work was that the particular server had unexpected keys, but
reconnecting might land on a different server with yet another set
of keys?  (Which is to say that I am concerned, but perhaps you're
not?)

Also, connection re-establishment has considerable cost: additional
TCP round trips on top of the extra TLS round trips.

Is the HRR idea being explored in the parallel thread not viable?
[ That'd be fine by me, one less thing to worry about, but it did
seem worth exploring at first blush...  The suggestion of using it
as a fallback when there are either no keys in DNS or they don't
work also seems like it could be viable. ]


-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
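The concern raised in the message above, as an added toy model that is not code from the TLS list thread or from any ESNI implementation: a client holds a (possibly stale) key learned from DNS, the server that cannot decrypt hands back its own key, and the client retries on a fresh connection. Because each new connection may land on a different backend, a pool whose backends do not share keys can keep handing the client a key that the next backend does not accept. The class and function names, the round-robin and random balancer behaviour, and the cost accounting (one round trip for the TCP handshake plus one for the TLS handshake per connection) are assumptions of this model, not the draft's wire format.

```python
"""Toy model of ESNI key mismatch and retry-on-a-new-connection.

Constructed example, not from the TLS list thread or any ESNI implementation.
A key id stands in for the key material; the server's retry carries its own
key id. Round-trip costs (1 RTT TCP + 1 RTT TLS per connection) are assumed.
"""
import itertools
import random
from dataclasses import dataclass, field


@dataclass
class Backend:
    name: str
    esni_key_id: str  # the only key this backend can decrypt with


class Frontend:
    """Load balancer: every new TCP connection may land on any backend.

    Round-robin when no rng is given (deterministic, for the worked scenarios);
    uniformly random otherwise, which is what the client effectively sees.
    """

    def __init__(self, backends, rng=None):
        self.backends = backends
        self.rng = rng
        self._rr = itertools.cycle(backends)

    def connect(self) -> Backend:
        if self.rng is not None:
            return self.rng.choice(self.backends)
        return next(self._rr)


@dataclass
class Outcome:
    success: bool
    connections: int
    round_trips: int
    path: list = field(default_factory=list)  # (backend, offered key, accepted?)


def handshake(backend: Backend, offered_key_id: str):
    """Server side: accept a matching key, otherwise return the key to retry with."""
    if offered_key_id == backend.esni_key_id:
        return True, None
    return False, backend.esni_key_id


def client_connect_with_retry(frontend: Frontend, dns_key_id: str, max_retries: int = 2) -> Outcome:
    """Client side: offer the DNS key, and on failure reconnect with the server-supplied key."""
    key_id = dns_key_id
    out = Outcome(success=False, connections=0, round_trips=0)
    for _ in range(max_retries + 1):
        backend = frontend.connect()
        out.connections += 1
        out.round_trips += 2  # assumed: 1 RTT TCP handshake + 1 RTT TLS handshake
        ok, retry_key_id = handshake(backend, key_id)
        out.path.append((backend.name, key_id, ok))
        if ok:
            out.success = True
            return out
        key_id = retry_key_id  # the retry happens on a brand-new connection
    return out


def scenario_inconsistent_pool() -> Outcome:
    """Three backends with three different keys, stale key in DNS, round-robin.

    Each retry reaches a backend whose key differs from the one just handed back,
    so the client burns every retry without ever succeeding.
    """
    pool = [Backend("A", "k1"), Backend("B", "k2"), Backend("C", "k3")]
    return client_connect_with_retry(Frontend(pool), dns_key_id="k0", max_retries=2)


def scenario_consistent_pool() -> Outcome:
    """Same stale DNS key, but all backends share one key: the single retry succeeds."""
    pool = [Backend(n, "k1") for n in "ABC"]
    return client_connect_with_retry(Frontend(pool), dns_key_id="k0", max_retries=2)


def estimate_success_rate(n_backends: int, trials: int = 3000, max_retries: int = 1, seed: int = 1) -> float:
    """Random balancer, every backend with its own key, DNS key matching only backend 0.

    With n_backends = 3 and one retry the exact rate is 1/3 + (2/3)(1/3) = 5/9.
    """
    rng = random.Random(seed)
    pool = [Backend(f"S{i}", f"k{i}") for i in range(n_backends)]
    fe = Frontend(pool, rng)
    ok = sum(client_connect_with_retry(fe, "k0", max_retries).success for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    print("inconsistent pool:", scenario_inconsistent_pool())
    print("consistent pool:  ", scenario_consistent_pool())
    print("random, 3 backends, 1 retry:", estimate_success_rate(3))
```

The inconsistent scenario is the case the message worries about: three connections and six round trips spent, and still no working key, whereas the consistent pool recovers after one retry. The random estimate shows the same thing statistically; with three backends on distinct keys and one retry the client succeeds only about five times in nine.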
