On Wed, Sep 30, 2020 at 10:17:53PM +1000, Martin Thomson wrote:
> The costs you describe are trivial. And we limit replay with a binding
> to remote address, and a short timer. But the benefit is mostly down
> to reduced code variations. We also implement DTLS where this is
> properly useful.
You need a replay cache system if you're going to allow 0-RTT and the 0-RTT part of the application protocol is sensitive (e.g., it sends passwords, or missile launch commands). Replay caches are hard enough to get right when you're clustering servers.

Nico

-- 
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
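To illustrate the two points above (a per-node anti-replay cache bound to remote address with a short timer, and why that gets hard once servers are clustered), here is an added toy example; it is not code from the thread or from any TLS stack. The binder values, addresses and the 10-second window are constructed assumptions.

```python
"""Toy anti-replay cache for TLS 1.3 0-RTT early data (added example).

Assumes a 0-RTT flight is identified by its PSK binder (an opaque byte
string here) plus the client's remote address, and that an entry only
has to be remembered for a short window, after which the ticket itself
should no longer be accepted by other means (e.g. ticket lifetime).
"""

WINDOW_SECONDS = 10.0  # assumed short replay window


class ReplayCache:
    """Single-node cache: remembers (binder, addr) pairs seen within the window."""

    def __init__(self):
        self.seen = {}  # (binder, addr) -> first-seen timestamp

    def accept(self, binder: bytes, addr: str, now: float) -> bool:
        """Return True if this 0-RTT flight is fresh, False if it is a replay."""
        # Expire old entries so the cache stays bounded.
        self.seen = {k: t for k, t in self.seen.items()
                     if now - t < WINDOW_SECONDS}
        key = (binder, addr)
        if key in self.seen:
            return False  # same binder from the same address inside the window
        self.seen[key] = now
        return True


def cluster_accepts(caches, binder: bytes, addr: str, now: float) -> int:
    """Deliver one 0-RTT flight to every node and count how many accept it.

    With independent per-node caches every node sees the flight as fresh,
    so a replay fanned out across N nodes is accepted N times; only a
    shared (or replicated) cache brings this back to one.
    """
    return sum(1 for cache in caches if cache.accept(binder, addr, now))
```

The window only bounds the replay opportunity; after it closes the same flight is accepted again, which is why the timer has to be paired with ticket lifetime and why sensitive application data should not be sent as early data at all.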
