
Re: Retry safety of HTTP requests

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 23 Mar 2016 14:12:49 +1100
Message-ID: <CABkgnnUVKm1QhVoHz47ibW0SHupHWbjJkoZD7TEoYh=qQS6Ahw@mail.gmail.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Mark Nottingham <mnot@mnot.net>, Subodh Iyengar <subodh@fb.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 23 March 2016 at 13:21, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> Idempotency is useful against short-time replay, like just resending until
> you get a response.  However, 0-RTT would permit replay seconds, minutes, or
> more later, no?

As Subodh notes, there is a suggestion (one that hasn't been
implemented) of including timestamps in the 0-RTT.  That would limit
replay to a very narrow window.  That window would only widen to allow
for errors in estimating the round trip time, and any amount that
two clocks might drift relative to each other.  I would hope that this
would be seconds, probably something like 2s.

The open question part (at least to my mind) includes: who writes the
PR; and which endpoint estimates the round trip time.
Received on Wednesday, 23 March 2016 03:13:16 UTC
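
A sketch of the timestamp freshness check discussed in the message above, added here as an example; it is not code from the thread or from any TLS implementation. It assumes the client reports the time elapsed since it received the session ticket and that the server supplies the round trip estimate; the names, the 500 ms and 100 ppm allowances, and the sample timings are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FreshnessPolicy:
    rtt_error_ms: float = 500.0    # allowance for a wrong RTT estimate (assumed value)
    drift_ppm: float = 100.0       # relative clock drift in parts per million (assumed)
    max_window_ms: float = 2000.0  # hard cap, matching the ~2s hoped for in the message

    def window_ms(self, server_elapsed_ms):
        # Drift grows with the time since the ticket was issued; RTT error does not.
        drift = server_elapsed_ms * self.drift_ppm / 1_000_000
        return min(self.rtt_error_ms + drift, self.max_window_ms)

def check_early_data(policy, issued_at_ms, server_now_ms, client_age_ms, rtt_estimate_ms):
    """Return (accepted, skew_ms) for one 0-RTT flight.

    issued_at_ms / server_now_ms are server clock readings; client_age_ms is the
    client's own measurement of time since it received the ticket.
    """
    server_elapsed = server_now_ms - issued_at_ms
    if server_elapsed < 0 or client_age_ms < 0:
        return False, float("inf")
    # Ticket delivery plus the 0-RTT flight cost about one round trip in total.
    expected_age = server_elapsed - rtt_estimate_ms
    skew = expected_age - client_age_ms
    return abs(skew) <= policy.window_ms(server_elapsed), skew

def simulate(replay_delay_ms, policy=FreshnessPolicy()):
    """Constructed scenario: 80 ms RTT, client resumes 60 s after getting the ticket.

    A replayed flight carries the same client_age_ms but arrives replay_delay_ms later.
    """
    rtt, client_age = 80, 60_000
    arrival = rtt // 2 + client_age + rtt // 2 + replay_delay_ms
    accepted, _ = check_early_data(policy, 0, arrival, client_age, rtt)
    return accepted

if __name__ == "__main__":
    for delay in (0, 300, 5_000, 120_000):
        print(f"replay delay {delay:>7} ms -> accepted={simulate(delay)}")
```

The 300 ms case is accepted: the timestamp narrows the replay window but does not close it, so anything sent in 0-RTT still has to tolerate a replay inside that window.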
