- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 23 Mar 2016 16:12:58 +1100
- To: Subodh Iyengar <subodh@fb.com>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> On 23 Mar 2016, at 1:33 PM, Subodh Iyengar <subodh@fb.com> wrote:
>
> @Mike Bishop there are some proposals for 0-RTT to include the client timestamp in the client nonce to limit the retryability of 0-RTT which are still being discussed on the TLS mailing lists. This is still an open question.
>
> > If we’re talking about a pattern of DELETE, PUT, GET, the fact that every separate action is idempotent doesn’t save us from a replay of the DELETE after the PUT
>
> That's an excellent point, and probably something the application can only determine to be safe. Ideally if an application determines an action to be safe (with a new flag) then it should be safe to retry the same request 5 months from now, although browsers should do a best effort not to do that and TLS 1.3 should also limit the time of 0-RTT to something reasonable.

Yes. 6.3.1 says:

"For example, a user agent that knows (through design or configuration) that a POST request to a given resource is safe can repeat that request automatically."

The challenge is how to give the UA that knowledge; it sounds more like a Fetch <https://fetch.spec.whatwg.org> flag (and maybe corresponding API in XHR, HTML forms, etc.) than something here.

It's even harder for a sequence of requests; that really is application-specific.

Cheers,

--
Mark Nottingham https://www.mnot.net/
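The DELETE, PUT, GET replay that the quoted message describes, and a server-side time-bounded anti-replay cache of the kind the thread alludes to, as an added example that is not part of the original messages; the toy resource store, the early-data identifier and client-timestamp parameters, and the replay window are constructed assumptions, not TLS 1.3's actual mechanism.

```python
# Added example, not from the thread. Shows why per-request idempotence
# does not make a replayed request *sequence* safe, plus a server-side
# anti-replay cache bounded by a time window (constructed illustration of
# the "limit the time of 0-RTT" idea; not TLS 1.3's actual mechanism).
import time


class ResourceStore:
    """Toy store: PUT and DELETE are each idempotent in isolation."""
    def __init__(self):
        self.data = {}

    def apply(self, method, key, value=None):
        if method == "PUT":
            self.data[key] = value
        elif method == "DELETE":
            self.data.pop(key, None)
        return self.data.get(key)      # GET view after the request


def run(requests):
    """Apply (method, key, value) triples to a fresh store; return final state."""
    store = ResourceStore()
    for method, key, value in requests:
        store.apply(method, key, value)
    return dict(store.data)


def sequence_replay_demo():
    """DELETE, PUT, GET once is fine; a later replay of just the DELETE wipes
    out the PUT even though every individual request was idempotent."""
    original = [("DELETE", "/doc", None), ("PUT", "/doc", "v2"), ("GET", "/doc", None)]
    return run(original), run(original + [("DELETE", "/doc", None)])


class ReplayCache:
    """Accept each early-data identifier once, and only while its client
    timestamp is within `window` seconds of server time; otherwise the server
    should reject early data and let the client retry after the handshake."""
    def __init__(self, window, now=time.time):
        self.window, self.now, self.seen = window, now, {}

    def accept(self, identifier, client_ts):
        t = self.now()
        self.seen = {k: exp for k, exp in self.seen.items() if exp > t}  # evict
        if abs(t - client_ts) > self.window or identifier in self.seen:
            return False
        self.seen[identifier] = client_ts + self.window  # keep until it is stale anyway
        return True
```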
Received on Wednesday, 23 March 2016 05:13:29 UTC