Re: HTTP profile for TLS 1.3 0-RTT early data?

Hi Mark,

On Thu, May 11, 2017 at 10:23:12AM +1000, Mark Nottingham wrote:
> If an origin doesn't have robust retry/replay protection in place for
> non-idempotent requests, it seems operationally simpler and safer for them to
> disable 0-RTT, rather than refusing it on a request-by-request basis. That's
> the discussion I think we should have here...

That's exactly the situation I'm facing for now with haproxy. A few
users have asked us to support 0-RTT and, for lack of a way to 1) decide
which requests are really safe, and 2) tell the client it must replay
them using 1-RTT, for now I refused to enable it. The load balancer
and the origin server will have a different view of the acceptability
of 0-RTT, and the whole chain must be able to accept or reject them, and
let the client retry.

I tend to think that a 4xx status code would make sense and would be
useful to pass the verdict back to the client. For example we could
return "418 not idempotent".

Willy

Received on Thursday, 11 May 2017 05:34:23 UTC
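As an added example (not from the thread, from haproxy, or from any of the posters), here is a small Python model of the policy the messages above describe: a TLS-terminating front end sees, per request, whether it arrived in 0-RTT early data, refuses non-idempotent methods that did with a 4xx verdict, and the client replays them after the full 1-RTT handshake. The `Request`, `Response`, `Origin` and `ReplayingClient` names, the `/orders` endpoint and the order counter are constructed for the illustration; the status code is the "418 not idempotent" value proposed in the thread, kept as a labelled placeholder.

```python
"""Constructed model of an early-data gate in front of an origin.

Idempotent requests may be served straight from 0-RTT data. Anything else is
refused with a verdict status so the client can resend it once the handshake
has completed, at which point the request is no longer replayable.
"""
from dataclasses import dataclass

# RFC 7231 method classes: safe methods are idempotent by definition, PUT and
# DELETE are idempotent but not safe. Everything else (POST, PATCH, ...) is
# treated as non-idempotent and is never applied from an early-data record.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
IDEMPOTENT_METHODS = SAFE_METHODS | {"PUT", "DELETE"}

# Placeholder verdict taken from the thread ("418 not idempotent"); it is not
# a registered status code.
REJECT_STATUS = 418
REJECT_REASON = "Not Idempotent"


@dataclass
class Request:
    method: str
    target: str
    body: bytes = b""
    early_data: bool = False  # True when the request arrived in 0-RTT data


@dataclass
class Response:
    status: int
    reason: str
    body: bytes = b""


def gate_early_data(req: Request, handler) -> Response:
    """Load-balancer side: refuse non-idempotent early-data requests before
    they reach the origin; pass everything else through unchanged."""
    if req.early_data and req.method.upper() not in IDEMPOTENT_METHODS:
        return Response(REJECT_STATUS, REJECT_REASON)
    return handler(req)


class Origin:
    """Constructed origin: counts the POSTs it actually applies, so a replayed
    early-data POST would be visible as a double-counted order."""

    def __init__(self):
        self.orders_placed = 0

    def __call__(self, req: Request) -> Response:
        if req.method == "POST" and req.target == "/orders":
            self.orders_placed += 1
            return Response(201, "Created")
        if req.method == "GET":
            return Response(200, "OK", b"orders=%d" % self.orders_placed)
        return Response(404, "Not Found")


class ReplayingClient:
    """Client side of the same policy: on the verdict status it resends the
    request once after the 1-RTT handshake (early_data=False), which is the
    only state in which the gate lets a non-idempotent method through."""

    def __init__(self, server):
        self.server = server
        self.transcript = []  # (sent_in_early_data, status) per attempt

    def send(self, req: Request) -> Response:
        resp = gate_early_data(req, self.server)
        self.transcript.append((req.early_data, resp.status))
        if resp.status == REJECT_STATUS and req.early_data:
            retry = Request(req.method, req.target, req.body, early_data=False)
            resp = gate_early_data(retry, self.server)
            self.transcript.append((retry.early_data, resp.status))
        return resp


def demo():
    origin = Origin()
    client = ReplayingClient(origin)
    # Idempotent request: served directly from early data.
    r1 = client.send(Request("GET", "/orders", early_data=True))
    # Non-idempotent request: refused in 0-RTT, replayed by the client in 1-RTT.
    r2 = client.send(Request("POST", "/orders", b"sku=1", early_data=True))
    # A duplicated copy of the same early-data record, which is what the
    # replay concern is about, is refused as well: the order count stays at 1.
    r3 = gate_early_data(Request("POST", "/orders", b"sku=1", early_data=True), origin)
    return r1.status, r2.status, r3.status, origin.orders_placed, client.transcript


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the verdict only works if every hop in the chain applies the same classification and the client treats the verdict as "resend after the handshake", not as a final error. In the form that was eventually standardised (RFC 8470), the verdict is 425 (Too Early) and the front end marks forwarded early-data requests with an `Early-Data: 1` header so the origin can make the call itself; a production gate would use those rather than the placeholder above.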