- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Wed, 28 Jun 2017 23:00:26 +0300
- To: Benjamin Kaduk <bkaduk@akamai.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Wed, Jun 28, 2017 at 02:02:33PM -0500, Benjamin Kaduk wrote:
> On 06/26/2017 12:44 PM, Martin Thomson wrote:
> > Thanks for your thoughts Ben,
> >
> > On 26 June 2017 at 08:32, Benjamin Kaduk <bkaduk@akamai.com> wrote:
> >
>
> >> In section 2, I'm not sure that we need to mention the TLS-native
> >> strateg(ies) (item 4).
> > I think that it's important to mention, if only because a lot of the
> > other defenses rely on that point you made earlier about reducing the
> > potential billions down to something more manageable. It's especially
> > relevant when you are worrying about leakage through side-channels.
>
> Well, I hope that TLS ends up mandating something that is not the
> potential billions, in which case it's less of an issue here. Of course,
> if TLS does not make such a mandate, we could still do so here ...

Well, the stuff to ensure that you don't get billions (or millions) of replays is only SHOULD in the current proposal at TLS WG...

> >> (Token binding is one thing that comes to mind, as the
> >> requests would need to be regenerated with the proper bindings;
> > Ahh, 0-RTT token binding is a horror. This is why generally the
> > "start over" thing is important. I think that the best way to
>
> Yes. I don't have any suggested text right now that would emphasize
> this more, but there may be room for improvement in this area.

I think tokbind mandates strict global anti-replay for 0-RTT token binding. Because there would be an attack otherwise.

-Ilari

Received on Wednesday, 28 June 2017 20:01:04 UTC