Re: [TLS] Fwd: New Version Notification for draft-thomson-http-replay-00.txt

On 06/28/2017 03:00 PM, Ilari Liusvaara wrote:
> On Wed, Jun 28, 2017 at 02:02:33PM -0500, Benjamin Kaduk wrote:
>>
>> Well, I hope that TLS ends up mandating something that is not the
>> potential billions, in which case it's less of an issue here. Of course,
>> if TLS does not make such a mandate, we could still do so here ...
> Well, the stuff to ensure that you don't get billions (or millions) of
> replays is only SHOULD in the current proposal at TLS WG...

Yeah, I have a comment staged about that on that PR; just not done
reviewing the whole thing yet.

>>>> (Token binding is one thing that comes to mind, as the
>>>> requests would need to be regenerated with the proper bindings;
>>> Ahh, 0-RTT token binding is a horror.  This is why generally the
>>> "start over" thing is important.  I think that the best way to
>> Yes.  I don't have any suggested text right now that would emphasize
>> this more, but there may be room for improvement in this area.
> I think tokbind mandates strict global anti-replay for 0-RTT token
> binding. Because there would be an attack otherwise.

Right.  Well, either that or just don't do 0-RTT token binding at all
(my preference), but there may be enough demand for it to get rough
consensus there.

-Ben

Received on Wednesday, 28 June 2017 20:51:39 UTC
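The "strict global anti-replay" the thread refers to, as an added illustration that is not code from the thread participants, from the draft, or from the token binding specification: a server-side store that remembers every 0-RTT ClientHello it has accepted and rejects any second appearance within the ticket lifetime, beside a guard that does no such bookkeeping, to show why the absence of a mandate leaves the replay count unbounded. The class names, the use of a SHA-256 digest of the ClientHello bytes as the record key, the in-process store standing in for a shared global one, the ticket lifetime value and the sample ClientHello bytes are all assumptions constructed for this example.

```python
import hashlib
from collections import OrderedDict

# Constructed value: how long a session ticket, and hence its 0-RTT data,
# stays valid. Entries older than this can be forgotten by the store.
TICKET_LIFETIME_S = 600.0

# Constructed stand-in for the bytes of a ClientHello carrying early data.
SAMPLE_CLIENT_HELLO = b"\x01\x00\x01\x23constructed-client-hello-with-psk-binder"


class EarlyDataReplayGuard:
    """Hypothetical strict anti-replay store (not from the draft).

    Records a digest of each accepted 0-RTT ClientHello and refuses any
    repeat within the ticket lifetime, so a replayed early-data request is
    accepted at most once. A real deployment shares this store across all
    servers that accept the same tickets; here it is a single process.
    """

    def __init__(self, lifetime_s: float = TICKET_LIFETIME_S) -> None:
        self.lifetime_s = lifetime_s
        # digest -> time first seen, oldest first, so expiry walks the front
        self._seen: "OrderedDict[bytes, float]" = OrderedDict()
        self.rejected = 0

    @staticmethod
    def digest(client_hello: bytes) -> bytes:
        return hashlib.sha256(client_hello).digest()

    def _expire(self, now: float) -> None:
        # Drop records older than the ticket lifetime: a ClientHello that old
        # fails the ticket-age check below anyway, so it need not be kept.
        while self._seen:
            _, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.lifetime_s:
                break
            self._seen.popitem(last=False)

    def accept_early_data(self, client_hello: bytes,
                          ticket_issued_at: float, now: float) -> bool:
        if now - ticket_issued_at > self.lifetime_s:
            self.rejected += 1
            return False  # stale ticket: no early data, fall back to 1-RTT
        self._expire(now)
        key = self.digest(client_hello)
        if key in self._seen:
            self.rejected += 1
            return False  # second appearance of the same ClientHello: replay
        self._seen[key] = now
        return True


class NoReplayGuard:
    """Server that accepts every 0-RTT attempt: replays are unbounded."""

    def accept_early_data(self, client_hello: bytes,
                          ticket_issued_at: float, now: float) -> bool:
        return True


def count_accepted(guard, client_hello: bytes,
                   ticket_issued_at: float, times) -> int:
    """Offer the same ClientHello at each time in `times`; count acceptances."""
    return sum(1 for t in times
               if guard.accept_early_data(client_hello, ticket_issued_at, t))


if __name__ == "__main__":
    attempts = [i * 0.001 for i in range(1000)]  # 1000 copies within a second
    strict = EarlyDataReplayGuard()
    print("strict store accepted:", count_accepted(strict, SAMPLE_CLIENT_HELLO, 0.0, attempts))
    print("no store accepted:   ", count_accepted(NoReplayGuard(), SAMPLE_CLIENT_HELLO, 0.0, attempts))
```

The same ClientHello offered a thousand times is accepted once by the strict store and a thousand times without it; that gap is the "billions" of replays the thread worries about when the store is only a SHOULD. The ticket-age check is what lets the store forget old entries safely: a ClientHello whose ticket has aged past the lifetime is refused before the store is consulted.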