- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 4 Aug 2017 17:58:28 +1000
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: Kazuho Oku <kazuhooku@gmail.com>, Victor Vasiliev <vasilvv@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 4 August 2017 at 17:43, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> - Handle immediately
> - Wait for ClientFinished
> - Reject immediately
>
> And first and last two interpretations must not be mixed for the same
> request.

This is the consistency that I was looking for, thanks for restating this.

FWIW, I also have convinced myself that both reject and delay can be used interchangeably to get the same basic correctness guarantee we're looking for.

> However, that there should not be 0-RTT strike registers at HTTP level
> does not imply that there should not be HTTP-level request strike
> registers, but those strike registers need to span both 0-RTT and 1-RTT
> in order to combat retries, not just replays.

I share this view. TLS does what it can to prevent replay, but the ultimate defense (if you ever want to handle 0-RTT, or ever really) is to have anti-replay/de-duplication at the level of the request.
Received on Friday, 4 August 2017 07:58:50 UTC
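The message above argues that an HTTP-level strike register must cover both 0-RTT and 1-RTT requests, because a register that only watches early data catches replays but not client retries. The following is an added illustration of that point, not code from the thread or from any HTTP WG implementation. It models a server that applies one of the three early-data policies quoted above (handle immediately, wait for ClientFinished, reject immediately) and, separately, a request-level register keyed on a client-supplied request id. The request id header, the 425/409 status choices, the 60-second window and the scenario itself are constructed assumptions.

```python
"""Request-level strike register that spans 0-RTT and 1-RTT requests.

Constructed example. The request id (think of an idempotency key), the
policy names, the status codes and the scenario are assumptions made for
illustration, not anything defined by the HTTP working group.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The three early-data policies from the thread; a server picks one and
# must not mix "handle" with "wait"/"reject" for the same request.
HANDLE_IMMEDIATELY = "handle"
WAIT_FOR_CLIENT_FINISHED = "wait"
REJECT_IMMEDIATELY = "reject"   # modelled as HTTP 425 Too Early

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # no side effects, no dedup needed


@dataclass
class Request:
    method: str
    path: str
    request_id: str        # assumed client-supplied id carried on every attempt
    early_data: bool       # True if the request arrived in TLS early data


class StrikeRegister:
    """Remembers request ids for a bounded window, independent of whether
    the request arrived in 0-RTT or after the handshake."""

    def __init__(self, window_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self._seen: Dict[str, float] = {}

    def _expire(self, now: float) -> None:
        for rid in [k for k, t in self._seen.items() if now - t > self.window]:
            del self._seen[rid]

    def check_and_record(self, request_id: str) -> bool:
        """True on first sight within the window (and record it); False on a duplicate."""
        now = self.clock()
        self._expire(now)
        if request_id in self._seen:
            return False
        self._seen[request_id] = now
        return True


class Server:
    def __init__(self, early_data_policy: str, register: StrikeRegister):
        self.policy = early_data_policy
        self.register = register
        self.executed: List[Tuple[str, str, str]] = []   # side effects that really ran

    def dispatch(self, req: Request, handshake_complete: bool) -> Optional[int]:
        """Return a status code, or None when the request is deferred until ClientFinished."""
        if req.early_data and not handshake_complete:
            if self.policy == REJECT_IMMEDIATELY:
                return 425
            if self.policy == WAIT_FOR_CLIENT_FINISHED:
                return None
        if req.method in SAFE_METHODS:
            return 200
        # The register is consulted for every non-safe request, 0-RTT or 1-RTT.
        if not self.register.check_and_record(req.request_id):
            return 409   # duplicate of a request already executed
        self.executed.append((req.method, req.path, req.request_id))
        return 200


def run_scenario(policy: str) -> Dict[str, Optional[int]]:
    """Constructed sequence: a 0-RTT POST, a network replay of it, and a client retry."""
    t = [0.0]
    srv = Server(policy, StrikeRegister(60.0, clock=lambda: t[0]))
    rid = "req-c0ffee-01"   # constructed request id
    orig = Request("POST", "/transfer", rid, early_data=True)
    log: Dict[str, Optional[int]] = {}
    # 1. genuine request arrives in early data
    s = srv.dispatch(orig, handshake_complete=False)
    if s is None:                                    # "wait": ClientFinished arrives later
        s = srv.dispatch(orig, handshake_complete=True)
    log["early"] = s
    # 2. under "reject", the genuine client resends the same request in 1-RTT
    if s == 425:
        log["retry_after_425"] = srv.dispatch(Request("POST", "/transfer", rid, False), True)
    # 3. the captured 0-RTT record is replayed on a new connection; whoever replays
    #    it cannot produce ClientFinished, so the handshake never completes
    t[0] += 1.0
    log["replay"] = srv.dispatch(orig, handshake_complete=False)
    # 4. the genuine client times out and retries in 1-RTT on a fresh connection
    t[0] += 1.0
    log["client_retry"] = srv.dispatch(Request("POST", "/transfer", rid, False), True)
    log["executed"] = len(srv.executed)
    return log


def expiry_demo() -> Tuple[bool, bool, bool]:
    """The window bounds memory but must outlast the client's retry horizon."""
    t = [0.0]
    reg = StrikeRegister(60.0, clock=lambda: t[0])
    first, dup = reg.check_and_record("x"), reg.check_and_record("x")
    t[0] = 61.0
    return first, dup, reg.check_and_record("x")


if __name__ == "__main__":
    for p in (HANDLE_IMMEDIATELY, WAIT_FOR_CLIENT_FINISHED, REJECT_IMMEDIATELY):
        print(p, run_scenario(p))
    print("expiry", expiry_demo())
```

Under every policy the transfer executes exactly once: "wait" never runs the replayed copy because ClientFinished never arrives, "reject" answers it with 425, and "handle" catches it only because the register remembers the id. The client's own 1-RTT retry, which a TLS-level anti-replay mechanism cannot see as a duplicate, is caught in all three cases by the same register, which is the point the message makes about spanning both 0-RTT and 1-RTT. The expiry function shows the caveat that comes with a bounded window: once the id ages out, the same request executes again.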