Re: Review of draft-thomson-http-replay-latest

On 4 August 2017 at 17:43, Ilari Liusvaara <> wrote:
> - Handle immediately
> - Wait for ClientFinished
> - Reject immediately
> And first and last two interpretations must not be mixed for the same
> request.

This is the consistency that I was looking for, thanks for restating this.

FWIW, I also have convinced myself that both reject and delay can be
used interchangeably to get the same basic correctness guarantee we're
looking for.

> However, that there should not be 0-RTT strike registers at HTTP level
> does not imply that there should not be HTTP-level request strike
> registers, but those strike registers need to span both 0-RTT and 1-RTT
> in order to combat retries, not just replays.

I share this view.  TLS does what it can to prevent replay, but the
ultimate defense (if you ever want to handle 0-RTT, or ever really) is
to have anti-replay/de-duplication at the level of the request.

Received on Friday, 4 August 2017 07:58:50 UTC