- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 8 Dec 2017 11:56:43 +1100
- To: David Benjamin <davidben@chromium.org>
- Cc: Victor Vasiliev <vasilvv@google.com>, Willy Tarreau <w@1wt.eu>, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>, mnot <mnot@mnot.net>

On Fri, Dec 8, 2017 at 11:28 AM, David Benjamin <davidben@chromium.org> wrote:
> Thus, if you are okay performing that action without replay protection, then
> you're cool with any arrangement. If you are not okay performing that action
> without replay protection, then *none* of your servers should do so. This
> can be achieved, on a per-server basis in several ways:
>
> 1. Don't turn on 0-RTT.
> 2. If (1) is too much because you want 0-RTT in other cases, delay
> processing.
> 3. If (2) is too much because you don't like buffering, send a 425.

That's a good point and one we don't capture properly. The point about
consistency needs to be on classification, not reaction. I've opened a PR
that tries to capture this, though I omit any dependency between steps.

https://github.com/httpwg/http-extensions/pull/446

Received on Friday, 8 December 2017 00:57:07 UTC
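
The distinction drawn in the message above, as an added example that is not part of the original message or the linked PR: servers may react differently to a replay-sensitive request in early data (buffer it or send a 425), but they must classify it the same way. The classifiers `strict` and `lax`, the server names, and the sample paths are hypothetical and constructed for illustration.

```python
from enum import Enum

class Policy(Enum):          # per-server reaction; option 1 (0-RTT off) means
    BUFFER = 2               # no request ever arrives in early data at all
    SEND_425 = 3

class Reaction(Enum):
    PROCESS = "process now"
    DELAY = "hold until the handshake completes"
    TOO_EARLY = "respond 425"

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

def strict(method, path):
    """Hypothetical classifier: safe method and not a listed sensitive path."""
    return method in SAFE_METHODS and path != "/transfer"   # constructed path

def lax(method, path):
    """Hypothetical weaker classifier: trusts the method alone."""
    return method in SAFE_METHODS

def react(classify, policy, method, path, handshake_complete):
    """Reaction of one server to one request."""
    if handshake_complete or classify(method, path):
        return Reaction.PROCESS
    return Reaction.DELAY if policy is Policy.BUFFER else Reaction.TOO_EARLY

def classification_conflicts(servers, requests):
    """Early-data requests that one server processes and another holds back."""
    conflicts = []
    for method, path in requests:
        processed = {react(c, p, method, path, False) is Reaction.PROCESS
                     for c, p in servers.values()}
        if len(processed) > 1:   # servers disagree on replay tolerance
            conflicts.append((method, path))
    return conflicts

# Constructed sample deployment and requests.
REQUESTS = [("GET", "/index"), ("GET", "/transfer"), ("POST", "/transfer")]
SAME_CLASSIFIER = {"edge-a": (strict, Policy.BUFFER), "edge-b": (strict, Policy.SEND_425)}
MIXED_CLASSIFIER = {"edge-a": (strict, Policy.SEND_425), "edge-b": (lax, Policy.SEND_425)}

if __name__ == "__main__":
    print(classification_conflicts(SAME_CLASSIFIER, REQUESTS))
    print(classification_conflicts(MIXED_CLASSIFIER, REQUESTS))
```

Differing reactions with one shared classifier produce no conflict; identical reactions with differing classifiers do, because a replayed request only needs to reach the server with the weaker classification.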