Re: [quicwg/base-drafts] Require RFC8470 (#2433)

Martin Thomson <> Thu, 07 February 2019 02:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F33D130FB7 for <>; Wed, 6 Feb 2019 18:13:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.553
X-Spam-Status: No, score=-12.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O7Zl1r5semVf for <>; Wed, 6 Feb 2019 18:13:35 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 768F0130FAB for <>; Wed, 6 Feb 2019 18:13:35 -0800 (PST)
Date: Wed, 06 Feb 2019 18:13:34 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1549505614; bh=0ejst909wzkNW/y9bEVn7JxUKgELHi2isDAZrSq5gIU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=WcBCzMJuiyCj6605vBLDBI/N/e93JHl9yE3tyQxAi1KyvHYSniMDxktqEqPfrocGX iSMxf3tcuMiosOEZeyiZ4Df0S6NZZp1OGeNxelGCCI9AEv490VSEFLvfAxhZ1j34Zj /WLqlmtgAsgt4+fmVHhOgPuISIKeZ7ev51ZaVh70=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2433/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Require RFC8470 (#2433)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c5b944ea080b_72cd3f9b02ad45bc1219b8"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Feb 2019 02:13:37 -0000

martinthomson commented on this pull request.

This supercedes what I added in #2355. 

Not sure that we need the exposition, given the risk of getting things subtly wrong though.

> @@ -234,6 +234,17 @@ SETTINGS frame. After the QUIC connection is established, a SETTINGS frame
 ({{frame-settings}}) MUST be sent by each endpoint as the initial frame of their
 respective HTTP control stream (see {{control-streams}}).
+## Early Data and HTTP/3
+QUIC provides a facility for early data during the first flight of packets sent
+by the client.  Early data is not subject to the same security guarantees as
+data sent after the handshake completes.  In particular, this data can be
+replayed by an attacker able to capture the packets and the server will not know

This isn't entirely true.  Capturing and replaying packets is not sufficient, or even necessary for an attack.  I would instead point at TLS 1.3 and the discussion about what can happen there than try to repeat it.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: