Re: [quicwg/base-drafts] Describe interaction between QUIC and TLS regarding saved 0-RTT state (#2947)

Martin Thomson <> Thu, 10 October 2019 23:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 76E7F120137 for <>; Thu, 10 Oct 2019 16:58:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 54Os_8xT8IPa for <>; Thu, 10 Oct 2019 16:58:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D9F61200C1 for <>; Thu, 10 Oct 2019 16:58:11 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8A9D7A04F3 for <>; Thu, 10 Oct 2019 16:58:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1570751890; bh=prLvDBgxygnYXixJmmMZoQS4mtbWARgQXw1TwMHr4zY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=K+OCLpWXuUjyw/BW8Ngu6p+5Ij/fdCH+uAsfCi22XTJSXFmcWEPfzDWqkDXDpr51K BZArrLSnHpTKqbf4GeVFNpLSOTSvEnxcV3JuXZhjNISgjR2zSuUmaCexRsDlHg7ZF4 bDRJbqrOIxluqbevzgnGcoAuHWdX4d+8cGMVQXsc=
Date: Thu, 10 Oct 2019 16:58:10 -0700
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2947/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Describe interaction between QUIC and TLS regarding saved 0-RTT state (#2947)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d9fc5927b577_1ab53fd0508cd95c103345"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 Oct 2019 23:58:14 -0000

martinthomson commented on this pull request.

> @@ -644,6 +647,27 @@ A client MAY attempt to send 0-RTT again if it receives a Retry or Version
 Negotiation packet.  These packets do not signify rejection of 0-RTT.
+## Validating 0-RTT Configuration
+When a server receives a ClientHello with the "early_data" extension, it has to
+decide whether to accept or reject early data from the client. Some of this
+decision is made by the TLS stack (e.g., checking that the cipher suite being
+resumed was included in the ClientHello; see Section 4.2.10 of {{!TLS13}}). Even
+when the TLS stack has no reason to reject early data, the QUIC stack or the
+application protocol using QUIC might reject early data because the
+configuration of the transport or application associated with the resumed
+session is not compatible with the server's current configuration.
+QUIC requires additional transport state to be associated with a 0-RTT session
+ticket. If stateless session tickets are used, this information must be stored
+in the session ticket. Application protocols that use QUIC might have similar

That would be fine.  The use of "must", implying "MUST", is a little too strong.

I would probably say that the choice of location (NEW_TOKEN vs NST) is an implementation-dependent one.  Implementations might want to use NST as that has better fate-sharing and they might not want to concern themselves with path validation for 0-RTT (or to allow a limited amount of 0-RTT in the case the token is bad).  Or, they could insist on a token and strong path validation, so moving the larger state necessary for 0-RTT into the token makes more sense.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: