Re: [TLS] Security review of TLS1.3 0-RTT
Eric Rescorla <ekr@rtfm.com> Fri, 02 June 2017 00:22 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DCC5129AF3 for <tls@ietfa.amsl.com>; Thu, 1 Jun 2017 17:22:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Upyv5PIibhM0 for <tls@ietfa.amsl.com>; Thu, 1 Jun 2017 17:22:54 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CF72129AE3 for <tls@ietf.org>; Thu, 1 Jun 2017 17:22:54 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id l14so27087351ywk.1 for <tls@ietf.org>; Thu, 01 Jun 2017 17:22:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rQkhvt4EJYWfEUYq6o2KLTRjIlW5iiyrgp9Mg9B5KAM=; b=0le9+7YoGvHJ5qg1kp1OgwQOuS+5zShGWExEkMbtWCo+ebQR1itP71icNMVJy3qW1Z sirUD/Ve/6G6TphDfRU1u5qKCwflEomG/ct04a+Ph9J4oeV30hAS7poa82VJwYP/f/rz dwUcwmsnnBgAZH2Euc+3O9u8ArnQk+JkJ60XqPizf7bh7HihiFATfw76TjkoDS6p0Fyt 5h+2gIqjT4CPZAym9hKM7tE8Wu+ymsiYoWI4TbNzWmmFoZf4EqCML8B0Kmhh+NqGkoOq 7vTptvCsOjmDsOYAKHG2Er44NO0Rnil619kzGuqM0LX0CCpsGuXb5vmD0tYnqJB3b92Q zWMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rQkhvt4EJYWfEUYq6o2KLTRjIlW5iiyrgp9Mg9B5KAM=; b=Semxrn1P8K783n1CrsTcO2ttCeMxBm/k29kVqSu8eHij/S6SLNn2ilXTRu2eQJL4Ex JEr3dNJYWFGSxMfmQfeuuGPCetHWy8/Ju6ji0U/3avLNqfrDEHW/lWnCs3tXECYp50hI 7kX5oDsxgTj9gAOhGzDygcmPtgrMmt54Zug77x8F6rEoHIYDpITuBrgy9Bo+emP5g5AV jt7uVrDCfypapWJ4l70uNvA9aZzvKnB6fO4Tcrpx3tjAmdTux3jnnmUl9QKGUZObQkd4 1kGxlC4MiIyj9Wh6IfcWWtEK5gDHyjobYKnY3/6+7eXI5KfPUjMr52KCDuxd/j13tQb4 VK4A==
X-Gm-Message-State: AODbwcA3k9bLlZXbW09ncz6GcfiLe0PRxq+4kkZpi6Rqpu7gWakS4SAS 2cCvZ0dgqlxNBhlR3ww6C9Gu1ZDS5gjrexk6lA==
X-Received: by 10.129.104.69 with SMTP id d66mr3585836ywc.74.1496362973508; Thu, 01 Jun 2017 17:22:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.106.137 with HTTP; Thu, 1 Jun 2017 17:22:12 -0700 (PDT)
In-Reply-To: <CAAF6GDfZr_zEuttf2zQhJ9vv2T-e1Mzb3G09_auLReftSJveeg@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CAAZdMacpJ-qoQt2pDBjTq6ADwmRKOHXTHDyDTzb+g2gYPvtZzQ@mail.gmail.com> <CAAF6GDdobkQh9_iqX1oU_BO9O2aK2_7Cbaper0AY4qEGYXAcvA@mail.gmail.com> <CAAZdMaeTdcgdCj26kVuq6-0EX1nmehvJJCq+YzB-4r84aRjhuA@mail.gmail.com> <CAAF6GDesLzMDN_LVYr6sFU8Z04jpXhFZphOAet-0JPsFF56Oig@mail.gmail.com> <CAAZdMadDctG0sMyDV49+8UUiagqQpi0bSehtQuKPELMU-+Gg5g@mail.gmail.com> <CAAF6GDfZr_zEuttf2zQhJ9vv2T-e1Mzb3G09_auLReftSJveeg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 01 Jun 2017 17:22:12 -0700
Message-ID: <CABcZeBMMth+Sbo0JW_oQYh80y1xaE8gSOdWr9tL+pYmxO4DbRQ@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: Victor Vasiliev <vasilvv@google.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11490b9a7dd4f00550ef2713"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-UhafuP3eESyEU68hh7MY4avrIs>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jun 2017 00:22:57 -0000
I've just gone through this thread and I'm having a very hard time understanding what the actual substantive argument is about. Let me lay out what I think we all agree on. 1. As long as 0-RTT is declinable (i.e., 0-RTT does not cause connection failures) then a DKG-style attack where the client replays the 0-RTT data in 1-RTT is possible. 2. Because of point #1, applications must implement some form of replay-safe semantics. 3. Allowing the attacker to generate an arbitrary number of 0-RTT replays without client intervention is dangerous even if the application implements replay-safe semantics. 4. If implemented properly, both a single-use ticket and a strike-register style mechanism make it possible to limit the number of 0-RTT copies which are processed to 1 within a given zone (where a zone is defined as having consistent storage), so the number of accepted copies of the 0-RTT data is N where N is the number of zones. 5. Implementing the level of coherency to get #4 is a pain. 6. If you bind each ticket to a given zone, then you can get limit the number of accepted 0-RTT copies to 1 (for that zone) and accepted 1-RTT copies to 1 (because of the DKG attack listed above). Colm, Victor, do you disagree with this summary? -Ekr On Thu, Jun 1, 2017 at 4:59 PM, Colm MacCárthaigh <colm@allcosts.net> wrote: > > > On Thu, Jun 1, 2017 at 1:50 PM, Victor Vasiliev <vasilvv@google.com> > wrote: > >> I am not sure I agree with this distinction. I can accept the difference >> in >> terms of how much attacker can retry -- but we've already agreed that >> bounding >> that number is a good idea. I don't see any meaningful distinction in >> other >> regards. >> > > It's not just a difference in the number of duplicates. With retries, the > client maintains some control, so it can do things like impose delays and > update request IDs. Bill followed up with an exactly relevant example from > Token Binding where the retry intentionally has a different token value. > That kind of control is lost with attacker driven replays. > > But even if we focus on just the number; there is something special about > allowing 0 literal replays of a 0-RTT section; it is easy for users to > confirm/audit/test. If there's a hard-guaranteee that 0-RTT "MUST" never be > replayable, then I feel like we have a hope of producing a viable 0-RTT > ecosystem. Plenty of providers may screw this up, or try to cut corners, > but if we can ensure that they get failing grades in security testing > tools, or maybe even browser warnings, then we can corral things into a > zone of safety. Otherwise, with no such mechanism, I fear that bad > operators will cause the entire 0-RTT feature to be tainted and entirely > turned off over time by clients. > >> >> Sure, but this is just an argument for making N small. Also, retrys can >> also >> be directed to arbitrary nodes. >> > > This is absolutely true, but see my point about the client control. > Regardless, it is a much more difficult attack to carry out. That is to > intercept and rewrite a whole TCP connection Vs grabbing a 0-RTT section > and sending it again. > > >> >> >>> What concerns me most here is that people are clearly being confused by >>> the TLS 1.3 draft into mis-understanding how this interacts with 0-RTT. For >>> example the X-header trick, to derive an idempotency token from the binder, >>> that one experimental deployment innovated doesn't actually work because it >>> doesn't protect against the DKG attack. We're walking into rakes here. >>> >> >> Of course it doesn't protect against the DKG attack, but nothing at that >> layer >> actually does. >> >> This sounds like an issue with the current wording of the draft. As I >> mentioned, I believe we should be very clear on what the developers >> should and >> should not expect from TLS. >> > > Big +1 :) > > >> So, in other words, since we're now just bargaining about the value of N, >>>> operational concerns are a fair game. >>>> >>> >>> They're still not fair game imo, because there's a big difference >>> between permitting exactly >>> one duplicate, associated with a client-driven retry, and permitting >>> huge volumes of replays. They enable different kinds of attacks. >>> >>> >> Sure, but there's a space between "one" and "huge amount". >> > > It's not just quantitive, it's qualitative too. But now I'm duplicating > myself more than once ;-) > > >> Well in the real world, I think it'll be pervasive, and I even think it >>> /should/ be. We should make 0-RTT that safe and remove the sharp edges. >>> >> >> Are you arguing that non-safe requests should be allowed to be sent via >> 0-RTT? >> Because that actually violates reasonable expectations of security >> guarantees >> for TLS, and I do not believe that is acceptable. >> > > I'm just saying that it absolutely will happen, and I don't think any kind > of lawyering about the HTTP spec and REST will change that. Folks use GETs > for non-idempotent side-effect-bearing APIs a lot. And those folks don't > generally understand TLS or have anything to do with it. I see no real > chance of that changing and it's a bit of a deceit for us to think that > it's realistic that there will be these super careful 0-RTT deployments > where everyone from the Webserver administrator to the high-level > application designer is coordinating and fully aware of all of the > implications. It crosses layers that are traditionally quite far apart. > > So with that in mind, I argue that we have to make TLS transport as secure > as possible by default, while still delivering 0-RTT because that's such a > beneficial improvement. > > >> I do not believe that this to be the case. The DKG attack is an attack >>>> that allows >>>> for a replay. >>>> >>> >>> It's not. It permits a retry. The difference here is that the client is >>> in full control. It can decide to delay, to change a unique request ID, or >>> even not to retry at all. But the legitimate client generated the first >>> attempt, it can be signaled that it wasn't accepted, and then it generates >>> the second attempt. If it really really needs to it can even reason about >>> the complicated semantics of the earlier request being possibly >>> re-submitted later by an attacker. >>> >> >> That's already not acceptable for a lot of applications -- and by enabling >> 0-RTT for non-safe HTTP requests, we would be pulling the rug from under >> them. >> > > Yep; but I think /this/ risk is manageable and tolerable. Careful clients, > like the token binding case, can actually mitigate this. I've outlined the > scheme. For careless clients, like browsers, they can mostly ignore this; > since they retry so easily anyway, it's no worse. > > But there is *no* proposed mitigation for replayable 0-RTT. So I don't > think that's manageable. Just trying to make a data-driven decision. If > someone presents an alternative mitigation (besides forbidding replays), > I'll change my mind. > > >> Throttling POST requests is fine -- they shouldn't go over 0-RTT, since >> they >> are not idempotent. Throttling GET requests in this manner goes at odds >> with >> RFC 7231. >> > > Throttling GET requests happens all of the time and is an important > security and fairness measure used by many deployed systems. 0-RTT would > break it. That's not ok. > > I don't think it is at odds with RFC 7231 ... which also defines the 503 > status code. > > > Incidentally, guarantee C does solve the throttling problem -- if you get N >> replays, you get promise of 1/(N+1) throttled resource available to you. >> Deployments which do this with GETs may want to deploy the measures to >> make N >> very small. Also, since they already keep track of the state for >> throttling >> purposes, they might add a strike register on top of that. >> > > One could implement a strike register like that, in the same way as a > coordinated throttling system, they have some things in common. Though it > crosses layers. > > I'm all for bounded replay protection, with the bounds being 1 ;-) >>> >> >> Why not 2? What is the difference between 1 and 2? 2 and 3? 3 and 24? >> None >> of the proposed attacks distinguishes 1 replay and N replays in >> qualitative >> ways (as opposed to giant semantic leap between 0 and 1 replay); only in >> how >> much damage you can do, or how much information you can extract from the >> side >> channel. >> > > You keep discarding my points about client control and focusing just on > the number; but there quantitative and qualitative differences. That kind > of argument isn't very productive and doesn't move us forward. But I've > answered above too. > > -- > Colm > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Daniel Kahn Gillmor
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Jeffrey Walton
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Hannes Tschofenig
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Timothy Jackson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Watson Ladd
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Derrell Piper
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT David Benjamin
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Dave Garrett
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Yoav Nir