Re: [TLS] 0-RTT in DTLS 1.3

Hanno Becker <Hanno.Becker@arm.com> Mon, 24 May 2021 04:19 UTC

From: Hanno Becker <Hanno.Becker@arm.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 24 May 2021 04:19:07 +0000
Message-ID: <PAXPR08MB716920F1FE015A77EA09FF679B269@PAXPR08MB7169.eurprd08.prod.outlook.com>
References: <PAXPR08MB7169693DFFA1D93B35B8D9039B279@PAXPR08MB7169.eurprd08.prod.outlook.com>, <a2bae4a5-66b8-49db-8fb5-3993f593e64a@www.fastmail.com>
In-Reply-To: <a2bae4a5-66b8-49db-8fb5-3993f593e64a@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ih_cbeMus6_hAtngaI8BXjgIPp0>

Hi Martin,

> TLS already says that HRR automatically causes 0-RTT to be rejected.  "Early data is not permitted after a HelloRetryRequest." (RFC 8446, Section 4.1.2)

Yep, that's clear - my question was whether the DTLS 1.3 Spec should contain an explicit
reminder of that, e.g. when it claims that cryptographic material is uniquely identified
by epochs. This wouldn't be true if you could send 0-RTT after an HRR, in which case
you'd end up with an overloading of epoch 1.

Cheers,
Hanno
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <mt@lowentropy.net>
Sent: Monday, May 24, 2021 12:57 AM
To: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] 0-RTT in DTLS 1.3

On Sun, May 23, 2021, at 16:05, Hanno Becker wrote:
> 1) In DTLS 1.3, it would seem common for the server to send an HRR for
> the sake of return routability checking. TLS 1.3 forbids the use of
> 0-RTT after an HRR. So, 0-RTT can't be used in DTLS 1.3 if the server
> requires return routability checking -- is this understanding correct?
> Should this be stated more explicitly?

This is not the model that QUIC uses.  Binding return routability information into session tickets allows 0-RTT to be used, albeit at some risk.  Managing that risk might take a few forms, the most common being limiting the total amount of response data and limiting the period over which 0-RTT is accepted (more than the 7 days).

> 2) Not allowing 0-RTT after an HRR, or rather not allowing 0-RTT
> *twice*, seems important for DTLS 1.3 as we'd otherwise overload epoch
> 1. Is this worth stating?

TLS already says that HRR automatically causes 0-RTT to be rejected.  "Early data is not permitted after a HelloRetryRequest." (RFC 8446, Section 4.1.2)
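The epoch point raised in this exchange can be made concrete. The following Python model is an added illustration, not code from the thread, from the IETF, or from any DTLS stack. It derives the epoch-1 (0-RTT) traffic secret the way RFC 8446 Section 7.1 does, with the "dtls13" label prefix of RFC 9147 Section 5.9, and keeps a record-layer table that insists each epoch name exactly one key set (epoch numbering per RFC 9147 Section 6.1). The `Server` class and its `enforce_rule` flag are hypothetical, the PSK and handshake message bytes are constructed stand-ins, and the transcript used for a hypothetical second 0-RTT flight is an assumption (the specification defines no such derivation precisely because early data after HRR is forbidden). With the RFC 8446 4.1.2 rule enforced, epoch-1 records after an HRR are discarded and epoch 1 stays bound to at most one key; with the rule switched off, the second flight keys epoch 1 from a different transcript and the table detects the overload Hanno describes.

```python
"""Toy model of the DTLS 1.3 epoch/key invariant discussed in this thread.

Epochs follow RFC 9147 Section 6.1 (0 = plaintext, 1 = 0-RTT early data,
2 = handshake, 3 = application data). The early traffic secret follows
RFC 8446 Section 7.1 with the "dtls13" label prefix of RFC 9147 Section 5.9.
The Server class, its flags and all sample bytes are constructed here.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
EPOCH_PLAINTEXT, EPOCH_EARLY, EPOCH_HANDSHAKE, EPOCH_APP = 0, 1, 2, 3


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"dtls13" + label.encode("ascii")
    hkdf_label = (struct.pack(">H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand (RFC 5869)
        block = hmac.new(secret, block + hkdf_label + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def client_early_traffic_secret(psk: bytes, transcript: bytes) -> bytes:
    """Early Secret = HKDF-Extract(0, PSK); Derive-Secret(., "c e traffic", ClientHello).

    The transcript hash is an input, so a different ClientHello gives a different
    epoch-1 key; that is what a second 0-RTT flight after HRR would collide on.
    """
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)
    return hkdf_expand_label(early_secret, "c e traffic", HASH(transcript).digest(), HASH_LEN)


class EpochOverload(Exception):
    """One epoch number would have to name two different key sets."""


class EpochKeyTable:
    """Record-layer view: epoch -> the single traffic secret it identifies."""

    def __init__(self):
        self._secrets = {}

    def install(self, epoch: int, secret: bytes) -> None:
        prior = self._secrets.get(epoch)
        if prior is not None and prior != secret:
            raise EpochOverload(f"epoch {epoch} already bound to a different secret")
        self._secrets[epoch] = secret

    def secret_for(self, epoch: int):
        return self._secrets.get(epoch)


class Server:
    """Hypothetical server; enforce_rule toggles RFC 8446 4.1.2
    ('Early data is not permitted after a HelloRetryRequest')."""

    def __init__(self, psk: bytes, require_return_routability: bool, enforce_rule: bool = True):
        self.psk, self.require_rr, self.enforce_rule = psk, require_return_routability, enforce_rule
        self.keys = EpochKeyTable()
        self.hrr_sent = False
        self.accepted_early = []

    def on_client_hello(self) -> str:
        # A server needing a return-routability check answers the first CH with HRR + cookie.
        if self.require_rr and not self.hrr_sent:
            self.hrr_sent = True
            return "HRR"
        return "SH"

    def on_early_record(self, transcript: bytes, payload: bytes) -> bool:
        """An epoch-1 record arrives; returns True if it was accepted."""
        if self.enforce_rule and self.hrr_sent:
            return False  # discard: epoch 1 never acquires a second key
        self.keys.install(EPOCH_EARLY, client_early_traffic_secret(self.psk, transcript))
        self.accepted_early.append(payload)
        return True


def simulate(require_hrr: bool, enforce_rule: bool = True) -> str:
    """Runs the client flights against the server and reports the outcome."""
    psk = b"constructed-sample-psk-0123456789abcdef"  # constructed sample PSK
    ch1 = b"ClientHello#1 (no cookie)"                  # constructed stand-ins for
    hrr = b"HelloRetryRequest(cookie=C)"                # the handshake message bytes
    ch2 = b"ClientHello#2 (cookie=C)"
    server = Server(psk, require_hrr, enforce_rule)

    if server.on_client_hello() == "SH":                # no HRR: ordinary 0-RTT
        server.on_early_record(ch1, b"GET /")
        return "early data accepted"
    server.on_early_record(ch1, b"GET /")               # flight-1 early data, HRR already decided
    server.on_client_hello()                            # CH2 with cookie -> ServerHello
    try:                                                # assumed transcript for a repeated 0-RTT
        server.on_early_record(ch1 + hrr + ch2, b"GET /")
    except EpochOverload:
        return "epoch 1 overloaded"
    return "early data rejected after HRR"


if __name__ == "__main__":
    for args in ((False,), (True,), (True, False)):
        print(args, "->", simulate(*args))
```

Running the module prints the three outcomes: 0-RTT accepted when no HRR is needed, early data rejected after HRR with the rule enforced, and an epoch-1 overload when the rule is dropped.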
