Re: [TLS] 0-RTT and Anti-Replay

Nico Williams <> Mon, 23 March 2015 08:34 UTC

Date: Mon, 23 Mar 2015 03:33:09 -0500
From: Nico Williams <>
To: Martin Thomson <>
Message-ID: <20150323083308.GL21267@localhost>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Sun, Mar 22, 2015 at 08:35:34PM -0700, Martin Thomson wrote:
> For HTTP, I think we can use that first flight for idempotent queries
> quite easily and (at worst) the HTTP/2 connection preface.

But TLS can't know what's happening at the application layer, so it had
better be the case that the 0-RTT data is clearly denoted to the app as
"had better be idempotent".  I.e., this becomes an API issue.  The name
of the method would have to be indicative of danger.

0-RTT data is acted on at great risk.  It's OK to use it for negotiation
purposes where the integrity of the negotiation will eventually be
confirmed (else the connection fails).  For things like "launch
missiles" it is a very bad idea to act on the command before
authenticating it and determining that it's not a replay.  When we don't
know the nature of the data, we must assume it can't be sent without
authentication and replay protection.
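The API point made in the reply above, as an added illustration (not code from the TLS working group, from Nico Williams, or from any TLS library): 0-RTT data is handed to the application explicitly flagged as early, and the application treats that flag as "possibly replayed". The names `Request`, `Connection`, `classify`, `handle` and `confirm_handshake`, and the choice of which HTTP methods count as safe to serve from the first flight, are assumptions made for this example. Early-data requests that are not idempotent are held back until the handshake completes, which a passive replay of the first flight cannot achieve because the replayer does not hold the key needed to finish it.

```python
"""Toy model of an application-facing API that labels 0-RTT data.

Added example; not part of the mailing-list post or of any TLS stack.
Assumed names: Request, Connection, classify, handle, confirm_handshake.
"""
from dataclasses import dataclass, field

# Assumption for the example: methods that are safe to act on even if
# the first flight turns out to be a replay (read-only, idempotent).
IDEMPOTENT_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    early: bool = False  # True when carried in the 0-RTT first flight


@dataclass
class Connection:
    # Set once the peer's Finished has been verified; until then any
    # early data may be a replayed copy of an earlier first flight.
    handshake_confirmed: bool = False
    deferred: list = field(default_factory=list)


def classify(req: Request) -> str:
    """Decide what the application may do with a request right now.

    "act"   - safe to execute immediately.
    "defer" - hold until the handshake is confirmed; acting now would
              mean executing a possibly replayed, unauthenticated command.
    """
    if not req.early:
        return "act"  # 1-RTT data: authenticated and replay-protected
    return "act" if req.method in IDEMPOTENT_METHODS else "defer"


def handle(conn: Connection, req: Request, log: list) -> str:
    """Process one request; `log` records the actions actually taken."""
    if classify(req) == "defer" and not conn.handshake_confirmed:
        conn.deferred.append(req)
        return "deferred"
    log.append(f"{req.method} {req.path}")
    return "acted"


def confirm_handshake(conn: Connection, log: list) -> int:
    """Call when the handshake has completed and the peer's Finished
    verified. The deferred early-data requests came from a live peer
    holding the key, so they can now be executed. Returns how many."""
    conn.handshake_confirmed = True
    flushed = 0
    for req in conn.deferred:
        log.append(f"{req.method} {req.path}")
        flushed += 1
    conn.deferred.clear()
    return flushed


if __name__ == "__main__":
    # Constructed sample traffic for a single connection.
    conn, log = Connection(), []
    print(handle(conn, Request("GET", "/status", early=True), log))    # acted
    print(handle(conn, Request("POST", "/launch", early=True), log))   # deferred
    print(confirm_handshake(conn, log), "request(s) flushed")
    print(log)
```

The decision lives in `classify`, so a caller cannot accidentally act on early data without going through the check; that is the "name of the method would have to be indicative of danger" point expressed as an explicit flag plus a mandatory classification step rather than as a naming convention.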