Re: [TLS] Security review of TLS1.3 0-RTT
Colm MacCárthaigh <colm@allcosts.net> Fri, 02 June 2017 06:21 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAD6F12956B for <tls@ietfa.amsl.com>; Thu, 1 Jun 2017 23:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gnn8yObJYnPm for <tls@ietfa.amsl.com>; Thu, 1 Jun 2017 23:20:59 -0700 (PDT)
Received: from mail-yb0-x236.google.com (mail-yb0-x236.google.com [IPv6:2607:f8b0:4002:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D84441294E6 for <tls@ietf.org>; Thu, 1 Jun 2017 23:20:58 -0700 (PDT)
Received: by mail-yb0-x236.google.com with SMTP id r66so15702991yba.2 for <tls@ietf.org>; Thu, 01 Jun 2017 23:20:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=QVYT7VS3ZhAy/REUNCxEmXX2O8qpajyFDX8VcmMAlaE=; b=wl2s74k8loDQW8lfYnjtbWNTzZgg6lanSnzSQoCVu3ZNZUHnsX++Bv9MxaDCe7UO3z 42sNYyIW+ACqn2xu6Q6OFvfS/H6JZRf7C5sLRtW3Q2LXjhcdMNANCFl2Y0cipxg45kU8 RP8YK7pVhZCZU5B3FvVk1f9sqJRYAC03mw2nQUBF3HDYKzrNv+OksCW9E2AgDXSmHKMR XRCdAznDbWE5O6PHxrMEEsRLC4NvL6mXu/qeWUq7XUvIDCGnXvTplq+kZK5tUBvnWnYG nLQlFaZksu2Y2FmaEWqw/I8JfhDTO1FtuKZfkCV6HeBx6ZG37qE37mvNH4oNzpRUDmlq Qcdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=QVYT7VS3ZhAy/REUNCxEmXX2O8qpajyFDX8VcmMAlaE=; b=t3fxkiuZpqnkzQbo0IxoLVxVY+RYL0NDcfCw8ZX5GTB494y56eqbd0bECgbI8nv2NS 2vWMwiUgkYefmd4TdSfKWAEOI6hMhWe3h0Yyf1MTnvsjWqlwc2U5a0SNNjFUtOaoXC/x 3pb5lyNZshemjFzvwbxxSFPw2SuWDZRNA5BIkvg2guCjzrQi8TwDJrhY6TdWtdiTlTHY qxEm7YRQE7K8DnUOxelviG8NqbSVJyLL12tLMW5QQTyrBh8mYuJ4UQeh7HUQ/Xwv1G8H CLSb4FG4X/J66d245IWOqB+7XhSntjs3cSiGW+Taz62PoxT0zMHifGPX63CfAJakSvJL +djg==
X-Gm-Message-State: AODbwcAD+q2oS3A+0ON/enaDFAZ5v0vD1YucasHsFw5wYMKkkb5st4Sg /pgm8hP1IdH0R4ZUD7U72GpZriEQLdc0
X-Received: by 10.37.170.98 with SMTP id s89mr21231935ybi.19.1496384457824; Thu, 01 Jun 2017 23:20:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.93.70 with HTTP; Thu, 1 Jun 2017 23:20:56 -0700 (PDT)
In-Reply-To: <CABcZeBMMth+Sbo0JW_oQYh80y1xaE8gSOdWr9tL+pYmxO4DbRQ@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CAAZdMacpJ-qoQt2pDBjTq6ADwmRKOHXTHDyDTzb+g2gYPvtZzQ@mail.gmail.com> <CAAF6GDdobkQh9_iqX1oU_BO9O2aK2_7Cbaper0AY4qEGYXAcvA@mail.gmail.com> <CAAZdMaeTdcgdCj26kVuq6-0EX1nmehvJJCq+YzB-4r84aRjhuA@mail.gmail.com> <CAAF6GDesLzMDN_LVYr6sFU8Z04jpXhFZphOAet-0JPsFF56Oig@mail.gmail.com> <CAAZdMadDctG0sMyDV49+8UUiagqQpi0bSehtQuKPELMU-+Gg5g@mail.gmail.com> <CAAF6GDfZr_zEuttf2zQhJ9vv2T-e1Mzb3G09_auLReftSJveeg@mail.gmail.com> <CABcZeBMMth+Sbo0JW_oQYh80y1xaE8gSOdWr9tL+pYmxO4DbRQ@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Thu, 01 Jun 2017 23:20:56 -0700
Message-ID: <CAAF6GDc8-B=O1fwHcQz0D9aD7Xwai4SgVb9uEThNzr9SC4qFrg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Victor Vasiliev <vasilvv@google.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c19ad5c0f06f20550f428b9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p8Wn1djEM5xf8eKEf64CI14-HMo>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jun 2017 06:21:01 -0000
On Thu, Jun 1, 2017 at 5:22 PM, Eric Rescorla <ekr@rtfm.com> wrote: > I've just gone through this thread and I'm having a very hard time > understanding what the actual substantive argument is about. > > Let me lay out what I think we all agree on. > This is a good summary, I just have a few clarifications ... > 1. As long as 0-RTT is declinable (i.e., 0-RTT does not cause > connection failures) then a DKG-style attack where the client > replays the 0-RTT data in 1-RTT is possible. > This isn't what I call a replay. It's a second request, but the client is control of it. That distinction matters because the client can modify it if it needs to be unique in some way and that turns out to be important for some cases. 2. Because of point #1, applications must implement some form > of replay-safe semantics. > Yep; though note that in some cases those replay-safe semantics themselves actually depend on uniquely identifiable requests. For example a protocol that depends on client-side-versioning, or the token-binding case. > 3. Allowing the attacker to generate an arbitrary number of 0-RTT > replays without client intervention is dangerous even if > the application implements replay-safe semantics. > Yep. > 4. If implemented properly, both a single-use ticket and a > strike-register style mechanism make it possible to limit > the number of 0-RTT copies which are processed to 1 within > a given zone (where a zone is defined as having consistent > storage), so the number of accepted copies of the 0-RTT > data is N where N is the number of zones. > This is much better than the total anarchy of allowing completely unlimited replay, and it does reduce the risk for side-channels, throttles etc, but I wouldn't consider it a proper implementation or secure. Importantly it gets us back to a state where clients may have no control over a deterministic outcome. Some clients need idempotency tokens that are consistent for duplicate requests, this approach works ok then. Other kinds of clients also need tokens that are unique to each request attempt, this approach doesn't work ok in that case. That's the qualitative difference. I'd also add that the suggested optimization here is clearly to support globally resumable session tickets that are not scoped to a single site. That's a worthy goal; but it's unfortunate that in the draft design it also means that 0-RTT sections would be globally scoped. That's seems bad to me because it's so hostile to forward secrecy, and hostile to protecting the most critical user-data. What's the point of having FS for everything except the requests, where the auth details often are, and which can usually be used to generate the response? Synchronizing keys that can de-cloak an arbitrary number of such sessions to many data centers spread out across the world, seems just so defeating. I realize that it's common today, I've built such systems, but at some point we have to decide that FS either matters or it doesn't. Are users and their security auditors really going to live with that? What is the point of rolling out ECDHE so pervasively only to undo most of the benefit? Maybe a lot of this dilemma could be avoided if the the PSKs that can be used for regular resumption and for 0-RTT encryption were separate, with the latter being scoped smaller and with use-at-most-once semantics. 5. Implementing the level of coherency to get #4 is a pain. > > 6. If you bind each ticket to a given zone, then you can > get limit the number of accepted 0-RTT copies to 1 > (for that zone) and accepted 1-RTT copies to 1 (because > of the DKG attack listed above). > Yep! Agreed :) -- Colm
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Daniel Kahn Gillmor
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Jeffrey Walton
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Hannes Tschofenig
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Timothy Jackson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Watson Ladd
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Derrell Piper
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT David Benjamin
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Dave Garrett
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Yoav Nir