Re: [TLS] Security review of TLS1.3 0-RTT
Eric Rescorla <ekr@rtfm.com> Wed, 03 May 2017 03:19 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD8C129BF8 for <tls@ietfa.amsl.com>; Tue, 2 May 2017 20:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mV5aoJF2okId for <tls@ietfa.amsl.com>; Tue, 2 May 2017 20:19:51 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26729129C60 for <tls@ietf.org>; Tue, 2 May 2017 20:17:47 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id 203so78982751ywe.0 for <tls@ietf.org>; Tue, 02 May 2017 20:17:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Eji5ZrkwxOmCKOzwKaYLG9eZEDMaPk35CqGNjMIZ24o=; b=ivz5J6XPP933mpdtBUrFRYB0c70w8BBckDYNQ0+gq59g21GAwImTedqM1tLOkz/BL3 M105xHKAec6iUsSRH+MeDlp8sGNK6/b3eEUR3t8vn5tRHCgV2BJ2XZzjtqTv3nkq3kwL aBQ/cbj7kpm5ttbky7Q2LV4e9j9cSq1t91n5zio05sJu9eQdDoCB2gcH3PLIIf66tqKT D/TPdiDiICRLh9e3/dJNHr/pnarDzgjuZyQ71z22t3hIkbtkE3F9k3p+h+dDVhDBhuAI +xSR+4ExUUfoV1Cycz1hQQg2fKmz+JC15k7qGN1ZH9Vqm8QWKnJ0Sk/xrsFc/CE2BccC YKLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Eji5ZrkwxOmCKOzwKaYLG9eZEDMaPk35CqGNjMIZ24o=; b=UFvJeix8hHHJJRhBzTwJkddbKLeu4FLcg56ms4vw8dpk9mgM6S9efUMWV/28UMg3xO dJOea77efgo41mDHNrfz50AX7EXNyqcbcPA6VRCjoTTDJ1ykimLGVTzQk7liGEBQXQN/ hT7HlqzgxmSC0vLAB+Viyaq6ek+sVKgPhZ58oCrWGFGcRt426P2BL0Skrb9omPEGEZCs c4p6H+CDpZV824Pur0iTlhACCXJl69x60y0KAJc/X9HsHtSzo2R1byB3fA2K/73SODgG JrB5RPzVTTmrecx5PX/ElPw6H8/dqe/4zW58vSfPonz/K7OCucEvlX/hiuwd1H+6QRCq CfBw==
X-Gm-Message-State: AN3rC/5QAuZBb7QlpbpVKMrQnuID5zGasgSWDjQyT7p/9RfxSuXU/3iK Hw0QJjPMcSSdGu7UIhY8Mym0RSfP5AdYgag=
X-Received: by 10.129.52.141 with SMTP id b135mr27442030ywa.85.1493781466206; Tue, 02 May 2017 20:17:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.113.7 with HTTP; Tue, 2 May 2017 20:17:05 -0700 (PDT)
In-Reply-To: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 02 May 2017 20:17:05 -0700
Message-ID: <CABcZeBPP1j5O_4d=fjN4XF65OSgg=8YSRFbs3-PKTGNQZXwvNw@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11408984aaaf0b054e961926"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/etdZvSQFyGmTt_2oXEH9nu1gPbY>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 03:19:54 -0000
Colm, Thanks for your review. Interesting stuff. Scrolling ahead to the recommendations, I see you have: * Require implementations to robustly prevent Ticket re-use for 0-RTT. This seems like a good idea. I think it's arguable that we got a bit nihilistic about this, and as you say, you can do a pretty good job of reducing replay within a given data center using some local anti-replay mechanism. I would tend to think that a strong SHOULD is what you want here, as a MUST is going to be a lot more like a 6919 MUST (BUT WE KNOW YOU WON'T). I'll start preparing a PR on this. Here are the points I plan to make: - There are a series of attacks involving lots of replays (cherry-picking your draft) - Implementations cannot completely prevent replay but can do a lot to limit it using the following techniques (focusing on strike register and single-use cache). I understand from your document and our previous conversation that you believe single-use tokens are easier to implement on the server side, but I'm not sure I really follow your argument. If you want to provide some short text on that that we can all agree on, then I think we could incorporate this as well. * Partial mitigation for Gilmor attacks: deliberately duplicate 0-RTT data This seems like some sort of extra-grease, but I'm kinda skeptical that anyone is going to do it. Perhaps it would be useful to add it to draft-ietf-tls-grease? * Require TLS proxies to operate 0-RTT transitively I've read this several times but I have to admit I don't understand it. Do you think you could rephrase? The following doesn't appear in your recommendations, but I think you also think we should: * Adopt something like PR#998 to make each PSK_id correspond to a different PSK even when they are issued on the same connection. This seems straightforward, and I think we would also want to add some text in security considerations describing the security implications of the use of session-cache style PSKs to those of ticket-style PSKs, especially when this technique is used. * Require that clients only use tickets once. For the reasons Viktor indicated, I tend to think this is inadvisable. As you indicate, there are two implications of ticket reuse: - It leaks some of ticket_age If the server wants to support it, it - needs to not have a single-use session cache, so that threatens PFS. As discussed on the list, the ticket_age issue is principally a linkage issue, and the ticket is inherently linkable [0]. WRT the PFS issue, the server can always implement a single-use cache if it wants to, and if the server is doing ordinary tickets (which I understand you don't like, but I don't think we are going to ban), then the PFS situation seems unchanged. I have considered whether we should have a way for the server to say "only use this ticket once" but I'm not sure how that helps as the server can just unilaterally forget the tickeet. * Remove ticket_age This doesn't seem like a good idea: if you are implementing a strike register, you want to use ticket_age to help distinguish "fresh" from "unknown state". I.e., the ticket_age + the ticket issue time allows you to determine approximately when a CH was sent, and any CH that is significantly older or newer than now is forced back into 1-RTT. -Ekr [0] With that said, it wouldn't honestly be that hard to Derive-Secret() a mask off of the PSK at the same time we derive the early data key, if we really wanted to. On Tue, May 2, 2017 at 7:44 AM, Colm MacCárthaigh <colm@allcosts.net> wrote: > On Sunday at the TLS:DIV workshop I presented a summary of findings of a > security review we did on TLS1.3 0-RTT, as part of implementing 1.3 in s2n. > Thanks to feedback in the room I've now tightened up the findings from the > review and posted them as an issue on the draft GitHub repo: > > https://github.com/tlswg/tls13-spec/issues/1001 > > I'll summarize the summary: Naturally the focus was on forward secrecy and > replay. On forward secrecy the main finding was that it's not necessary to > trade off Forward Secrecy and 0-RTT. A single-use session cache can provide > it, and with the modification that ekr has created in > https://github.com/tlswg/tls13-spec/pull/998 , such a cache works for > both pre-auth and post-auth tickets, and it allows clients to build up > pools of meaningfully distinct tickets. > > There's also an observation there that it should really be that clients > "MUST" use tickets only once. Any re-use likely discloses the obfuscated > ticket age, which is intended to be secret. Right now it's a "SHOULD". > > On replay, the main finding is that what's in the draft is not workably > secure, and the review includes 5 different attacks against 0-RTT data to > illustrate that. Attacks 1 and 2 show that the kind of replay permitted by > the draft is very different from the kind of replay permitted by dkg's > existing downgrade-and-retry attack. I also go over why it very very > difficult to many applications to achieve that idempotency, and why one > idempotency pattern actually relies on non-replayable messages. > > Attack 3 shows that idempotency is not sufficient, applications must also > be free of measurable side-effects, which is not practical. Attack 4 shows > that 0-RTT breaks a common security mechanism: spoofing-resistant > throttles. Attack 5 shows that 0-RTT replay-ability enables an additional > form of traffic analysis. > > The recommendation in the review is that implementations "MUST" prevent > replays of 0-RTT section, with some additional discussion about why the > existing advice is unlikely to be followed, and why consistent > interoperability matters here. > > Unfortunately, I wasn't aware until Friday that this review would be > coming so late in the TLD1.3 draft process, and my apologies for that. I am > now planning to attend the future WG in-person meetings and look forward to > seeing many of you there. > > -- > Colm > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Daniel Kahn Gillmor
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Jeffrey Walton
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Hannes Tschofenig
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Timothy Jackson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Watson Ladd
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Derrell Piper
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT David Benjamin
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Dave Garrett
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Yoav Nir