On Sat, Oct 14, 2017 at 1:20 AM, Kathleen Moriarty <kathleen.moriarty.ietf@xxxxxxxxx> wrote:
> The systems running ROLIE will be ones that enterprises will regard as
> high value assets. Replay attack and lack of forward secrecy aren't
> acceptable. The same will be true of many other HTTP enabled
> services. A performance gain isn't worth the trade off.

My point isn't to reject this sort of analysis, which is possibly correct, but to point out that this analysis is one that a deployment makes based on the circumstances.

Everyone thinks that their thing is a special snowflake, and that's OK, but you are asking for a levy on all implementations that would prevent use of 0-RTT in all deployments. I think that is inappropriate. I don't want to see every draft that the IETF ever published making its own assessment and a policy statement regarding this particular feature. (We don't mandate a particular authentication mechanism here either.)

Note that TLS 1.3 permits resumption without forward secrecy. It's not widely implemented that way, but it is possible. If you care about forward secrecy (I'm not sure that it's especially critical in this context given the time-sensitive nature of the information you are talking about), then you have to make statements about that as well. But again, I would not on the same grounds: the purpose of this work is to define what interoperability looks like, not to legislate deployment configuration. Explain the trade-off and let the operational teams do their work.
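An added example, not part of the thread, of the kind of deployment-level decision the reply argues for: an origin policy that refuses replayable requests a TLS terminator forwarded as 0-RTT early data. The signalling is the real mechanism from RFC 8470 (`Early-Data: 1` request header, 425 Too Early status); the `EarlyDataPolicy` class, its fields and the sample requests are constructed here.

```python
"""Per-deployment gate for TLS 1.3 0-RTT requests (added example).

RFC 8470: a TLS terminator that accepts early data marks forwarded
requests with `Early-Data: 1`; an origin that will not risk a replay
answers 425 Too Early and the client retries after the handshake.
EarlyDataPolicy and the sample requests below are constructed, not
taken from any ROLIE implementation.
"""
from dataclasses import dataclass, field

# Methods RFC 7231 defines as safe (no server state change). A replayed
# safe request does nothing new, so most deployments can accept them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class EarlyDataPolicy:
    """Operator-chosen policy for requests that arrived in early data.

    allow_early_data=False is the strict stance from the quoted mail:
    every early-data request is deferred until the full handshake.
    replay_safe_paths lets an operator opt specific idempotent resources
    in even for non-safe methods (e.g. a PUT that is a true overwrite).
    """
    allow_early_data: bool = True
    replay_safe_paths: frozenset = field(default_factory=frozenset)

    def decide(self, method: str, path: str, headers: dict) -> int:
        """Return 425 to refuse before reading the body, or 0 to proceed."""
        # Header names are case-insensitive; "1" is the only defined value.
        early = any(k.lower() == "early-data" and v.strip() == "1"
                    for k, v in headers.items())
        if not early:
            return 0          # post-handshake request: no replay exposure
        if not self.allow_early_data:
            return 425        # deployment refuses all 0-RTT traffic
        if method.upper() in SAFE_METHODS or path in self.replay_safe_paths:
            return 0
        return 425            # a replay could duplicate a state change


if __name__ == "__main__":
    requests = [("GET", "/feed", {"Early-Data": "1"}),
                ("POST", "/entries", {"Early-Data": "1"}),
                ("POST", "/entries", {})]          # constructed samples
    strict = EarlyDataPolicy(allow_early_data=False)
    lenient = EarlyDataPolicy()
    for method, path, headers in requests:
        print(method, path, "strict:", strict.decide(method, path, headers),
              "lenient:", lenient.decide(method, path, headers))
```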