Pasi.Eronen@xxxxxxxxx a écrit :
I disagree. Anybody can connect to your server at any time and doing uncompleted double handshake. It is not a rare situation.Do you have any data to back that claim?
No, unfortunately.
But the "anybody" that can connect at any time will be able to establish several "double handshake" in parallel; especially when TLS is used over EAP or UDP (I don't have data but maybe Eric).The fact that anybody can connect at any time does not automatically imply that lots of peopleare connecting all the time! (And in particular, lots of people without client certificates connecting all the time to servers that always require clientauthentication, and without malicious intent to DoS the server.)
My point is that double handshake will increase complexity and will not help in reducing TLS server overload factor, especially when legitimate clients that don't have certificates are trying to connect. Their number is not actually important.
(at least sufficiently to spend the $$$ for designing, implementing, testing, deploying, etc. a new mechanism).How much :). The proposed changes are minimal.To get widespread deployment, several TLS implementations would have to be updated, e.g. Microsoft Schannel, OpenSSL, Mozilla NSS, JSSE, GnuTLS, etc. Getting any change, no matter how "minimal", to them is not easy.
I don't see the point here. Any TLS feature will require updating TLS implementations.
Best regards, Pasi
Best regards, Badra _______________________________________________ TLS mailing list TLS@xxxxxxxxxxxxxx https://www1.ietf.org/mailman/listinfo/tls