There was a talk at last year's Congress about the details of TLS 1.3 and many questions were asked at the end about 0-RTT. Was interesting to hear the cryptographer's, who work on the spec, opinions about that and things like why SNI is not encrypted by default.