Hacker News new | ask | show | jobs
by pas 3011 days ago
Is there any way to do a 0RTT request for a completely new connection/session?

I mean, if I want to get weather data from let's say NOAA, so a simple GET / HTTP/2, why would I want to send any PSK? Let the server send the response and the Server Cert and the client can decide whether to trust the reply or not.

CloudFlare only "allows" 0RTT for GETs, for example. Is that different, or they also need the PSK?
1 comments
tialaramex 3011 days ago
0-RTT is defined with a PSK (pre-shared key). There are two ways you might have a PSK. The only one that would come up in a web browser as they're constructed today is a "resumption" PSK, agreed between the two parties during a previous connection.

For the Internet of Things it's also envisioned that some devices might know a PSK at the outset to use TLS rather than some custom protocol to secure their traffic. Maybe your lightbulb controller knows a PSK for the lightbulbs baked in at the factory. But it's not expected that web browsers will care about this case.

link
pas 3011 days ago
I'm pretty happy with the strong confidentiality guarantees offered by TLS 1.3, and a finished standard is better than more draft and committee turns, but I think the simple use case of securely accessing "public" information with 0-RTT seems to be left out.

Or simply serving static content faster would have been a nice few percentage efficiency gain.

link