[Fando]

I wonder how they managed the zero RTT connections? How would that ever work?

[magicalist]

You might be interested in https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblH... ("Client handshake" section).

The key is "Conceptually, all handshakes in QUIC are 0-RTT, it’s just that some of them fail and need to be retried" (at least the first time you contact the server a 1-roundtrip handshake is required).

[api]

Crypto? You can know who your peer is with a single packet if you've already exchanged keys, and other cleverness is also possible.

[ndesaulniers]

At the cost of perfect forward secrecy, since then you're no longer using ephemeral keys?

[_urga]

QUIC has a mechanism to upgrade to ephemeral keys once the connection has started.

[ndesaulniers]

As will TLS 1.3, starting from page 3: http://www.ietf.org/proceedings/92/slides/slides-92-tls-3.pd...