Please feel free to ask any questions you have here, or by emailing tls13 at cloudflare.
The slide deck is at https://speakerdeck.com/filosottile/tls-1-dot-3-at-33c3 (but it's not really made for standalone consumption).
Let's say I run a static website and I'm 100% sure unauthenticated GET won't break anything, is there anything special I need to do or is it going to be "enable this flag"?
Another question: Can I set 0-RTT per vhost (sni) or do I need dedicated 0-RTT IPs?
The following two questions are of course implementation-specific, but there is nothing in the protocol blocking a "just do 0-RTT" flag or vhost configs.
What prevents a Sufficiently Incompetent Implementer from manually ignoring all known GREASE values, while still doing something crazy otherwise?
The implementer that tries to special-case GREASE values must have first hit an interop problem and thus had a second or third opportunity to think about it. I would hope, at that point, they realize they're meant to ignore unknown ones!
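The GREASE exchange above, as an added example that is not part of the thread or of any TLS library: a server that special-cases the RFC 8701 GREASE values still breaks on the first real new codepoint, while one that ignores everything it does not recognise keeps working. The supported-suite list, the function names and the `0x1399` codepoint are assumptions made for illustration.

```python
import struct

# TLS 1.3 suites (RFC 8446) this hypothetical server supports, in preference order.
SUPPORTED = [0x1301, 0x1303, 0x1302]

# The 16 reserved GREASE codepoints from RFC 8701: 0x0A0A, 0x1A1A, ..., 0xFAFA.
GREASE = {0x0A0A + n * 0x1010 for n in range(16)}


def encode(suites):
    """Build a cipher_suites vector: 2-byte length, then 2-byte codepoints."""
    return struct.pack("!H", 2 * len(suites)) + struct.pack(f"!{len(suites)}H", *suites)


def parse_suites(vector):
    """Parse a cipher_suites vector, rejecting only structural errors."""
    if len(vector) < 2:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", vector, 0)
    body = vector[2:]
    if n == 0 or n % 2 or n != len(body):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack(f"!{n // 2}H", body))


def select_tolerant(offered):
    """Intended behaviour: any codepoint we do not recognise is simply ignored."""
    offered = set(offered)
    return next((s for s in SUPPORTED if s in offered), None)


def select_brittle(offered):
    """Anti-pattern from the question: skip known GREASE, reject other unknowns."""
    for s in offered:
        if s in GREASE:
            continue
        if s not in SUPPORTED:
            raise ValueError(f"unknown cipher suite 0x{s:04x}")
    return select_tolerant(offered)


# Constructed sample offers (not captured traffic).
TODAY = encode([0x3A3A, 0x1301, 0x1302])   # GREASE value plus known suites
FUTURE = encode([0x3A3A, 0x1399, 0x1301])  # 0x1399 stands in for a future suite

if __name__ == "__main__":
    for name, offer in (("today", TODAY), ("future", FUTURE)):
        print(name, hex(select_tolerant(parse_suites(offer))))
```

Both servers negotiate `0x1301` for the first offer; only the tolerant one survives the second, which is the interop failure GREASE is meant to surface before a real extension ships.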
I'm not sure who was the first to propose 0-RTT like this, but it appears that both MinimaLT and QUIC did at about the same time.
TLS 1.3 does nothing to improve TCP deficiencies, but there are alternatives that do, including QUIC. What I can't quite tell is how the two combine, if at all. Does a QUIC connection mean that TLS 1.3 doesn't apply/is redundant?