On Tue, Dec 27, 2016 at 7:06 PM, David Benjamin
wrote:
> On Tue, Dec 27, 2016 at 4:44 PM Joseph Birr-Pixton
> wrote:
>
> Hi folks,
>
> It appears to me that HRR is a pretty large and tricky source of
> complexity in TLS1.3. Judging by the implementations page, 40% don't
> support it right now. I
HRR is a pretty simple message to implemement. Including it into a ServerHello
would complexify the protocol without much gain imo.
I also think that forcing a client to use one of the curve is not a good idea
either. Who is going to agree on what curve it should be here :) ?
Probably browser
On Tue, Dec 27, 2016 at 4:44 PM Joseph Birr-Pixton
wrote:
Hi folks,
It appears to me that HRR is a pretty large and tricky source of
complexity in TLS1.3. Judging by the implementations page, 40% don't
support it right now. It's *precisely the kind of thing* that vendors
could easily ship broken
On Tue, Dec 27, 2016 at 2:27 PM, Xiaoyin Liu wrote:
> Hi Joe,
>
>
>
> My understanding is that we can't get rid of HRR unless we require clients
> to send a key_share for every key exchange group in the supported_groups
> extension. This would be a quite large overhead if the client wants to
> su
Hi Joe,
My understanding is that we can't get rid of HRR unless we require clients to
send a key_share for every key exchange group in the supported_groups
extension. This would be a quite large overhead if the client wants to support
lots of groups.
Also HRR allows servers to request clie
Hi folks,
It appears to me that HRR is a pretty large and tricky source of
complexity in TLS1.3. Judging by the implementations page, 40% don't
support it right now. It's *precisely the kind of thing* that vendors
could easily ship broken/missing support for, and they'd get away with
it for years