On Wed, Jan 18, 2017 at 8:15 PM Martin Thomson <martin.thom...@gmail.com> wrote:
> On 19 January 2017 at 14:04, Kazu Yamamoto <k...@iij.ad.jp> wrote:
> > Should we also add grease values for key_share?
>
> supported_groups code points should cover that, but if you are asking
> if we should spend bytes on sending shares for bogus groups, that's a
> question I don't have an opinion on. I guess that you *could*, but
> whether the document should recommend it ....

That's what we do in Chrome/BoringSSL. We send one fake NamedGroup at the front of supported_groups and then put it in key_shares with a one-byte fake KeyShareEntry. It costs five bytes total and, having already caught a bug with it, seems valuable. It ensures that servers are capable of skipping over an unknown KeyShareEntry and don't just go for the first one.

But, document-wise, I was expecting to just use MAY for everything rather than expressing much opinion.

(Front is because presumably if we add a new NamedGroup, it'd be because we like it more than our current ones rather than less! So it's more important that that edge continue working.)

David
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
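Added example, not part of the original message and not BoringSSL's code: a server-side KeyShareClientHello parser that steps over an unknown (GREASE) KeyShareEntry by its length prefix instead of assuming the first entry is usable. The function names, the server's group table and the sample bytes are constructed for illustration, and choosing the first supported share in client order is a simplification.

```python
import struct

X25519 = 0x001D         # NamedGroup code point for x25519
GREASE_GROUP = 0x0A0A   # one of the reserved GREASE values (0x0A0A .. 0xFAFA)
# Hypothetical server configuration: group -> expected key_exchange length
SERVER_SUPPORTED = {X25519: 32, 0x0017: 65}   # x25519, secp256r1


def parse_client_shares(body: bytes):
    """Parse KeyShareClientHello into [(group, key_exchange), ...]."""
    if len(body) < 2:
        raise ValueError("truncated key_share extension")
    (total,) = struct.unpack_from("!H", body, 0)
    if total != len(body) - 2:
        raise ValueError("client_shares length mismatch")
    shares, off = [], 2
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", body, off)
        off += 4
        if klen == 0 or klen > len(body) - off:
            raise ValueError("bad key_exchange length")
        shares.append((group, body[off:off + klen]))
        off += klen
    return shares


def select_share(body: bytes):
    """Return the first share for a supported group, or None (-> HelloRetryRequest)."""
    for group, key in parse_client_shares(body):
        expected = SERVER_SUPPORTED.get(group)
        if expected is None:
            continue    # unknown code point (GREASE or a future group): skip it
        if len(key) != expected:
            raise ValueError("wrong share length for known group")
        return group, key
    return None


def build_client_shares(entries):
    """Encode [(group, key_exchange), ...] as a KeyShareClientHello body."""
    out = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(out)) + out


# Constructed sample: one-byte GREASE share at the front, then an x25519 share
SAMPLE = build_client_shares([(GREASE_GROUP, b"\x00"), (X25519, bytes(range(32)))])
```

A server that rejected the handshake or tried to use the first entry here would fail on `SAMPLE`; a tolerant one returns the x25519 share.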