> Nor have I, and I rather think that introducing fixed-(EC)DH ciphers into TLS
> was a mistake, and glad to see them gone in TLS 1.3.

I agree with the sentiment, but there is a concerted effort to bring fixed (EC)DH to TLS 1.3:
https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf

It seems that a client that is not willing to participate has to actively look for and reject server certs with "VisibilityInformation" in them. Except this won't always help, because "In some essential circumstances, the visibility information field may be omitted."

Cheers,
Andrei