On Mon, Mar 23, 2020, at 03:54, Christopher Wood wrote: > I propose we remove this requirement and add an explicit signal in SH > that says whether or not ECHO was negotiated.
Here's a spitball signaling option that might not stick out: Client sends (in the ECHO) a random value, N, with 32(?) < |N| << 128. And N != either of the values we reserve for signaling downgrade. Server sends that value in the ServerHello.random, in the same place we signal downgrade. If the client sees that value, then it proceeds with the trial encryption with an expectation that it will work. > (This will require us to revisit GREASE.) I'm not following how this relates, sorry. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls