On Tue, Oct 25, 2022, at 13:57, Stephen Farrell wrote:
> Is there any public info as to how often HRR happens?
> (Sorry if that's well known, but it's not well known to
> me:-)
>
> Were that rare enough, I'd hope it'd be a thing where we
> could reach consensus for deprecation. If it's not yet
> sufficiently rare, it might be worth considering if we
> could change something to make HRR less likely.

I don't think that it is that simple. Right now, we're at an equilibrium point, where most clients and servers have moved toward a common set of algorithms for key exchange. In future, I expect that we'll see increased use of HRR as we move to new equilibria. One of these is likely coming with a move to a PQ KEM.

Removing HRR might be possible if we look at putting more stuff in DNS or something along those lines, but that would require a bunch of care and preparation. That's effort that - at least to me - might be better spent elsewhere.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls