On Tue, Oct 25, 2022 at 6:30 AM Rob Sayre <say...@gmail.com> wrote: > I don't think anyone actually uses it, >
1% of Cloudflare's TLS 1.3 handshakes today used an HRR. I hope a de facto PQ kex will emerge — the old strategy of just sending multiple keyshares is more expensive with large PQ public keys (~1kB). We probably will need to complicate how the server picks the keyshare [1] By the way, forcing an HRR by not sending any keyshares might be a useful workaround if it turns out large initial ClientHello's are problematic for, say, QUIC load balancers. For those reasons I think it's a bit early to consider retiring HRR. Best, Bas [1] https://mailarchive.ietf.org/arch/msg/tls/pmJMSyf1-PGlLwcgF_jtEYKxQ-g/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
