On Tue, Oct 25, 2022 at 02:57:47PM +1100, Martin Thomson wrote:
>
> Removing HRR might be possible if we look at putting more stuff in
> DNS or something along those lines, but that would require a bunch
> of care and preparation. That's effort that - at least to me -
> might be better spent elsewhere.

Idea: SVCB/HTTP key preferredgroups. Value is one or more group ids
encoded as 2 octet big endian and concatenated, in order from most
preferred to least preferred.

When connecting, the client should scan the list for the first group it
supports and send a share for that (send no share if no overlap?).
Supported_groups still contains full supported group list.

...

The problem with this is that in some servers, key share affects
group selection. This could lead to downgrade attacks with such
servers. On the other hand, most clients today send x25519 key share
by default, which seems to be the weakest supported group in TLS 1.3.


-Ilari
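
The client-side handling proposed in the message above, sketched as an added example (not code from the message or from any TLS stack). `preferredgroups` is only the key proposed in this thread, not a registered SvcParamKey; the function names and the `steered` flag are hypothetical, and the record bytes are constructed sample input.

```python
import struct

# IANA "TLS Supported Groups" codepoints.
SECP256R1, SECP384R1, X25519, X448 = 0x0017, 0x0018, 0x001D, 0x001E


def parse_preferredgroups(value: bytes) -> list[int]:
    """Decode the proposed value: concatenated 2-octet big-endian group ids,
    most preferred first. 'One or more' ids means empty is malformed."""
    if len(value) == 0 or len(value) % 2 != 0:
        raise ValueError("preferredgroups must be a non-empty multiple of 2 octets")
    return [group for (group,) in struct.iter_unpack("!H", value)]


def choose_key_share(value: bytes, client_supported: list[int]):
    """Return (share_group, supported_groups, steered).

    share_group: first server-preferred group the client supports, or None
                 when there is no overlap (the "send no share" option the
                 message raises; the server would then answer with HRR).
    supported_groups: always the client's full list, unchanged by the hint.
    steered: True when the DNS hint picked a group other than the client's
             own first preference. Worth logging, since the message notes
             that on some servers the key share affects group selection.
    """
    server_preference = parse_preferredgroups(value)
    share = next((g for g in server_preference if g in client_supported), None)
    steered = share is not None and share != client_supported[0]
    return share, list(client_supported), steered


# Constructed sample record value: server prefers secp384r1, then x25519.
SAMPLE_VALUE = bytes.fromhex("0018001d")

if __name__ == "__main__":
    client = [X25519, SECP256R1, SECP384R1]  # client's own preference order
    share, groups, steered = choose_key_share(SAMPLE_VALUE, client)
    print(f"key_share group: {share:#06x}, steered by DNS hint: {steered}")
    print("supported_groups:", [f"{g:#06x}" for g in groups])
```
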