On Tue, Oct 25, 2022 at 02:57:47PM +1100, Martin Thomson wrote:
> 
> Removing HRR might be possible if we look at putting more stuff in 
> DNS or something along those lines, but that would require a bunch
> of care and preparation.  That's effort that - at least to me -
> might be better spent elsewhere.

Idea: SVCB/HTTP key preferredgroups. Value is one or more group ids
encoded as 2 octet big endian and concatenated, in order from most
preferred to least preferred.

When connecting, the client should scan the list for first group it
supports and send a share for that (send no share if no overlap?).
Supported_groups still contains full supported group list.

... The problem with this is that in some servers, key share affects
group selection. This could lead into downgrade attacks with such
servers. On the other hand, most clients today send x25519 key share
by default, which seems to be the weakest supported group in TLS 1.3.



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to