2024-06-03 12:07 GMT+02:00 Martin Thomson <m...@lowentropy.net>:
> Some numbers from our telemetry.  This is purely connection-volume-based (so 
> sites with lots of connections will be over-represented), but overall fairly 
> stable.
> 
> Key exchange:
>   ECDHE 99.21%, RSA 0.76%, ECDHE+KYBER: 0.03%
> ECDHE curve: X25519 84.50%, P-256 14.03%, P-384 0.93%, P-521 0.53%
> RSA size: 1024 0.25% (!), 2048 98.45%, 3072 0.26%, 4096 1.03%

Thank you for sharing those! Could you filter down to TLS 1.3 only (since we 
are not going to add hybrids to TLS 1.2 anyway)? I assume that after filtering 
to TLS 1.3, any non-X25519 connections are Hello Retry Requests, since you only 
send an X25519 key share?

I think the relevant question to selecting an ECC hybrid is "how many of the 
X25519 connections would have supported P-256, and vice-versa?" If you are 
sending an X25519 key share and getting an HRR to P-256, I guess the 
would-also-support-X25519 number is zero. The would-also-support-P256 number is 
harder to get: either you sample a small percentage of connections and send a 
P-256 key share, or we rely on internet scan data like Censys's.
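To make the measurement question above concrete, here is an added example (not code from the thread or from anyone's telemetry pipeline). It builds a constructed TLS 1.3 ClientHello, parses back the supported_versions, supported_groups and key_share extensions (field layouts and NamedGroup code points as in RFC 8446), and then tallies a constructed set of connection records, filtered to TLS 1.3, into per-curve percentages plus the count that arrived via HelloRetryRequest. The record schema (`version`, `group`, `hrr`) is an assumption for illustration, as is the dummy key-exchange material.

```python
import struct
from collections import Counter

# IANA NamedGroup code points and extension numbers (real values, RFC 8446)
NAMED_GROUPS = {0x001D: "X25519", 0x0017: "P-256", 0x0018: "P-384", 0x0019: "P-521"}
EXT_SUPPORTED_GROUPS = 10
EXT_SUPPORTED_VERSIONS = 43
EXT_KEY_SHARE = 51
TLS13 = 0x0304


def build_client_hello(groups, key_share_groups):
    """Construct a minimal TLS 1.3 ClientHello (constructed sample; random and shares are dummy)."""
    exts = b""
    versions = struct.pack("!H", TLS13)  # supported_versions: 1-byte length + 2-byte versions
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions) + 1) + bytes([len(versions)]) + versions
    glist = b"".join(struct.pack("!H", g) for g in groups)  # supported_groups: 2-byte length + groups
    exts += struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(glist) + 2) + struct.pack("!H", len(glist)) + glist
    shares = b""  # key_share: 2-byte length + entries of (group, 2-byte length, key_exchange)
    for g in key_share_groups:
        ke = b"\x00" * 32  # dummy key exchange material, not a real public key
        shares += struct.pack("!HH", g, len(ke)) + ke
    exts += struct.pack("!HH", EXT_KEY_SHARE, len(shares) + 2) + struct.pack("!H", len(shares)) + shares
    body = struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"  # legacy_version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256 only
    body += b"\x01\x00"  # compression_methods: null
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello + 3-byte length


def parse_client_hello(data):
    """Return (versions, supported_groups, key_share_groups) from a ClientHello handshake message."""
    if not data or data[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(data[1:4], "big")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32  # skip legacy_version and random
    pos += 1 + body[pos]  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun body")
    versions, groups, shares = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]
            versions = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", edata[:2])[0]
            groups = [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            n = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p < 2 + n:
                g, klen = struct.unpack("!HH", edata[p:p + 4])
                p += 4 + klen
                shares.append(g)
    return versions, groups, shares


def groups_needing_hrr(groups, shares):
    """Groups the client advertises but sends no share for: picking one costs an HRR round trip."""
    return [g for g in groups if g not in shares]


def tally_tls13(records):
    """Per-curve share of TLS 1.3 connections and how many of each came via HelloRetryRequest.
    Record schema (assumed): {"version": int, "group": NamedGroup int, "hrr": bool}."""
    tls13 = [r for r in records if r["version"] == TLS13]
    name = lambda r: NAMED_GROUPS.get(r["group"], hex(r["group"]))
    by_group = Counter(name(r) for r in tls13)
    hrr_by_group = Counter(name(r) for r in tls13 if r["hrr"])
    total = len(tls13)
    return {g: (round(100.0 * c / total, 2), hrr_by_group[g]) for g, c in by_group.items()}


# Constructed telemetry: five TLS 1.3 connections and one TLS 1.2 that must be filtered out.
SAMPLE_RECORDS = (
    [{"version": TLS13, "group": 0x001D, "hrr": False}] * 4
    + [{"version": TLS13, "group": 0x0017, "hrr": True}]
    + [{"version": 0x0303, "group": 0x0017, "hrr": False}]
)

if __name__ == "__main__":
    hello = build_client_hello([0x001D, 0x0017], [0x001D])
    v, g, s = parse_client_hello(hello)
    print("versions", [hex(x) for x in v], "groups", [NAMED_GROUPS[x] for x in g],
          "shares", [NAMED_GROUPS[x] for x in s], "HRR needed for", [NAMED_GROUPS[x] for x in groups_needing_hrr(g, s)])
    print(tally_tls13(SAMPLE_RECORDS))
```

The parser shows why the "would also support P-256" number is the hard one: a client that only sends an X25519 share still lists P-256 in supported_groups, so a server that lacks X25519 answers with an HRR naming P-256, which the tally counts; a server that does support X25519 never reveals whether it also has P-256 unless a sampled ClientHello sends a P-256 share instead, exactly the sampling the message above proposes.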
_______________________________________________
TLS mailing list -- tls@ietf.org