On Thu, Jun 6, 2024, at 23:21, Nick Harper wrote:
> On Wed, Jun 5, 2024 at 6:25 AM Peter Gutmann <pgut...@cs.auckland.ac.nz>
> wrote:
>> There are embedded TLS 1.3 implementations [*] that, presumably for space/
>> complexity reasons and possibly also for attack surface reduction, only
>> support the MTI algorithms (AES, SHA-2, P256) and don't do HRR.
>
> Those implementations are not compliant with RFC 8446.

Yes. You might reasonably rely on the MTI algorithm being supported, but you cannot rely on the ClientHello containing a key share for that algorithm. Put differently, you might be able to get away with not implementing HRR if you only talk to a known set of peers who always send you key shares that you understand. That's not the same as interoperably implementing TLS 1.3.
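
The case discussed above, as an added example that is not part of the original messages: Python that reads the supported_groups and key_share extensions of a ClientHello and reports what a server limited to a given set of groups has to send next. The function names are hypothetical, only the extensions block is parsed (not a full ClientHello), and the sample input is constructed with placeholder key bytes.

```python
import struct
SECP256R1, X25519 = 0x0017, 0x001D        # NamedGroup code points, RFC 8446
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51

def _vec(buf):
    """Strip a uint16 length prefix and check it matches the data present."""
    (n,) = struct.unpack_from("!H", buf, 0)
    if n != len(buf) - 2:
        raise ValueError("length prefix does not match data")
    return buf[2:]

def parse_extensions(block):
    """Split a ClientHello extensions block into {type: body}."""
    data, exts, pos = _vec(block), {}, 0
    while pos < len(data):
        etype, elen = struct.unpack_from("!HH", data, pos)
        if pos + 4 + elen > len(data):
            raise ValueError("truncated extension")
        exts[etype] = data[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def key_share_groups(body):
    """Groups for which the client actually sent a KeyShareEntry."""
    data, groups, pos = _vec(body), [], 0
    while pos < len(data):
        group, klen = struct.unpack_from("!HH", data, pos)
        if pos + 4 + klen > len(data):
            raise ValueError("truncated key share")
        groups.append(group)
        pos += 4 + klen
    return groups

def server_action(block, server_groups):
    """What a server supporting only server_groups has to send next."""
    exts = parse_extensions(block)
    supported = [g for (g,) in struct.iter_unpack("!H", _vec(exts[EXT_SUPPORTED_GROUPS]))]
    if set(key_share_groups(exts[EXT_KEY_SHARE])) & set(server_groups):
        return "server_hello"
    if set(supported) & set(server_groups):
        return "hello_retry_request"   # group is supported, but no share was sent
    return "handshake_failure"         # no group in common: abort

def build_block(supported, shares):        # constructed sample input
    ext = lambda t, b: struct.pack("!HH", t, len(b)) + b
    vec = lambda b: struct.pack("!H", len(b)) + b
    sg = vec(b"".join(struct.pack("!H", g) for g in supported))
    ks = vec(b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares))
    return vec(ext(EXT_SUPPORTED_GROUPS, sg) + ext(EXT_KEY_SHARE, ks))
```

A client that lists both groups but sends only an X25519 share, e.g. `build_block([X25519, SECP256R1], [(X25519, bytes(32))])`, yields `hello_retry_request` for a P-256-only server; a server without HRR has no compliant way to complete that handshake.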