On Thu, Apr 30, 2026 at 11:10:57AM +0200, Bas Westerbaan wrote:
> 2. Do we need to say anything about HRR? Should a server HRR when the
> client sends a non-PQ share, but it and the server do support a PQ share?
I think that is most likely an implementation decision. Support for HRR to
switch to a different (stronger) supported keyshare would be rather
implementation-dependent.

FWIW, as of OpenSSL 3.5 the default is in fact HRR if a client's
supported groups include an element from a higher-ranked subset
(equivalence class) of the mutually supported groups than any of the
predicted keyshares.

The same approach is now also implemented in the most recent version of
Haskell's TLS library. So there's some precedent for HRR as a means to
upgrade to a "sufficiently stronger" supported group.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
TLS mailing list -- [email protected]
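
Added example (not part of the message above, and not OpenSSL or Haskell tls code): a simplified Python model of the rule described there, in which the server answers with HRR when the client's supported groups reach a higher-ranked equivalence class of mutually supported groups than any key share it sent. The class ranking, the tie-break by server order within a class, and all function and type names are assumptions made for illustration.

```python
from typing import NamedTuple, Optional, Sequence

# Constructed server policy: classes ranked strongest first; groups inside
# one class are treated as equivalent in strength (assumed ranking).
SERVER_CLASSES = [
    ("X25519MLKEM768", "SecP256r1MLKEM768"),   # PQ/T hybrid groups
    ("X25519", "secp256r1", "secp384r1"),      # classical ECDH groups
]

class Decision(NamedTuple):
    action: str            # "accept", "hrr" or "fail"
    group: Optional[str]   # group used, or group requested in the HRR

def select_group(server_classes: Sequence[Sequence[str]],
                 client_supported: Sequence[str],
                 client_key_shares: Sequence[str]) -> Decision:
    supported = set(client_supported)
    # RFC 8446 forbids key shares for groups absent from supported_groups;
    # this model simply ignores such shares.
    shares = set(client_key_shares) & supported
    for cls in server_classes:                 # highest-ranked class first
        mutual = [g for g in cls if g in supported]
        if not mutual:
            continue                           # nothing mutual at this rank
        with_share = [g for g in mutual if g in shares]
        if with_share:
            # A share already exists in the best mutual class: no HRR,
            # even if the server would order another group in it first.
            return Decision("accept", with_share[0])
        # The best mutual class has no predicted share: request one.
        return Decision("hrr", mutual[0])
    return Decision("fail", None)              # no mutually supported group

def scenarios() -> dict:
    """Constructed ClientHello inputs: (supported_groups, key_share groups)."""
    cases = {
        "pq_supported_classical_share": (["X25519MLKEM768", "X25519"], ["X25519"]),
        "pq_share_sent": (["X25519MLKEM768", "X25519"], ["X25519MLKEM768", "X25519"]),
        "same_class_other_share": (["X25519", "secp256r1"], ["secp256r1"]),
        "no_overlap": (["ffdhe2048"], ["ffdhe2048"]),
    }
    return {name: select_group(SERVER_CLASSES, sup, ks)
            for name, (sup, ks) in cases.items()}

if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name}: {decision.action} {decision.group}")
```

The first scenario is the case raised in the quoted question: a classical share was sent, both sides support a PQ group, and the model requests the PQ share via HRR.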