For TLS on the Web it would be ideal if we can find a single[1] hybrid
which we can all be happy with because that will make keyshare negotiation
easier.
To wit, BoringSSL, when SSL_OP_CIPHER_SERVER_PREFERENCE is set, will pick
the group based on the supported_groups that the client sends.
Thus,
On Tue, Aug 30, 2022 at 02:11:57PM +0200, Bas Westerbaan wrote:
> For TLS on the Web it would be ideal if we can find a single[1] hybrid
> which we can all be happy with because that will make keyshare
> negotiation easier.
I don't suppose that will happen, as:
- Some folks want something with P3
