* Viktor Dukhovni:

> In that case, it should be said that a client MUST NOT advertise
> TLS 1.3 unless it offers at least one of the TLS 1.3 MTI ciphers
> (or perhaps less restrictive at least one TLS 1.3 compatible cipher).

Or the server should negotiate TLS 1.2 instead.

Servers should already do something similar today: For an
extension-less TLS 1.2 handshake, they should negotiate TLS 1.1
instead, to get a stronger PRF.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
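
The fallback suggested in the reply above, as an added example that is not part of the original message: a server-side selection routine that negotiates TLS 1.2 when a ClientHello advertises TLS 1.3 but offers no TLS 1.3 cipher suite. The server suite list, the function names and the `fall_back` switch are assumptions made for illustration.

```python
# Added illustration; the server policy and all names here are assumptions.
TLS12, TLS13 = 0x0303, 0x0304

# TLS 1.3 cipher suite code points (RFC 8446, Appendix B.4).
TLS13_SUITES = {0x1301, 0x1302, 0x1303, 0x1304, 0x1305}

# Hypothetical server configuration, in preference order.
SERVER_SUITES = [
    0x1301,  # TLS_AES_128_GCM_SHA256 (TLS 1.3 mandatory to implement)
    0x1302,  # TLS_AES_256_GCM_SHA384
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
    0xC030,  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2)
]
SERVER_VERSIONS = [TLS13, TLS12]  # highest first


def usable_suites(version, client_suites):
    """Server-preferred suites the client offered that are valid for `version`."""
    offered = set(client_suites)
    # A TLS 1.3 suite is only usable in TLS 1.3, and older suites only below it.
    return [s for s in SERVER_SUITES
            if s in offered and ((s in TLS13_SUITES) == (version == TLS13))]


def negotiate(client_versions, client_suites, fall_back=True):
    """Return (version, suite), or None for a handshake failure.

    fall_back=True: when the highest shared version has no usable suite,
    try the next lower shared version. fall_back=False: fail immediately.
    """
    for version in SERVER_VERSIONS:
        if version not in client_versions:
            continue
        suites = usable_suites(version, client_suites)
        if suites:
            return version, suites[0]
        if not fall_back:
            return None
    return None


if __name__ == "__main__":
    # Constructed ClientHello: advertises TLS 1.3 but offers only TLS 1.2 suites.
    print(negotiate([TLS13, TLS12], [0xC02F, 0xC030]))
```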
