To be clear, I'm in favor of introducing server-side NamedGroups in 1.3. I've no interest in making this change in any earlier protocol versions.

Cheers,
Andrei

________________________________
From: Eric Rescorla
Sent: 10/22/2015 10:40 AM
To: m...@sap.com
Cc: Andrei Popov; tls@ietf.org
Subject: Re: [TLS] Allow NamedGroups from the server?

On Thu, Oct 22, 2015 at 10:36 AM, Martin Rex <m...@sap.com> wrote:

Andrei Popov wrote:
>
> Then my argument would be: why send extra bytes in each ServerHello
> when TLS client auth is not used most of the time? In this case,
> CertificateRequest seems to be a better place.

I'm perfectly OK with the server _not_ sending/including a TLS extension "Supported Elliptic Curves" in ServerHello if the server is not going to request a client certificate.

This is first of all about a fully backwards-compatible change of the protocol, which does not need to be separately negotiated, and which is optional to use (for the server).

It's not clear that it's in fact backwards compatible, since this is an undefined area in the spec. As I mentioned earlier, I wasn't sure how NSS behaved here and so before we even considered this [and I would still have to test to be totally sure] and we would need to take some sort of measurement from servers to determine that this does not cause bustage.

By including the information in "CertificateRequest", it will be necessary to change the CertificateRequest PDU, and that will require a new negotiation of such a changed PDU for existing TLS protocol versions (TLSv1.0/1.1/1.2).

We are already changing CertificateRequest in TLS 1.3 and we could (and probably should do nothing for previous versions of TLS).

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls