Hi All,

Without the Negotiated Groups extension,

Case 1: if the server accepts the Groups in ClientHello.keyshare, it just uses one of the Groups for DH, and CertificateVerify for both sides.

Case 2: else it responds with a HelloRetryRequest message, which takes *all Groups* that the server supports. The client picks one and continues.

I think Case 1 always happens in the real world, and the Negotiated Groups extension is then useless. So removing it will simplify the protocol and save some bytes, without bringing any disadvantage.

Am I missing anything? Does this extension exist for compatibility with elliptic_curves?

Wu