>> Without the Negotiated Groups extension,
>>
>> Case 1: if the server accepts the Groups in ClientHello.keyshare, it just
>> uses one of the Groups for DH, and CertificateVerify for both sides.
>>
>> Case 2: else it responds with a HelloRetryRequest message, which takes *all
>> Groups* that the server supports. Client picks one and continues.
> No. In case 2, the client indicates the groups it supports and the server
> tells it which group to use.

So, could the HelloRetryRequest be changed to indicate *all Groups*? If so, could the Negotiated Groups extension be removed?
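
The two cases discussed in this thread, as an added example that is not part of the original message or of any TLS implementation. It assumes the rules as published in RFC 8446 for the `supported_groups` and `key_share` extensions rather than the draft under discussion; the class and function names are hypothetical and the group lists are constructed.

```python
from dataclasses import dataclass

@dataclass
class ClientHello:  # hypothetical model, only the fields relevant here
    supported_groups: list  # every group the client can use, by preference
    key_shares: dict        # group name -> public share actually sent

def server_select(hello, server_groups):
    """Return (message, value) for the server's response to a ClientHello."""
    # A share for a group the client did not advertise is a protocol violation.
    if any(g not in hello.supported_groups for g in hello.key_shares):
        return ("alert", "illegal_parameter")
    # Mutually supported groups, in server preference order.
    common = [g for g in server_groups if g in hello.supported_groups]
    if not common:
        return ("alert", "handshake_failure")
    # Case 1: a share was already sent for an acceptable group.
    # (Policy choice in this example: take it rather than force a retry.)
    for g in common:
        if g in hello.key_shares:
            return ("ServerHello", g)
    # Case 2: no usable share; the server names exactly one group to retry with.
    return ("HelloRetryRequest", common[0])

def client_accepts_hrr(hello, selected_group):
    """Client-side check on the group named in a HelloRetryRequest.

    The group must be one the client advertised, and must not be one it
    already sent a share for; otherwise the client aborts the handshake.
    """
    return (selected_group in hello.supported_groups
            and selected_group not in hello.key_shares)

if __name__ == "__main__":
    # Constructed sample: client advertises two groups, sends one share.
    ch = ClientHello(["x25519", "secp256r1"], {"x25519": b"\x00" * 32})
    print(server_select(ch, ["secp256r1", "x25519"]))  # case 1
    print(server_select(ch, ["secp256r1"]))            # case 2
    print(client_accepts_hrr(ch, "secp256r1"))
```

The client-side check is what keeps a tampered or buggy HelloRetryRequest from steering the client to a group it never offered.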