On Tue, Aug 16, 2016 at 10:44:47AM +0000, Peter Gutmann wrote:

> As far as I can see what this text is saying is that if the client can't guess
> in advance which PFS suite/group the server knows about, the server must
> disable use of PFS. In other words instead of saying "give me a PFS suite,
> preferably with this group", it's saying "give me a PFS suite with exactly
> this group and if you can't do that, don't do PFS". This seems like a pretty
> awful way to handle things.
The client is expected to send a complete list of *all* the groups it supports if it supports (any of) the new designated groups. Which means that clients that support these groups will use only these groups with servers that likewise support these groups, and will not use FFDHE when the client group list and the server group list don't overlap (which seems unlikely).

> In my mind this makes the FFDHE extension so toxic to use that I'd rather not
> support it at all, because it disables PFS unless you're really lucky in
> guessing what the server can do.

There's no guess, the client sends its full list of supported groups, and the server picks the one it likes.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
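The negotiation the two posters are arguing about, as an added example that is not part of the thread and not code from any TLS implementation: a small model of the RFC 7919 server-side rule for the supported_groups extension. The client sends its full ordered list of groups; the server walks its own key-exchange preference order and, for DHE, only uses an FFDHE group the client listed. If the client listed FFDHE code points but none overlap with the server's, DHE is skipped and the server falls through to the next key exchange the client offered (ECDHE, or a non-PFS suite if that is all that is left). A client that lists no FFDHE code points at all is treated as a legacy client, for which the server may still use its own custom DH parameters. The `ClientHello`/`ServerConfig` types, the `"DHE"`/`"ECDHE"`/`"RSA"` labels and the `CUSTOM_FFDHE` marker are assumptions of this model; the group code points are the IANA-registered values.

```python
"""Model of RFC 7919 FFDHE group negotiation via the supported_groups extension.

Illustrative code only, not taken from the mailing-list thread or from any
TLS stack. Structure types and key-exchange labels are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named group code points from the IANA "TLS Supported Groups" registry.
SECP256R1, SECP384R1, X25519 = 23, 24, 29
FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192 = 256, 257, 258, 259, 260
FFDHE_GROUPS = {FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192}
EC_GROUPS = {SECP256R1, SECP384R1, X25519}

# Assumed marker for a server's own, non-negotiated DH parameters (pre-RFC 7919
# behaviour), which the rule still allows for clients that list no FFDHE group.
CUSTOM_FFDHE = "server-custom-dh-params"


@dataclass
class ClientHello:
    key_exchanges: List[str]        # derived from offered cipher suites, client order
    supported_groups: List[int]     # full supported_groups list, client order


@dataclass
class ServerConfig:
    key_exchanges: List[str]        # server preference order
    groups: List[int]               # server preference order (EC and FFDHE mixed)


def select_key_exchange(hello: ClientHello,
                        server: ServerConfig) -> Optional[Tuple[str, object]]:
    """Return (key_exchange, group) the server negotiates, or None."""
    offered_ffdhe = [g for g in hello.supported_groups if g in FFDHE_GROUPS]
    offered_ec = [g for g in hello.supported_groups if g in EC_GROUPS]

    for kx in server.key_exchanges:
        if kx not in hello.key_exchanges:
            continue
        if kx == "DHE":
            if offered_ffdhe:
                # Client is RFC 7919-aware: only a listed group may be used.
                common = [g for g in server.groups if g in offered_ffdhe]
                if not common:
                    # No overlap: the server MUST NOT negotiate FFDHE here.
                    continue
                return ("DHE", common[0])          # server picks the one it likes
            # Client listed no FFDHE code points: legacy custom params allowed.
            return ("DHE", CUSTOM_FFDHE)
        if kx == "ECDHE":
            common = [g for g in server.groups if g in offered_ec]
            if not common:
                continue
            return ("ECDHE", common[0])
        return (kx, None)                          # non-PFS fallback, e.g. RSA
    return None


def no_overlap_no_ecdhe() -> Optional[Tuple[str, object]]:
    """Peter's scenario: the only common key exchange left is non-PFS RSA."""
    hello = ClientHello(["DHE", "RSA"], [FFDHE2048])
    server = ServerConfig(["DHE", "RSA"], [FFDHE3072])
    return select_key_exchange(hello, server)


def no_overlap_with_ecdhe() -> Optional[Tuple[str, object]]:
    """Same FFDHE mismatch, but ECDHE is on offer, so PFS survives."""
    hello = ClientHello(["DHE", "ECDHE", "RSA"], [FFDHE2048, X25519])
    server = ServerConfig(["DHE", "ECDHE", "RSA"], [FFDHE3072, X25519])
    return select_key_exchange(hello, server)


def full_list_overlap() -> Optional[Tuple[str, object]]:
    """Viktor's point: client sends its whole list, server chooses from it."""
    hello = ClientHello(["ECDHE", "DHE", "RSA"], [X25519, FFDHE2048, FFDHE3072])
    server = ServerConfig(["DHE", "ECDHE", "RSA"], [FFDHE3072, FFDHE2048, X25519])
    return select_key_exchange(hello, server)


def legacy_client() -> Optional[Tuple[str, object]]:
    """Client lists no FFDHE code points: custom server DH params remain legal."""
    hello = ClientHello(["DHE", "RSA"], [SECP256R1])
    server = ServerConfig(["DHE", "RSA"], [FFDHE2048])
    return select_key_exchange(hello, server)


if __name__ == "__main__":
    for case in (no_overlap_no_ecdhe, no_overlap_with_ecdhe,
                 full_list_overlap, legacy_client):
        print(f"{case.__name__}: {case()}")
```

The model makes the disagreement concrete: the loss of PFS in `no_overlap_no_ecdhe` only happens when the client's full FFDHE list and the server's list share nothing and no ECDHE suite is on offer either, whereas `full_list_overlap` shows the normal case, where the server simply picks its preferred group from the client's complete list.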