Bodo Moeller <bmoel...@acm.org> writes:

>Peter, so your complaint is about the lack of support for explicitly
>specified (non-"named") groups?
It's the lack of support for DHE unless it's the exact parameters the server wants. At the moment if your implementation wants to use DHE (which pretty much all of them do) you have two options:

1. Ignore RFC 7919 and perform DHE with several billion devices worldwide.

2. Implement RFC 7919 and, unless both client and server happen to choose an appropriate FFDHE parameter set that both sides can agree on, be forced to fall back to the old, unsafe RSA key exchange.

The problem is that 7919 doesn't say "I want to do DHE, if possible with these parameters", it says "I will only accept DHE if you use these parameters, otherwise you cannot use DHE but must drop back to RSA". Talk about cutting off your nose to spite your face; you'd have to have rocks in your head to want to break your implementation like that.

Until now I hadn't had a major interest in 7919 (it's rather hard to identify what problem it's actually solving), but thought I'd look at it for TLS-LTS use. However, if using it requires giving up DHE in a lot of cases there's no way I'll be implementing it.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
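The server-side selection rule the message objects to, modelled as a small Python function so the fallback can be seen on concrete inputs. This is an added illustration for the thread, not code from the post or from any TLS implementation; the codepoints follow RFC 7919 (FFDHE groups occupy 256..511, ffdhe2048 = 256, ffdhe3072 = 257), the handling of a client that lists no FFDHE group is an assumption about pre-7919 behaviour, and the client suite and group lists are constructed inputs.

```python
# Server-side key-exchange selection in TLS 1.2 under RFC 7919 section 4.
# Added illustration for this thread; not code from the post or any TLS stack.
FFDHE_CODEPOINTS = range(256, 512)      # RFC 7919 reserves 256..511 for FFDHE
FFDHE2048, FFDHE3072 = 256, 257         # IANA codepoints assigned by RFC 7919
INSUFFICIENT_SECURITY = 71              # fatal alert RFC 7919 requires


class HandshakeAlert(Exception):
    """Raised with the alert number the server would send."""


def select_key_exchange(client_kx, client_groups, server_ffdhe, rfc7919=True):
    """Pick the key exchange a server negotiates for one ClientHello.

    client_kx:     key-exchange kinds from the client's cipher-suite list, in
                   client preference order; this model knows "DHE" and "RSA".
    client_groups: codepoints from the client's supported_groups extension.
    server_ffdhe:  named FFDHE groups the server knows and accepts.
    rfc7919:       True = follow the RFC 7919 server rule; False = legacy
                   behaviour (always use the server's own DH parameters).
    Returns ("DHE", <group codepoint or "custom-params">) or ("RSA", None).
    """
    # Any codepoint in the FFDHE range counts, even one the server has never
    # heard of: the client has declared that it wants named groups only.
    offers_ffdhe = any(g in FFDHE_CODEPOINTS for g in client_groups)
    common = [g for g in client_groups if g in server_ffdhe]
    for kx in client_kx:
        if kx == "RSA":
            return ("RSA", None)            # static RSA: no forward secrecy
        if kx != "DHE":
            continue                        # other kinds are not modelled
        if not rfc7919:
            return ("DHE", "custom-params") # option 1 in the post: ignore 7919
        if offers_ffdhe and common:
            return ("DHE", common[0])       # first client-preferred common group
        if offers_ffdhe:
            # RFC 7919 sec. 4: client named FFDHE groups but none is acceptable,
            # so the server MUST NOT select an FFDHE suite; try the next suite.
            continue
        # Client listed no FFDHE group, i.e. it is 7919-unaware. Assumed here:
        # the server keeps using its own parameters as it did before the RFC.
        return ("DHE", "custom-params")
    # FFDHE offered, nothing acceptable, and no other offered suite fits.
    raise HandshakeAlert(INSUFFICIENT_SECURITY)
```

With a server that only accepts ffdhe3072 and a client that offers ffdhe2048 plus a static-RSA suite, the 7919-conformant path returns ("RSA", None), which is the loss of forward secrecy the post is pointing at.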