Hi, I recall that we have had discussions about how we should combine HRR and resumption.
My feeling is that combining the two is a needless complication. Instead, I believe that when a client attempts to resume a session using psk_dhe_ke, it should use the named group that was used in the previous handshake (i.e. the handshake the client used for establishing the connection from which it obtained the session ticket). It might be beneficial to state such advice in the specification, and that there is no need for server implementors to take care of resumption when sending HRR. Having such a guideline might reduce the chance of us creating a vulnerability.

-- Kazuho Oku

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
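As an added illustration, not code from the mail or from any TLS implementation, here is a small Python model of the behaviour the proposal describes: the resuming client sends a key_share for the group of the handshake that issued the ticket, and a server that has to send HelloRetryRequest simply ignores the offered PSK and falls back to a full handshake. The Ticket and ClientHello types, the server-preference group selection and the client's fallback when it no longer supports the old group are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Ticket:
    identity: bytes
    group: str  # named group used by the handshake that issued the ticket


@dataclass
class ClientHello:
    supported_groups: list
    key_shares: list  # groups for which a key_share entry is present
    psk_identities: list = field(default_factory=list)
    psk_modes: list = field(default_factory=list)


def build_resumption_hello(ticket, client_groups):
    """Client: when resuming with psk_dhe_ke, send the key_share for the
    group the original handshake used, so a server that still supports
    that group never has to answer with HelloRetryRequest."""
    if ticket.group in client_groups:
        return ClientHello(client_groups, [ticket.group],
                           [ticket.identity], ["psk_dhe_ke"])
    # Client dropped that group since the ticket was issued: give up on
    # the ticket and start a fresh full handshake (assumed client policy).
    return ClientHello(client_groups, [client_groups[0]])


def server_respond(hello, server_groups, tickets):
    """Server: pick the first of its own groups that the client supports.
    Without a matching key_share it sends HRR and ignores any PSK (the
    simplification the mail argues for); with one, it resumes if the
    offered PSK identity is a ticket it issued."""
    group = next((g for g in server_groups if g in hello.supported_groups), None)
    if group is None:
        return ("alert", None, None)
    if group not in hello.key_shares:
        return ("hrr", group, None)  # resumption is not carried across HRR
    if "psk_dhe_ke" in hello.psk_modes:
        for ident in hello.psk_identities:
            if ident in tickets:
                return ("resume", group, ident)
    return ("full", group, None)
```

With the server still preferring the ticket's group, resumption succeeds without HRR; if the server's preference changed to a group the client sent no key_share for, the PSK is dropped and a plain full handshake follows the HRR.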