On Feb 12, 2020, at 11:24 PM, Rob Sayre <say...@gmail.com> wrote:
>
> Would it be ok to add a rationale to the "Goals" section around backward
> compatibility? I'm not sure how the compatibility points will interact with
> downgrade attacks.
For now I don't think we're envisioning anything different on downgrade compared to current DH group negotiation. For example, a client that prefers curve25519 but also is willing to use nistp256 should be able to talk to a server that only supports nistp256. If the server also supports curve25519, an adversary who removes curve25519 from a hello message to try to trick them into 'downgrading' to nistp256 would eventually be caught by the handshake transcript authentication. The same holds in this setting.

Douglas

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
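The scenario in the reply above, worked through as an added example that is not code from the thread or from any TLS implementation: a toy model of group negotiation followed by a Finished-style MAC over the handshake transcript. The message encodings, the shared-secret stand-in and the MAC construction are simplified assumptions chosen for illustration; only the structure mirrors TLS, namely that each side hashes the handshake messages exactly as it saw them and the client checks the server's Finished against its own transcript.

```python
"""Constructed toy model: deleting a group from ClientHello is caught by
transcript authentication. Encodings, secrets and the MAC here are
stand-ins, not the TLS wire format or key schedule."""
import hashlib
import hmac


def encode_client_hello(groups):
    # Client lists the groups it supports, most preferred first.
    return b"ClientHello|supported_groups=" + ",".join(groups).encode()


def encode_server_hello(group):
    return b"ServerHello|key_share.group=" + group.encode()


def server_select(client_groups, server_groups):
    # Server honours the client's preference order among groups it supports.
    for g in client_groups:
        if g in server_groups:
            return g
    raise ValueError("no common group")


def transcript_hash(*messages):
    # Each side hashes the handshake messages as it saw them, length-prefixed
    # so that message boundaries are unambiguous.
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(2, "big") + m)
    return h.digest()


def finished_mac(handshake_secret, transcript):
    # Stand-in for Finished: a MAC keyed by a handshake secret over the
    # transcript hash.
    return hmac.new(handshake_secret, transcript, hashlib.sha256).digest()


def strip_group(group):
    # On-path attacker that deletes one group from the client's list.
    return lambda groups: [g for g in groups if g != group]


def run_handshake(client_groups, server_groups, tamper=None):
    """Return (negotiated_group, client_verified_server_finished).

    tamper, if given, rewrites the supported_groups list between client and
    server, modelling an attacker who edits the ClientHello in flight.
    """
    client_view_ch = encode_client_hello(client_groups)
    groups_at_server = tamper(client_groups) if tamper else list(client_groups)
    server_view_ch = encode_client_hello(groups_at_server)

    chosen = server_select(groups_at_server, server_groups)
    sh = encode_server_hello(chosen)

    # The attacker only edited the group list, so the key exchange over the
    # chosen group still completes and both sides hold the same secret
    # (constructed stand-in value derived from the group name).
    handshake_secret = hashlib.sha256(b"toy-ecdh-over-" + chosen.encode()).digest()

    # Server MACs the transcript it saw; the client checks that MAC against
    # the transcript it actually sent.
    server_finished = finished_mac(handshake_secret, transcript_hash(server_view_ch, sh))
    client_expected = finished_mac(handshake_secret, transcript_hash(client_view_ch, sh))
    return chosen, hmac.compare_digest(server_finished, client_expected)


if __name__ == "__main__":
    prefs = ["curve25519", "nistp256"]
    # Honest fallback to a server that only speaks nistp256: verifies.
    print(run_handshake(prefs, {"nistp256"}))                      # ('nistp256', True)
    # Server supports both, nothing tampered: preferred group wins.
    print(run_handshake(prefs, {"curve25519", "nistp256"}))        # ('curve25519', True)
    # Attacker strips curve25519: negotiation "succeeds" but Finished fails.
    print(run_handshake(prefs, {"curve25519", "nistp256"},
                        tamper=strip_group("curve25519")))         # ('nistp256', False)
```

Negotiation on its own cannot distinguish a server that genuinely only supports nistp256 from one that was shown a stripped hello, and in both cases the key exchange completes. The difference only surfaces when the client verifies the server's Finished against its own view of the ClientHello, which is why the downgrade attempt is caught at the end of the handshake rather than refused up front.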