> If we can establish how difficult it would be to hash the server keyshare
> into the hint in various implementations, I think we'll have our answer. I
> suspect it is difficult enough to create a problem for someone, but I'm not
> a TLS implementer.
>
One data point: In the standard Go implementation, the ServerHello.random is computed well before the "key_shares" extension is serialized [1]. Changing this would be somewhat invasive, but perhaps not prohibitively so.

Best,
Chris P.

[1] https://github.com/golang/go/blob/master/src/crypto/tls/handshake_server_tls13.go#L83

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls