By “obsolete keyex draft” you mean expired, right? I am in favor of MUST NOT have a certificate with DH keys. So yes to 1. I think #2 is unenforceable/undetectable, but would be happy to be convinced otherwise. So I’m unsure about #2.
But yes, let’s adopt and merge in the expired keyex draft and then argue over it.
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls