Viktor Dukhovni <ietf-d...@dukhovni.org> writes: >What benefit do we expect from forcing weaker security (RSA key exchange or >cleartext in the case of SMTP) on the residual servers that don't do either >TLS 1.3 or ECDHE?
This already happens a lot in wholesale banking, the admins have dutifully disabled DH because someone said so and so all keyex falls back to RSA circa 1995, and worst possible situation to be in. There needs to be clear text in there to say that if you can't do ECC then do DH but never RSA, or even just "keep using DH because it's still vastly better than the alternative of RSA". At the moment the blanket "don't do DH" is in effect saying "use RSA keyex" to a chunk of the market. Peter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
