On Thu, Nov 09, 2023 at 08:48:07AM +0000, John Mattsson wrote:
> 
> Everybody seems to agree that hybrids should be specified. Looking in
> my crystal ball, I predict that registering hybrids as code points
> will be a big mess with way too many opinions and registrations
> similar to the TLS 1.2 cipher suites. The more I think about it, the
> more I think TLS 1.3 should standardize a generic solution for
> combining two or more key shares.

I don't think future hybrids in TLS will be anything even close to the
mess that TLS 1.2 ciphersuites are.


> My understanding of what would be needed:
> 
> - New "split_key_PRF" extension indicating that client supports
>   split-key PRF.
> 
> - When "split_key_PRF" is negotiated the server may choose more than
>   one group/key share.

The one part that could be problematic is multiple choices for the classical
group to hybridize with. That could be addressed with share compression
in client hello.

Probably the simplest such scheme is allowing replacing first/second part of
share with group number, and then copying that share from start/end of
the referenced share.




-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
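
The share compression idea from the message above, sketched as an added example that is not part of the original thread or of any TLS draft. The group names, the layout table and the validation rules (only fully sent shares may be referenced, and the referenced end must carry the same algorithm) are assumptions chosen for illustration.

```python
# Added illustration; group names, layout table and rules are assumptions.
COMP_LEN = {"x25519": 32, "p256": 65, "kyber768": 1184}  # public share sizes in bytes
LAYOUT = {  # components of each offered group, in wire order
    "x25519": ("x25519",),
    "p256": ("p256",),
    "x25519_kyber768": ("x25519", "kyber768"),
    "p256_kyber768": ("p256", "kyber768"),
}
REF_SIZE = 2  # a TLS NamedGroup code point is 2 bytes


def wire_size(entries):
    """Bytes of share data sent; a reference costs one group number."""
    return sum(len(p) if isinstance(p, bytes) else REF_SIZE
               for parts in entries.values() for p in parts)


def expand(entries):
    """Rebuild full shares from {group: (part, ...)}; a str part is a reference."""
    for group, parts in entries.items():
        if group not in LAYOUT or len(parts) != len(LAYOUT[group]):
            raise ValueError(f"{group}: unknown group or wrong part count")
    # Only shares sent in full may be referenced, so references cannot chain or loop.
    literal = {g: b"".join(p) for g, p in entries.items()
               if all(isinstance(x, bytes) for x in p)}
    out = {}
    for group, parts in entries.items():
        rebuilt = []
        for idx, (part, comp) in enumerate(zip(parts, LAYOUT[group])):
            want = COMP_LEN[comp]
            if isinstance(part, str):
                end = 0 if idx == 0 else -1  # first part: start of source, else its end
                # The source must carry the same algorithm at that end, not just enough bytes.
                if part not in literal or LAYOUT[part][end] != comp:
                    raise ValueError(f"{group}: invalid reference to {part}")
                part = literal[part][:want] if idx == 0 else literal[part][-want:]
            if not isinstance(part, bytes) or len(part) != want:
                raise ValueError(f"{group}: {comp} part has wrong length")
            rebuilt.append(part)
        out[group] = b"".join(rebuilt)
    return out


# Constructed sample shares (fixed filler bytes, not real keys).
X, P, K = b"\x01" * 32, b"\x02" * 65, b"\x03" * 1184
FULL = {"x25519_kyber768": (X, K), "p256_kyber768": (P, K), "x25519": (X,)}
COMPRESSED = {"x25519_kyber768": (X, K),
              "p256_kyber768": (P, "x25519_kyber768"),  # Kyber part copied from the end
              "x25519": ("x25519_kyber768",)}           # X25519 part copied from the start
print(wire_size(FULL), wire_size(COMPRESSED), expand(COMPRESSED) == expand(FULL))
```

A receiver that accepted a reference on length alone would copy the leading bytes of a P-256 point into an X25519 slot without complaint, which is why the sketch compares component names before copying.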
