On Wed, Jun 5, 2024 at 9:19 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Nick Harper <i...@nharper.org> writes:
>
> >I see no requirement in section 9 nor in section 4.2.8 requiring MTI curves
> >be present in the key_share extension if that extension is non-empty.
>
> Just because it's possible to rules-lawyer your way around something doesn't
> make it valid (I also see nothing in the spec saying a TLS 1.3 implementation
> can't reformat your hard drive, for example, so presumably that's OK too).
> The point is that P256 is a MTI algorithm and Chrome doesn't provide any MTI
> keyex in its client hello, making it a noncompliant TLS 1.3 implementation.


Hi Peter,

As you describe it, this seems like a somewhat material issue in Chrome’s
TLS 1.3 support, which I confess is surprising to hear about given Google’s
experience and level of investment in that space.

You mentioned in another message that some embedded TLS implementations
also omit MTI support for code size or attack surface reasons. Not to ask
you to speak for Chrome (though perhaps someone else on this list might be
able to!), but do you have any sense of why Chrome chose to omit this MTI
support?

Mike
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
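
The exchange above turns on the difference between a group being listed in supported_groups and a share for it being sent in key_share. The following is an added example, not part of the thread or of any implementation discussed in it, that reports both sets for a ClientHello so the two can be compared. The function names and the sample bytes are constructed for illustration, and the input is assumed to be the ClientHello extensions list without its outer two-byte length prefix.

```python
import struct

SUPPORTED_GROUPS, KEY_SHARE = 10, 51   # ExtensionType values (RFC 8446, 4.2)
SECP256R1, X25519 = 0x0017, 0x001D     # NamedGroup values (RFC 8446, 4.2.7)

def u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated field")
    return struct.unpack_from("!H", buf, off)[0]

def iter_extensions(block):
    """Yield (type, body) for each extension in a ClientHello extensions list."""
    off = 0
    while off < len(block):
        ext_type, length = u16(block, off), u16(block, off + 2)
        body = block[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated extension")
        yield ext_type, body
        off += 4 + length

def groups_in_client_hello(block):
    """Return (groups in supported_groups, groups with a share in key_share)."""
    supported, shares = [], []
    for ext_type, body in iter_extensions(block):
        if ext_type not in (SUPPORTED_GROUPS, KEY_SHARE):
            continue
        if u16(body, 0) != len(body) - 2:
            raise ValueError("bad list length")
        if ext_type == SUPPORTED_GROUPS:
            supported = [u16(body, i) for i in range(2, len(body), 2)]
        else:
            off = 2
            while off < len(body):      # KeyShareEntry: group, key length, key
                shares.append(u16(body, off))
                off += 4 + u16(body, off + 2)
            if off != len(body):
                raise ValueError("truncated key share")
    return supported, shares

def ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

# Constructed sample, not a capture from any real client: supported_groups lists
# x25519 and secp256r1, key_share carries a single (all-zero) x25519 share.
group_list = struct.pack("!HH", X25519, SECP256R1)
share_list = struct.pack("!HH", X25519, 32) + bytes(32)
SAMPLE = (ext(SUPPORTED_GROUPS, struct.pack("!H", len(group_list)) + group_list)
          + ext(KEY_SHARE, struct.pack("!H", len(share_list)) + share_list))
```

For the constructed sample, `groups_in_client_hello(SAMPLE)` lists secp256r1 among the supported groups but not among the groups with a key share.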