2024-06-05 15:17 GMT+02:00 Peter Gutmann <pgut...@cs.auckland.ac.nz>:
> Nick Harper <i...@nharper.org> writes:
>
> >I see no requirement in section 9 nor in section 4.2.8 requiring MTI curves
> >be present in the key_share extension if that extension is non-empty.
>
> Just because it's possible to rules-lawyer your way around something doesn't
> make it valid (I also see nothing in the spec saying a TLS 1.3 implementation
> can't reformat your hard drive, for example, so presumably that's OK too).
> The point is that P256 is a MTI algorithm and Chrome doesn't provide any MTI
> keyex in its client hello, making it a noncompliant TLS 1.3 implementation.
This is not rules lawyering. P-256 is MTI as a supported group, and Chrome
supports it and will successfully negotiate with a server that only supports
P-256 (through a Hello Retry Request, which is a perfectly valid—if
inefficient—mechanism). That's following both the letter and the spirit of the
MTI requirement. If the spec wanted to make a key share mandatory, it could
have said so.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
