On Tue, Oct 25, 2022 at 3:40 PM Andrei Popov
wrote:
> (It's also not clear to me how we would get rid of HRR in a future TLS
> version, without removing algorithm options, adding round-trips, or relying
> on some out-of-band signals.)
>
It was pretty much the idea to do those things, although I
In TLS <= 1.2, the client and server agree on the (EC)DHE group to use for key
exchange by negotiating it (at the cost of a round-trip).
In TLS 1.3, the client tries to guess what (EC)DHE group(s) the server might
support and sends key share(s) accordingly (saving a round-trip).
When a TLS 1.3
