On 23 September 2016 at 04:04, Colm MacCárthaigh <c...@allcosts.net> wrote:
>>>> If the problem is the use of forward secrecy then there is a simple
>>>> solution, don't use it.
>>>> That is, you can, as a server, have a fixed key_share for which the
>>>> secret exponent becomes the private key exactly as in the RSA case. It does
>>>> require some careful analysis, though.
>>>>
>>>
>> The key_share contributed by the client is indeed ephemeral and it
>> replaces the random key chosen by the client in the RSA-based scheme.
>>
>
> Yep, you're right, now I get it. I also now wonder if clients should make
> a best effort of detecting duplicate parameters and rejecting them.
>

Regular clients, no. But this would be a useful addition to debugging /
scanning suites (e.g. Qualys), or browser extensions for the security
conscious (e.g. CertPatrol).

-Thijs
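The check Thijs describes, a scanner noticing that a server hands out the same key_share public value on every handshake (a "fixed" exponent that gives up forward secrecy), looks like this as an added example. It is not code from this thread, from Qualys or from CertPatrol; it parses the ServerHello extensions vector and key_share entry as laid out in RFC 8446, tracks the public value seen per host and group, and flags repeats. Host names, the detector class and the key bytes are constructed for the example (the sample keys are arbitrary byte patterns, not points captured from any real server); the builder at the bottom exists only to create that sample input.

```python
import struct
from collections import defaultdict

# Extension type and NamedGroup code points from RFC 8446.
EXT_KEY_SHARE = 0x0033
EXT_SUPPORTED_VERSIONS = 0x002B
GROUP_NAMES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519", 0x001E: "x448"}


def parse_extensions(block: bytes) -> dict:
    """Parse a ServerHello 'Extension extensions<6..2^16-1>' vector into
    {extension_type: extension_data}. Raises ValueError on any truncation."""
    if len(block) < 2:
        raise ValueError("truncated extensions vector")
    (total,) = struct.unpack("!H", block[:2])
    body = block[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions vector shorter than declared length")
    exts, off = {}, 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        if len(data) != elen:
            raise ValueError("truncated extension body")
        exts[etype] = data
        off += 4 + elen
    return exts


def parse_server_key_share(data: bytes):
    """A ServerHello key_share carries one KeyShareEntry: group(2) followed by
    opaque key_exchange<1..2^16-1>. A HelloRetryRequest carries only the 2-byte
    selected_group, so the public value is None in that case."""
    if len(data) == 2:
        return struct.unpack("!H", data)[0], None
    if len(data) < 4:
        raise ValueError("key_share entry too short")
    group, klen = struct.unpack("!HH", data[:4])
    key = data[4:4 + klen]
    if klen == 0 or len(key) != klen or len(data) != 4 + klen:
        raise ValueError("malformed key_exchange length")
    return group, key


class KeyShareReuseDetector:
    """Remembers every server key_share public value seen per (host, group)
    and records a finding whenever a value recurs in a later handshake."""

    def __init__(self):
        self.seen = defaultdict(set)
        self.findings = []

    def observe(self, host: str, ext_block: bytes) -> bool:
        exts = parse_extensions(ext_block)
        if EXT_KEY_SHARE not in exts:
            return False
        group, key = parse_server_key_share(exts[EXT_KEY_SHARE])
        if key is None:  # HelloRetryRequest: nothing to compare yet
            return False
        reused = key in self.seen[(host, group)]
        self.seen[(host, group)].add(key)
        if reused:
            self.findings.append((host, GROUP_NAMES.get(group, hex(group)), key.hex()[:16]))
        return reused


def build_server_hello_extensions(group: int, key: bytes) -> bytes:
    """Build a constructed ServerHello extensions vector (supported_versions
    plus key_share). Used only to produce sample input for this example."""
    sv = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"
    ks_body = struct.pack("!HH", group, len(key)) + key
    ks = struct.pack("!HH", EXT_KEY_SHARE, len(ks_body)) + ks_body
    return struct.pack("!H", len(sv) + len(ks)) + sv + ks


def scan(samples):
    """samples: iterable of (host, extensions_block). Returns the reuse findings."""
    det = KeyShareReuseDetector()
    for host, blk in samples:
        det.observe(host, blk)
    return det.findings


# Constructed sample handshakes: one server rotates its x25519 share per
# connection, the other sends the same value every time. Key bytes are made up.
X25519 = 0x001D
ROTATING = [build_server_hello_extensions(X25519, bytes([i]) * 32) for i in (1, 2, 3)]
STATIC = [build_server_hello_extensions(X25519, b"\xaa" * 32) for _ in range(3)]
SAMPLES = [("rotating.example", b) for b in ROTATING] + [("static.example", b) for b in STATIC]

if __name__ == "__main__":
    for host, group, prefix in scan(SAMPLES):
        print(f"{host}: {group} key_share {prefix}... repeated across handshakes")
```

Two handshakes are the minimum for a verdict, and a single repeat is enough to report, since a correctly implemented server never draws the same ephemeral value twice; a scanner would feed `observe` the extensions block from each real ServerHello it collects for a target.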
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls