HelloRetryRequest is annoying. Is there any way we can replace it with something? I know our options are limited, here. We can't mandate offers for everything, not just due to constrained environments, but also because post-quantum keys could get too big.
The main thing that comes to mind would be to provide a way for a server to respond to a client with a ServerConfiguration, but not a hello, and put group support in there (maybe a whole supported_groups extension). Clients that don't provide the needed key would get a config and a fatal alert telling them that they need to use a supported group from that config. The client could then retry as it does now or do 0-RTT with early data, which could cut an RTT out of the current flow. (This is similar to the QUIC way of doing things.)

Dave

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
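For readers following the thread, the following is an added, crypto-free model of the current TLS 1.3 behaviour the post wants to replace: key_share negotiation and the HelloRetryRequest (HRR) round trip of RFC 8446 section 4.1.4, including the client-side checks that make HRR safe (the selected group must be one the client offered but did not already send a share for, and a second HRR is a fatal error). It is not Dave's code and does not model his ServerConfiguration proposal; group names follow the RFC 8446 registry, and the client offers and server preference lists are constructed sample inputs.

```python
"""Negotiation model for TLS 1.3 key_share and HelloRetryRequest (RFC 8446 4.1.4).

Constructed example: messages carry only the group names that drive the
negotiation, no keys or crypto. Server preference orders and client offers
below are made-up sample inputs.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Union


@dataclass
class ClientHello:
    supported_groups: List[str]   # every group the client can use, in preference order
    key_share: List[str]          # groups it actually sent a key for (a subset)


@dataclass
class HelloRetryRequest:
    selected_group: str           # the one group the server wants a key_share for


@dataclass
class ServerHello:
    selected_group: str


class Alert(Exception):
    """Fatal alert; str(exc) is the alert description."""


Response = Union[ServerHello, HelloRetryRequest]


def make_server(server_groups: List[str]) -> Callable[[ClientHello], Response]:
    """A well-behaved server: pick the first of its groups the client supports.
    If the client already sent a share for it -> ServerHello, otherwise -> HRR."""
    def respond(hello: ClientHello) -> Response:
        for group in server_groups:
            if group in hello.supported_groups:
                if group in hello.key_share:
                    return ServerHello(group)
                return HelloRetryRequest(group)
        raise Alert("handshake_failure")   # no mutually supported group
    return respond


def handshake(client_groups, client_shares, server):
    """Drive the client side. Returns (negotiated_group, client_flights)."""
    hello = ClientHello(list(client_groups), list(client_shares))
    flights = 1
    response = server(hello)
    if isinstance(response, HelloRetryRequest):
        # RFC 8446 4.1.4: the selected group must be one the client offered in
        # supported_groups and must NOT already have a share in the first hello.
        if response.selected_group not in hello.supported_groups:
            raise Alert("illegal_parameter")
        if response.selected_group in hello.key_share:
            raise Alert("illegal_parameter")
        # The second ClientHello carries a share for exactly the requested group.
        hello = ClientHello(list(client_groups), [response.selected_group])
        flights += 1
        response = server(hello)
        if isinstance(response, HelloRetryRequest):
            # A second HRR is never permitted; the client must abort.
            raise Alert("unexpected_message")
    return response.selected_group, flights


def alert_for(client_groups, client_shares, server) -> Optional[str]:
    """Run the handshake and report the alert description, or None on success."""
    try:
        handshake(client_groups, client_shares, server)
    except Alert as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    server = make_server(["secp256r1", "x25519"])
    # Client sends an x25519 share only; server prefers secp256r1 -> one HRR round trip.
    print(handshake(["x25519", "secp256r1"], ["x25519"], server))
    # Sending shares for both groups avoids the HRR at the cost of a bigger ClientHello,
    # which is the size trade-off the post is worried about for post-quantum groups.
    print(handshake(["x25519", "secp256r1"], ["x25519", "secp256r1"], server))
```

The second flight count is the extra round trip the post wants to eliminate; the alert paths show why a replacement still needs the same client-side validation, since an HRR (or any retry signal) naming a group the client never offered, or one it already shared, must be rejected rather than acted on.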
