> That's what we do in Chrome/BoringSSL. We send one fake NamedGroup at the
> front of supported_groups and then put it in key_shares with a one-byte
> fake KeyShareEntry.
>
> It costs five bytes total and, having already caught a bug with it, seems
> valuable. It ensures that servers are capable of skipping over an unknown
> KeyShareEntry and don't just go for the first one. But, document-wise, I
> was expecting to just use MAY for everything rather than expressing much
> opinion.

OK.

--Kazu

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
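
The server-side behaviour the quoted message tests for, as an added example that is not part of the original thread and is not BoringSSL code: a parser for the ClientHello key_share body that skips a KeyShareEntry for an unknown group, beside one that looks only at the first entry. The sample bytes, the 0x0A0A fake group value and both function names are constructed for illustration; a real server also weighs its own preference order and supported_groups.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed key_share body: a fake group 0x0A0A with a one-byte
 * key_exchange, then x25519 (0x001D) with 32 filler bytes. */
static const uint8_t SAMPLE[] = {
    0x00, 0x29,                    /* client_shares length = 41 */
    0x0A, 0x0A, 0x00, 0x01, 0x00,  /* fake KeyShareEntry, 5 bytes */
    0x00, 0x1D, 0x00, 0x20,        /* x25519, 32 bytes follow */
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
};

/* The bug the fake entry catches: only the first entry is examined. */
static int first_entry_only(const uint8_t *p, size_t len,
                            const uint16_t *known, size_t n_known) {
    if (len < 6) return -1;
    uint16_t group = (uint16_t)(p[2] << 8 | p[3]);
    for (size_t i = 0; i < n_known; i++)
        if (known[i] == group) return group;
    return 0;
}

/* Walks every entry: first group found in known, 0 if none, -1 if malformed. */
static int select_key_share(const uint8_t *p, size_t len,
                            const uint16_t *known, size_t n_known,
                            const uint8_t **key, size_t *key_len) {
    if (len < 2 || ((size_t)p[0] << 8 | p[1]) != len - 2) return -1;
    size_t left = len - 2;
    int chosen = 0;
    for (p += 2; left > 0; ) {
        if (left < 4) return -1;                    /* truncated entry header */
        uint16_t group = (uint16_t)(p[0] << 8 | p[1]);
        size_t kx = (size_t)p[2] << 8 | p[3];
        if (kx == 0 || kx > left - 4) return -1;    /* key_exchange<1..2^16-1> */
        for (size_t i = 0; chosen == 0 && i < n_known; i++)
            if (known[i] == group) { chosen = group; *key = p + 4; *key_len = kx; }
        p += 4 + kx; left -= 4 + kx;  /* skip the entry whether or not it matched */
    }
    return chosen;
}

int main(void) {
    const uint16_t known[] = { 0x001D }; const uint8_t *key = NULL; size_t n = 0;
    int first = first_entry_only(SAMPLE, sizeof SAMPLE, known, 1);
    int group = select_key_share(SAMPLE, sizeof SAMPLE, known, 1, &key, &n);
    printf("first-only=%d skipping=0x%04X key_len=%zu\n", first, (unsigned)group, n);
    return 0;
}
```

On the sample, the first-entry-only parser finds no usable share, while the skipping parser selects the x25519 entry that follows the fake one.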