This draft still has the same problem that's been pointed out previously: Clients MUST NOT offer and servers MUST NOT select FFDHE cipher suites in TLS 1.2 connections.
What this means is that if the implementation doesn't support ECC, as some do, then it's in effect saying: Clients and servers MUST use RSA cipher suites. Some people may actually read a bit further and see the MUST NOT RSA, but that's just as non-useful because now it's saying you can't do TLS at all. So it needs to say: Unless ECC suites are not available, [Clients MUST NOT ...]. Or just something that doesn't end up being MUST RSA as it's currently being interpreted.

I'd also go further and say that since FFDHE is allowed in TLS 1.3 it's also safe with EMS or LTS in effect, so it should really be: Clients and servers that do not support TLS-EMS or TLS-LTS MUST NOT offer and servers MUST NOT select FFDHE cipher suites in TLS 1.2 connections.

Peter.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
