Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decide servers should have accounted for this already #6

Merged
merged 1 commit into from
Mar 18, 2024
Merged

Decide servers should have accounted for this already #6

merged 1 commit into from
Mar 18, 2024

Commits on Mar 14, 2024

  1. Decide servers should have accounted for this already 

    This cuts the document by about half.

In the original version of this document, I assumed that attacker
control over the key_share list was a novel scenario that servers were
not expected to previously account for. After all, we went through quite
a lot of trouble to capture both ClientHellos in the handshake
transcript.

On reflection after MT filed issue #5, I think that was too timid of a
position. Although rfc8446bis improves the wording, RFC 8446 *already*
was quite clear that the key_share list may be an arbitrary subset of
the supported_groups list and doesn't reflect the full preferences. So
we can reasonably claim that any key_share-first server either:

* has considered this and believes the groups are compariable in
  preference, or

* did not understand the protocol and failed to implement their desired
  policy correctly.

The first is a perfectly valid choice. It's not a good choice between
ECDH and post-quantum, but it's perfectly defensible between
post-quantum options or between two ECDH curves. The second is a server
bug and the server's responsibility to fix, even if it is exacerbated by
new client behavior.
    @davidben
    davidben committed Mar 14, 2024
    Configuration menu
    Copy the full SHA
    421f1a8 View commit details
    Browse the repository at this point in the history