On Sat, Jul 19, 2014 at 12:33 PM, Brian Smith <brian@briansmith.org> wrote: > Also, I am > concerned that encouraging or mandating any TLS_DHE_* cipher suites > may cause complications for the 1-RTT and/or 0-RTT handshakes in TLS > 1.3. In particular, I am concerned that it may be too inefficient to > presumptuously generate ephemeral DHE keypairs for use in the > ClientHello, especially in addition to one or more ECDHE keys that > will have to be presumptuously generated too. Responding just to this point: The current TLS 1.3 draft [0] does not require clients to provide DHE shares for every possible key exchange mechanism, nor would I expect us to require that. Therefore, making DHE mandatory would not require clients to optimistically generate DHE shares. Clients can simply select the groups they believe represent the best tradeoff between correct guessing and CPU cost (or bandwidth cost, which seems to be more serious). Of course, it's possible that if we make a number of different groups MTI, that there will be disjoint sets of server support and that therefore clients will have to send a lot of shares or run the risk of multiple round trips. However, I don't think that's made much more likely by specifying integer DHE. -Ekr [0] http://tools.ietf.org/html/draft-ietf-tls-tls13-02
Received on Saturday, 19 July 2014 21:17:58 UTC