Technical Summary
Traditional finite-field-based Diffie-Hellman (DH) key exchange
during the TLS handshake suffers from a number of security,
interoperability, and efficiency shortcomings. These shortcomings
arise from lack of clarity about which DH group parameters TLS
servers should offer and clients should accept. This document offers
a solution to these shortcomings for compatible peers by using a
section of the TLS "EC Named Curve Registry" to establish common
finite-field DH parameters with known structure and a mechanism for
peers to negotiate support for these groups.
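The negotiation the summary describes, as an added example written for this page (it is not code from the writeup, the working group or the draft): a server picks a named finite-field group from the client's supported_groups list, declining DHE when the client advertised named groups but none match, and a client accepts server DH parameters only when the modulus is exactly a named group it offered. The codepoints 256..260 (ffdhe2048..ffdhe8192), the generator 2 and the formula for the ffdhe2048 prime are taken from RFC 7919, which defines the groups this summary refers to; the function names, outcome labels and sample group lists are constructed here.

```python
"""Added example: negotiating and validating named finite-field DH groups.

Not part of the IESG writeup or of the draft it describes.  Codepoints
256..260, g = 2 and the ffdhe2048 prime formula come from RFC 7919; the
function names, outcome labels and sample inputs are constructed.
"""
from decimal import Decimal, getcontext

# "Supported Groups" registry codepoints for the FFDHE groups (RFC 7919).
FFDHE_CODEPOINTS = {
    256: "ffdhe2048",
    257: "ffdhe3072",
    258: "ffdhe4096",
    259: "ffdhe6144",
    260: "ffdhe8192",
}
FFDHE_GENERATOR = 2  # every RFC 7919 group uses g = 2


def _euler_e(digits):
    """Return Euler's number e as a Decimal accurate to `digits` digits."""
    getcontext().prec = digits + 20
    total, term, k = Decimal(0), Decimal(1), 0
    while term > Decimal(10) ** -(digits + 10):
        total += term
        k += 1
        term /= k
    return total


def ffdhe2048_prime():
    """Rebuild the ffdhe2048 modulus from the RFC 7919 Appendix A.1 formula
    p = 2^2048 - 2^1984 + {[2^1918 * e] + 560316} * 2^64 - 1.
    The 'known structure' the summary mentions: anyone can regenerate and
    check the modulus instead of trusting a pasted hex blob."""
    e = _euler_e(650)
    middle = int(Decimal(2) ** 1918 * e) + 560316  # int() floors a positive Decimal
    return 2 ** 2048 - 2 ** 1984 + middle * 2 ** 64 - 1


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed small bases; enough to catch a wrong constant."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def select_dhe_group(client_groups, server_groups):
    """Server side.  `client_groups` is the codepoint list from the client's
    supported_groups extension, `server_groups` the server's preference list.
    Returns (codepoint, outcome).  A client that advertised FFDHE codepoints
    is never handed an unnamed group: if nothing matches, decline DHE."""
    client_ffdhe = [g for g in client_groups if g in FFDHE_CODEPOINTS]
    if not client_ffdhe:
        # Legacy peer: said nothing about named FF groups, old rules apply.
        return None, "legacy_client"
    for g in server_groups:
        if g in client_ffdhe:
            return g, FFDHE_CODEPOINTS[g]
    return None, "decline_dhe"


KNOWN_PRIMES = {256: ffdhe2048_prime()}  # 257..260 would be built the same way


def client_accepts_server_params(p, g, offered_codepoints, known=KNOWN_PRIMES):
    """Client side.  Accept the server's (p, g) only when p is exactly the
    modulus of a named group this client offered and g is the group generator.
    An arbitrary server-chosen p, or a known p under a codepoint the client
    did not offer, is rejected: the client never has to assess unknown DH
    parameters, which is the point of the negotiation."""
    for cp in offered_codepoints:
        if known.get(cp) == p and g == FFDHE_GENERATOR:
            return True
    return False
```

The codepoint 23/24 values in the tests below stand for ECDHE curves a client might list alongside the FFDHE groups; the server-side rule is deliberately asymmetric, since a legacy client that lists no named FF groups is the only case in which unnamed DHE parameters remain permissible.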
Working Group Summary
This was well debated in the WG and the idea is very
well supported as it's a useful security improvement.
Document Quality
This has had plenty of review. I'm not sure if there are
current implementations, but TLS 1.3 will also adopt
this approach so it will be implemented then at least
and likely backported if that's still needed.
Personnel
Sean Turner is the highly experienced document shepherd.
Stephen Farrell is the irresponsible AD.