Opened 16 years ago
Closed 15 years ago
#35 closed clarification (fixed)
Clarify DH calculations
| Reported by: | pasi.eronen@… | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | DISCUSS |
| Component: | draft-ietf-tls-rfc4346-bis | Version: | 02 |
| Severity: | | Keywords: | |
| Cc: | | | |
Description
http://www1.ietf.org/mail-archive/web/tls/current/msg01115.html
IMHO it probably would make sense for a TLS implementation to use one of the groups specified in RFC 4306 or 3526, instead of e.g. generating a random prime p (generating random primes is kind of slow, and then you have to worry about RFC 2785 etc.). (Would others agree with this recommendation? Should we add it to the TLS 1.2 spec?)
http://www1.ietf.org/mail-archive/web/tls/current/msg01116.html
Just one group? Or allow choosing the group like in IKE? <snip> Makes perfect sense to me!
http://www1.ietf.org/mail-archive/web/tls/current/msg01121.html
Should we recommend using larger moduli in the Diffie-Hellman key exchange methods? And should we encourage checking the size of the ServerDHParams.p when acting as a client to make sure it is not too small?
Change History (3)
comment:1 Changed 15 years ago by ekr@…
- Milestone set to Maybe never
comment:2 Changed 15 years ago by ekr@…
comment:3 Changed 15 years ago by ekr@…
- Resolution set to fixed
- Status changed from new to closed
I think this got settled or at least everyone got worn out on the TLS ML.
I'd prefer not to get into this in the TLS spec. If someone wants to write a general "these are good DH parameters" that's fine but I don't think this is TLS-specific.