Should DH be allowed in conjunction with SSL? The easiest and safest answer is "of course!", but it might be beneficial to tell identity server providers that they don't need to do DH if they're doing SSL. I don't care much either way, but it should be discussed at least briefly and documented. - Brad