the nonce -> message-id (term of CoAP) is good enough to be 16 bit (as in CoAP),
because it is just per-hop retransmission, and the goal should be to
simply change only things that don't need a lot of argument/evaluation.

The session-id is network-wide GRASP and again, there is no good reason to change it:
Just causes a whole new re-investigation if it's sufficient (which I think it isn't,
but my argument is not really technical, but just "keep it simple - only change what
must be changed compared to GRASP").

Cheers
    Toerless

On Mon, May 12, 2025 at 08:09:40AM +1200, Brian E Carpenter wrote:
> On 11-May-25 21:53, Michael Richardson wrote:
> > 
> > Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
> >      > One detail: when developing RFC 8991 we were given very strong advice to
> >      > avoid the word "nonce" as some people find it offensive (it has a slang
> >      > meaning in British English). We switched to "handle" in that RFC. But given
> >      > that GRASP and cGRASP both have a pseudo-random "session-id", why not simply
> >      > call it "message-id"?
> > 
> > Oh.  The rest of the security community will be surprised, so I think that
> > ship has sailed, and we should stick with nonce, if its purpose is freshness
> > and/or contribution to a cryptographic state.
> > {sitting in a cafe next to Farringdon station. Shall I ask a random person?}
> > 
> >      > I am a little concerned by the reduction from 32 to 16 bits for the
> >      > session-id.
> > 
> > Since it's CBOR, there are no on-the-wire changes.
> > It's really about saying that implementations can expect to use a 16-bit
> > register for this.   I.e., it's not saving any bytes in the wire, it's saving
> > cycles on a CPU with a 16-bit ALU.
> 
> Sure, but it's reducing the collision space from 4294967296 to 65536. That
> means that collisions *will* happen so the collision avoidance mechanism
> *will* be exercised. That may be a good design choice but I think it needs
> to be documented.
> 
>   Brian
> 

-- 
---
t...@cs.fau.de

_______________________________________________
Anima mailing list -- anima@ietf.org
To unsubscribe send an email to anima-le...@ietf.org
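
Added example, not part of the thread and not taken from any GRASP or cGRASP implementation: it puts numbers on the 16-bit versus 32-bit session-id space discussed above, using the birthday bound for uniformly random IDs and a counter for how often an allocator has to redraw. The function names, the figure of 2000 concurrent sessions and the redraw-on-local-collision strategy are assumptions made for illustration.

```python
import math
import random

def collision_probability(active_ids: int, id_bits: int) -> float:
    """Chance that at least two of `active_ids` uniformly random IDs coincide."""
    space = 1 << id_bits
    if active_ids > space:
        return 1.0  # pigeonhole: more IDs than possible values
    # Sum logs of (1 - i/space) instead of multiplying, to keep precision.
    log_all_distinct = sum(math.log1p(-i / space) for i in range(active_ids))
    return 1.0 - math.exp(log_all_distinct)

def ids_for_even_odds(id_bits: int) -> int:
    """Smallest number of concurrent IDs whose collision chance reaches 50%."""
    space = 1 << id_bits
    log_all_distinct, n = 0.0, 0
    while log_all_distinct > -math.log(2):
        log_all_distinct += math.log1p(-n / space)
        n += 1
    return n

def allocate_distinct(count: int, id_bits: int, rng: random.Random):
    """Draw `count` IDs, redrawing any value already in use locally.

    Returns (ids, redraws). The redraw loop is an assumed avoidance
    strategy, used here only to count how often avoidance is exercised.
    """
    space = 1 << id_bits
    in_use, redraws = set(), 0
    while len(in_use) < count:
        candidate = rng.randrange(space)
        if candidate in in_use:
            redraws += 1
        else:
            in_use.add(candidate)
    return in_use, redraws

if __name__ == "__main__":
    rng = random.Random(2025)  # constructed seed, for repeatable output
    for bits in (16, 32):
        _, redraws = allocate_distinct(2000, bits, rng)  # 2000 is an assumed load
        print(f"{bits}-bit: 50% collision odds at {ids_for_even_odds(bits)} IDs, "
              f"P(collision | 2000 IDs) = {collision_probability(2000, bits):.6f}, "
              f"redraws while allocating 2000 = {redraws}")
```
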