On Tue, Aug 04, 2015 at 10:35:30AM -0700, Martin Thomson wrote:
> As for the wasted bytes, I don't care for that. We will fix that later.
It is not just wasted bytes. It is also increased auditing requirements: auditing that the nonce generation is sound (e.g. not random). And in constructs like this, if you get it wrong, you will notice very quickly (contrast to AES-GCM nonce generation: serious errors can remain hidden).

Also, unifying the GCM scheme, the CCM scheme, the scheme from this draft and the TLS 1.3 scheme isn't hard (supporting CBC is loads more annoying, as it is much harder to unify[1]).

[1] Well, there are tricks with TLS 1.1/1.2 CBC modes, but TLS 1.0 CBC modes just won't unify.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls