On Tue, Oct 27, 2015 at 08:49:35AM -0400, Eric Rescorla wrote: > Thinking about this a little more: > > If we ever change the nonce construction to have an explicit nonce or > otherwise > not depend on the RSN (e.g., something like SIV) we're going to be sad if > we don't have the RSN in the AD. Obviously, we'd also need to change the > text about the nonce construction, so it's not like you could drop in a > construction > like this, but it would be slightly easier to do if we already MACed the > RSN. > > I'm not sure which side of the fence I'm on here. What do others think?
AFAIK, the only case where this would be useful with RFC5116-compliant ciphers are the ciphers with N_MAX=0, i.e. no nonce. And such ciphers can't currently be used. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
