On Tue, Oct 27, 2015 at 11:09 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Tue, Oct 27, 2015 at 08:49:35AM -0400, Eric Rescorla wrote:
> > Thinking about this a little more:
> >
> > If we ever change the nonce construction to have an explicit nonce or
> > otherwise not depend on the RSN (e.g., something like SIV) we're going
> > to be sad if we don't have the RSN in the AD. Obviously, we'd also need
> > to change the text about the nonce construction, so it's not like you
> > could drop in a construction like this, but it would be slightly easier
> > to do if we already MACed the RSN.
> >
> > I'm not sure which side of the fence I'm on here. What do others think?
>
> AFAIK, the only case where this would be useful with RFC5116-compliant
> ciphers are the ciphers with N_MAX=0, i.e. no nonce. And such ciphers
> can't currently be used.

Yes, that's correct. But we could relax that restriction and make those work
if we wanted...

-Ekr

>
> -Ilari
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls