On Tue, Oct 27, 2015 at 8:56 AM, Eric Rescorla <e...@rtfm.com> wrote: > Yes, that's correct. But we could relax that restriction and make those work > if we wanted...
Explicit nonces should not be used in TLS. I'm happy to be building things without them in mind.

SIV modes, if turned into AEADs, would have to authenticate their nonces internally. RFC 5297 basically says that already (https://tools.ietf.org/html/rfc5297#section-3). That might mean that the nonce is prepended to the AD inside the AEAD abstraction, but that wouldn't be TLS's concern.

Cheers

AGL

--
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
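The point made above, that an SIV-based AEAD authenticates its nonce inside the primitive rather than leaving that to the record layer, as an added worked example that is not code from the thread or from any TLS implementation. It builds RFC 5297 AES-SIV from the AES-CMAC and AES-CTR primitives in the `cryptography` package and then wraps it in a nonce-based AEAD interface (`aead_seal`/`aead_open`, names chosen here) that passes the nonce to S2V as the final associated-data component, the position RFC 5297 section 3 assigns it, immediately before the plaintext. The deterministic core is checked against the RFC 5297 Appendix A.1 test vector; the nonce and message used for the AEAD round trip are constructed sample inputs.

```python
"""
AES-SIV (RFC 5297) from AES-CMAC and AES-CTR, plus a nonce-based AEAD wrapper
in which the nonce is an S2V input and is therefore authenticated by the
primitive itself.  Added example, not code from the TLS thread.  Helper names
(s2v, siv_encrypt, aead_seal, aead_open) are this example's own.
Requires the `cryptography` package.
"""
import hmac

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.cmac import CMAC

BLOCK = 16


def _cmac(key: bytes, msg: bytes) -> bytes:
    c = CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()


def _dbl(block: bytes) -> bytes:
    """Doubling in GF(2^128) with the CMAC polynomial (RFC 5297 section 2.3)."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def s2v(mac_key: bytes, strings: list) -> bytes:
    """S2V (RFC 5297 section 2.4).  The last string is the plaintext; every
    earlier string (associated data, and in the AEAD wrapper the nonce) is
    absorbed into the synthetic IV and so is authenticated."""
    if not strings:
        return _cmac(mac_key, b"\x00" * 15 + b"\x01")
    d = _cmac(mac_key, b"\x00" * BLOCK)
    for s in strings[:-1]:
        d = _xor(_dbl(d), _cmac(mac_key, s))
    last = strings[-1]
    if len(last) >= BLOCK:
        # xorend: fold D into the final 16 bytes of the last string
        t = last[:-BLOCK] + _xor(last[-BLOCK:], d)
    else:
        padded = last + b"\x80" + b"\x00" * (BLOCK - 1 - len(last))
        t = _xor(_dbl(d), padded)
    return _cmac(mac_key, t)


def _ctr(ctr_key: bytes, v: bytes, data: bytes) -> bytes:
    # RFC 5297 section 2.5: clear bits 31 and 63 of V before using it as the
    # CTR counter block (bit 0 is the rightmost bit, so bytes 12 and 8).
    q = bytearray(v)
    q[8] &= 0x7F
    q[12] &= 0x7F
    enc = Cipher(algorithms.AES(ctr_key), modes.CTR(bytes(q))).encryptor()
    return enc.update(data) + enc.finalize()


def _split_key(key: bytes):
    # Leftmost half keys S2V (CMAC), rightmost half keys CTR.
    half = len(key) // 2
    return key[:half], key[half:]


def siv_encrypt(key: bytes, plaintext: bytes, ad: list) -> bytes:
    """Deterministic SIV-AES: returns V || CTR(K2, Q(V), plaintext)."""
    k1, k2 = _split_key(key)
    v = s2v(k1, list(ad) + [plaintext])
    return v + _ctr(k2, v, plaintext)


def siv_decrypt(key: bytes, ciphertext: bytes, ad: list) -> bytes:
    if len(ciphertext) < BLOCK:
        raise ValueError("ciphertext shorter than the synthetic IV")
    k1, k2 = _split_key(key)
    v, c = ciphertext[:BLOCK], ciphertext[BLOCK:]
    plaintext = _ctr(k2, v, c)
    expected = s2v(k1, list(ad) + [plaintext])
    if not hmac.compare_digest(expected, v):
        raise ValueError("SIV authentication failed")
    return plaintext


def aead_seal(key: bytes, nonce: bytes, plaintext: bytes, ad: bytes = b"") -> bytes:
    """Nonce-based AEAD view of SIV (RFC 5297 section 3): the nonce is the last
    S2V component before the plaintext, so a wrong nonce fails authentication
    inside the primitive; the caller never has to check it separately."""
    return siv_encrypt(key, plaintext, [ad, nonce])


def aead_open(key: bytes, nonce: bytes, ciphertext: bytes, ad: bytes = b"") -> bytes:
    return siv_decrypt(key, ciphertext, [ad, nonce])


# RFC 5297 Appendix A.1 (deterministic, no nonce component).
RFC5297_A1_KEY = bytes.fromhex(
    "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
RFC5297_A1_AD = bytes.fromhex("101112131415161718191a1b1c1d1e1f2021222324252627")
RFC5297_A1_PT = bytes.fromhex("112233445566778899aabbccddee")
RFC5297_A1_OUT = bytes.fromhex(
    "85632d07c6e8f37f950acd320a2ecc9340c02b9690c4dc04daef7f6afe5c")


def check_rfc5297_a1() -> bool:
    out = siv_encrypt(RFC5297_A1_KEY, RFC5297_A1_PT, [RFC5297_A1_AD])
    back = siv_decrypt(RFC5297_A1_KEY, out, [RFC5297_A1_AD])
    return out == RFC5297_A1_OUT and back == RFC5297_A1_PT


def nonce_is_authenticated() -> bool:
    """Constructed sample inputs: opening with a different nonce must fail."""
    key = bytes(range(32))
    nonce = b"\x09\xf9\x11\x02\x9d\x74\xe3\x5b"
    ct = aead_seal(key, nonce, b"record payload", b"record header")
    if aead_open(key, nonce, ct, b"record header") != b"record payload":
        return False
    try:
        aead_open(key, b"\x00" * 8, ct, b"record header")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("RFC 5297 A.1:", check_rfc5297_a1())
    print("wrong nonce rejected:", nonce_is_authenticated())
```

Because the nonce is an S2V input, a receiver that derives the wrong nonce gets a decryption failure from `aead_open` rather than a silently different plaintext, which is what lets a record layer omit any explicit nonce on the wire. The deterministic core (`siv_encrypt` with no nonce component) still leaks equality of plaintexts under the same key and associated data, which is the property the nonce component exists to remove.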