Sure. Like I said, I don't feel strongly about this, I just wanted to take people's temperature. I'm fine with removing the seq from the AD.

-Ekr

On Tue, Oct 27, 2015 at 2:49 PM, Adam Langley <a...@imperialviolet.org> wrote:

> On Tue, Oct 27, 2015 at 8:56 AM, Eric Rescorla <e...@rtfm.com> wrote:
> > Yes, that's correct. But we could relax that restriction and make those work
> > if we wanted...
>
> Explicit nonces should not be used in TLS. I'm happy to be building
> things without them in mind.
>
> SIV modes, if turned into AEADs, would have to authenticate their
> nonces internally. RFC 5297 basically says that already
> (https://tools.ietf.org/html/rfc5297#section-3). That might mean that
> the nonce is prepended to the AD inside the AEAD abstraction, but that
> wouldn't be TLS's concern.
>
>
> Cheers
>
> AGL
>
> --
> Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls