On Tue, Nov 3, 2015 at 11:29 AM, Brian Smith <br...@briansmith.org> wrote:
> Brian Smith <br...@briansmith.org> wrote:
>>
>> This way, one Poly1305 invocation per record could be saved, potentially,
>> for application_data records, which is the common case.
>
> This is still true, but...
>
>>
>> An implementation that avoids sending encrypted alerts and avoids
>> renegotiation could avoid writing code for the case where non-empty AAD is
>> needed, and could share the exact same code between TLS 1.2 and TLS 1.3 for
>> ChaCha20-Poly1305.
>
> This isn't true, because of the Finished message. So, it is not quite as
> good of an idea as I thought, but still it seems like it could be
> worthwhile.

My feelings on this are not strong either way but I tend towards
keeping it simple, which to me means that this cipher suite will use
the standard AD value for the TLS version in use. Saving a single
Poly1305 block per record isn't a big deal and it looks like we'll get
it anyway with TLS 1.3.

So, for the moment, I'm not planning on adding anything to that effect.

Cheers

AGL

--
Adam Langley a...@imperialviolet.org https://www.imperialviolet.org

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls