On 11/30/15 2:26 AM, Peter Gutmann wrote: > Bryan A Ford <brynosau...@gmail.com> writes: > >> Feel free to attack my proposal but then please attack *my* proposal, not >> the old broken SSH approach. > > I was actually commenting on the concept of encrypting headers in general, > not the specific case you'd given. That is, I assumed you'd specifically > chosen the one case where it's practical, an AEAD stream cipher, and used > that as a strawman. Re-reading your post, it looks like "adding a stream > cipher to every TLS 1.3-compatible ciphersuite" should really be "require > that the only cipher type allowed for TLS be an AEAD stream cipher", > because it's not going to work with anything else.
In my proposal I focused on AEAD because I had understood (and thought I had read in the TLS spec) that TLS had decided to move to AEAD-based encryption in general. I had no intention of implying that TLS "must" switch to AEAD completely, and there's no reason it would need to for my proposal to work. It would work just as well and in exactly the same way if the AEAD is replaced with the traditional Encrypt-then-MAC construction, for example. Also, if any issues with some (e.g., old) ciphersuites do arise, I wouldn't object to specifying that TLS header encryption is done only with "new" ciphersuites (e.g., the AEAD-based ones, or using some other appropriate definition of "new"). Bryan
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
