On Tue, Dec 15, 2015 at 2:01 PM, Scott Fluhrer (sfluhrer) <sfluh...@cisco.com> wrote:

> Might I enquire about the cryptographical reason behind such a limit?
>
> Is this the limit on the size of a single record? GCM does have a limit
> approximately there on the size of a single plaintext it can encrypt. For
> TLS, it encrypts a record as a single plaintext, and so this would apply to
> extremely huge records.
>
> Or is this a limit on the total amount of traffic that can go through a
> connection over multiple records? If this is the issue, what is the
> security concern that you would have if that limit is exceeded?

Watson provided these, so perhaps he can elaborate. It would be good to have a value we all agree on.

Thanks,
-Ekr

> Thank you.
>
> *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of* Eric Rescorla
> *Sent:* Tuesday, December 15, 2015 4:15 PM
> *To:* tls@ietf.org
> *Subject:* [TLS] Data volume limits
>
> Watson kindly prepared some text that described the limits on what's safe
> for AES-GCM and restricting all algorithms with TLS 1.3 to that lower
> limit (2^{36} bytes), even though ChaCha doesn't have the same
> restriction.
>
> I wanted to get people's opinions on whether that's actually what we want
> or whether we should (as is my instinct) allow people to use ChaCha
> for longer periods.
>
> -Ekr

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls