On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <br...@briansmith.org> wrote: >> The recent renaming of the ChaCha20-Poly1305 cipher suites brought >> something to my attention that I hadn't thought about before. It seems like >> it might be better to use HKDF-SHA512 instead of HKDF-SHA512, and > > > That is, it seems it would be better to use HKDF-SHA512 instead of > **HKDF-SHA256**.
I assume that you mean for TLS 1.3 since you mention HKDF? I updated the draft recently because David Benjamin noted that the names didn't include the PRF (which they should these days) and that OpenSSL, at least, used SHA-256, so might as well make the spec match reality. So, the current code points are probably SHA-256 now. I don't object to adding more if people want SHA-384 too. Although, since the hash function is only used in key derivation with these cipher suites, I'm not sure that a slower, software implementation of SHA-256 would be a big problem. Cheers AGL -- Adam Langley a...@imperialviolet.org https://www.imperialviolet.org _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
