Eric Rescorla <e...@rtfm.com> wrote:
> On Sun, Dec 20, 2015 at 5:13 PM, Brian Smith <br...@briansmith.org> wrote:
>
>> Adam Langley <a...@imperialviolet.org> wrote:
>>
>>> On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <br...@briansmith.org>
>>> wrote:
>>> > That is, it seems it would be better to use HKDF-SHA512 instead of
>>> > HKDF-SHA256.
>>>
>>> I assume that you mean for TLS 1.3 since you mention HKDF?
>>
>> No, I mean for all versions of TLS.
>
> Do you mean using SHA-512 in the TLS 1.2 PRF? Or something else?

Yes, for TLS 1.2 and TLS 1.3.

> The MTI cipher suites for TLS 1.2 and 1.3 require SHA-256 and
> all the AES-GCM ciphers already require SHA-256 or SHA-384, so it
> seems like the vast majority of implementations are going to require at
> least one of these algorithms in any case.

Nobody should pay attention to what the MTI cipher suite for TLS 1.2 is, because it's obsolete; in fact, one would be making a huge mistake to deploy it now if one's application didn't have legacy backward compatibility concerns.

And, we should change the MTI cipher suite for TLS 1.3 to the ChaCha20-Poly1305 ones, because they solve a lot of problems. For example, they remove any question of any need to implement rekeying, they avoid the weird IV construction hacks that are necessary for 128-bit cipher suites like AES-GCM, and they can be implemented efficiently in a safe way, unlike AES-GCM.

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls