Hi,

* Simon Josefsson <si...@josefsson.org> [16/12/2015 09:44:55] wrote:
> I don't like re-keying. It is usually a sign that your primitives are
> too weak and you are attempting to hide that fact. To me, it is similar
> to discarding the first X bytes of RC4 output.
>
> If AES-GCM cannot provide confidentiality beyond 64GB (which would
> surprise me somewhat), I believe we ought to be careful about
> recommending it.
>
I unequivocally concur here. This might be a good time to point again to my existing AES-OCB draft, which hasn't really seen a lot of discussion or love lately. It expired, but I've recently updated the draft (not yet uploaded to IETF, as I'm waiting for implementer feedback from two particular sources). The update has something to do with how GCM is implemented in some stacks, though; see:

https://github.com/azet/draft-zauner-tls-aes-ocb/commit/26c2fff7808fc88bf47e5d097f2ff5ca23201029

Aaron
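The exchange above turns on two numbers: how much data a single AES-GCM key can protect before its confidentiality margin thins out (the 64GB figure), and what periodic rekeying buys. As an added example that is not part of this thread or of the AES-OCB draft, the Python below works that question through with the standard PRP/PRF switching bound, which is the usual source of such data-volume limits for counter-mode AEADs. Reading "64GB" as 2^36 bytes, treating rekeyed segments as independently keyed (ignoring the key-derivation step), and every function name here are assumptions of the example, not claims made by either poster; the bound covers only the indistinguishability side of the question, not GCM's forgery bounds.

```python
# Added example (not from the thread): back-of-the-envelope confidentiality
# margin for a counter-mode AEAD such as AES-GCM, using the PRP/PRF switching
# lemma. Assumptions: 128-bit block cipher, "64GB" read as 2**36 bytes, and
# rekeyed segments treated as independently keyed (the key derivation itself
# is ignored). Indistinguishability only; GCM's forgery bounds are separate.
from fractions import Fraction
from math import isqrt, log2

BLOCK_BITS = 128
BLOCK_BYTES = BLOCK_BITS // 8


def blocks_for_bytes(n_bytes: int) -> int:
    """Keystream blocks needed to encrypt n_bytes (rounded up)."""
    return (n_bytes + BLOCK_BYTES - 1) // BLOCK_BYTES


def switching_bound(q_blocks: int, n_bits: int = BLOCK_BITS) -> Fraction:
    """PRP/PRF switching bound q(q-1)/2^(n+1): an upper bound on the advantage
    of any adversary in telling q blocks of CTR keystream from random bits."""
    return Fraction(q_blocks * (q_blocks - 1), 2 ** (n_bits + 1))


def single_key_advantage(bytes_under_key: int) -> Fraction:
    """Advantage bound when every byte on the connection uses one key."""
    return switching_bound(blocks_for_bytes(bytes_under_key))


def rekeyed_advantage(total_bytes: int, rekey_every: int) -> Fraction:
    """Advantage bound when the key is replaced every rekey_every bytes.
    A hybrid argument over the independent keys gives a union bound:
    number_of_segments * per-segment bound (last segment bounded by a full one)."""
    segments = -(-total_bytes // rekey_every)  # integer ceiling division
    return segments * switching_bound(blocks_for_bytes(rekey_every))


def log2_advantage(adv: Fraction) -> float:
    """Express an advantage bound as a power of two, e.g. -65.0 for 2^-65."""
    return log2(adv) if adv > 0 else float("-inf")


def max_bytes_for_advantage(target_log2: int) -> int:
    """Largest byte count whose single-key bound stays at or below 2**target_log2.
    Solves q(q-1) <= 2^(n+1+target) over the integers (target >= -(n+1))."""
    limit = 2 ** (BLOCK_BITS + 1 + target_log2)
    q = isqrt(limit)
    while q * (q - 1) > limit:
        q -= 1
    while (q + 1) * q <= limit:
        q += 1
    return q * BLOCK_BYTES


if __name__ == "__main__":
    gib = 2 ** 30
    for label, n in [("64 GiB", 64 * gib), ("1 TiB", 1024 * gib), ("16 TiB", 16 * 1024 * gib)]:
        one_key = log2_advantage(single_key_advantage(n))
        rekeyed = log2_advantage(rekeyed_advantage(n, 64 * gib))
        print(f"{label:>7}: single key 2^{one_key:.2f}, rekey every 64 GiB 2^{rekeyed:.2f}")
    print("bytes allowed for a 2^-60 margin:", max_bytes_for_advantage(-60) / gib, "GiB")
```

Under this bound, 2^36 bytes under one key corresponds to a distinguishing advantage of about 2^-65, which is one way the 64GB figure can arise; pushing a single key to 1 TiB raises the bound to about 2^-57, while rekeying every 64 GiB over the same 1 TiB keeps it near 2^-61. The output is an upper bound on this particular birthday-type loss only and says nothing about whether the underlying primitive is otherwise sound, which is the separate point raised above.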
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls