Colm MacCárthaigh wrote:
> But I take the point that AEAD modes are harder for programmers to screw
> up; and that does have value.
Though it is a pretty flawed assumption. I've seen an AEAD cipher implementation fail badly just recently (resulting in corrupted plaintext that went unnoticed within TLS--MACing the ciphertext is obviously a pretty dumb idea), something that is *MUCH* more unlikely to happen to any cipher suites using GenericBlockCipher PDU.

Pretty much all of the known crypto attacks are highly theoretical and meaningless in practice, whereas corrupted plaintext is an immediate real pain in the ass.

I'm glad that the problem was spotted before the affected code was shipped.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
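The failure mode Martin describes (a decryption-side implementation bug that yields wrong plaintext while the authentication tag still verifies, because the tag covers the ciphertext and not the decryptor's output) is easy to reproduce with a toy encrypt-then-MAC AEAD, and it shows which check would have caught it: a decrypt-side round-trip or known-answer self-test, not the tag. The following is an added example, not code from the thread or from any TLS implementation; the stream cipher (SHA-256 in counter mode) and the off-by-one-block bug in `aead_decrypt_buggy` are constructed for illustration only.

```python
import hashlib
import hmac

TAG_LEN = 16
BLOCK = 32  # SHA-256 digest size, the toy keystream block


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||nonce||counter. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Tag is computed over the CIPHERTEXT (encrypt-then-MAC): it proves the
    # bytes on the wire are intact, nothing more.
    return hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def aead_encrypt(key: bytes, nonce: bytes, pt: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = key[:16], key[16:]
    ks = _keystream(enc_key, nonce, len(pt))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return ct + _tag(mac_key, nonce, aad, ct)


def aead_decrypt_correct(key: bytes, nonce: bytes, data: bytes, aad: bytes = b"") -> bytes:
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    enc_key, mac_key = key[:16], key[16:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        raise ValueError("tag mismatch")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def aead_decrypt_buggy(key: bytes, nonce: bytes, data: bytes, aad: bytes = b"") -> bytes:
    """Constructed bug: tag check is fine, but the keystream starts one block late.
    The tag still verifies, and the caller gets silently corrupted plaintext."""
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    enc_key, mac_key = key[:16], key[16:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        raise ValueError("tag mismatch")
    ks = _keystream(enc_key, nonce, len(ct) + BLOCK)[BLOCK:]  # off by one block
    return bytes(c ^ k for c, k in zip(ct, ks))


def decrypt_self_test(decrypt_fn) -> bool:
    """Round-trip self-test a library would run at startup: encrypt a fixed
    message, decrypt it with the candidate decryptor, compare. This is the
    check that catches the bug above; the tag alone never will."""
    key = bytes(range(32))                 # constructed fixed test key
    nonce = b"\x00" * 12                   # constructed fixed test nonce
    msg = b"self-test vector: 40 bytes of plaintext!"
    try:
        return decrypt_fn(key, nonce, aead_encrypt(key, nonce, msg)) == msg
    except ValueError:
        return False


def demo() -> dict:
    key = bytes(range(100, 132))           # constructed sample key
    nonce = b"\x01" * 12                   # constructed sample nonce
    pt = b"hello, TLS record layer"
    blob = aead_encrypt(key, nonce, pt)
    tampered = bytes([blob[0] ^ 0x01]) + blob[1:]  # flip one ciphertext bit

    def raises(fn, data):
        try:
            fn(key, nonce, data)
            return False
        except ValueError:
            return True

    return {
        "correct_roundtrip": aead_decrypt_correct(key, nonce, blob) == pt,
        "buggy_verifies_tag": not raises(aead_decrypt_buggy, blob),
        "buggy_plaintext_ok": aead_decrypt_buggy(key, nonce, blob) == pt,
        "tamper_caught_correct": raises(aead_decrypt_correct, tampered),
        "tamper_caught_buggy": raises(aead_decrypt_buggy, tampered),
        "selftest_correct": decrypt_self_test(aead_decrypt_correct),
        "selftest_buggy": decrypt_self_test(aead_decrypt_buggy),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the buggy decryptor rejects a tampered record just as reliably as the correct one: the tag is doing exactly what it is specified to do. What it cannot do is vouch for the decryptor's own output, which is why a round-trip or known-answer self-test belongs next to the tag check in any AEAD implementation.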