On Wednesday, March 16, 2016 08:36:05 am Peter Gutmann wrote:
> After a number of, uh, gentle reminders from people who have been waiting for
> this, I've finally got around to posting the TLS-LTS draft I mentioned a while
> back. It's now available as:
>
> http://www.ietf.org/id/draft-gutmann-tls-lts-00.txt
Allowing CBC+encrypt-then-MAC seems like a messy route when AEAD is already available and deployed more widely. If you want to permit it, please make it optional and only have AEAD ciphers as MTI.

Also, you should add a recommendation/requirement of ChaChaPoly support in there so that there will be a backup in the long term in the event of the need to panic disable AES under TLS 1.2 for some unforeseen reason. This is aiming to be an LTS, after all.

The big glaring problem, however, in multiple places, is the statements that something is "implicit in TLS-LTS, there is no need to signal it" via its designated extension. No! These features MUST be implemented in full, according to their specifications, such that they will work fully with servers that support them but not this new LTS proposal. Skimping on this just makes this messy situation even messier, which is the opposite of what you're trying to do here.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
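The signalling point made in the reply above, as an added illustration that is not part of the post, the TLS-LTS draft, or any IETF code: a minimal encoder/decoder for the ClientHello extensions block (RFC 5246 wire format) plus a check that each required feature is negotiated by its own registered extension. The codepoints for encrypt_then_mac (22, RFC 7366) and extended_master_secret (23, RFC 7627) are the IANA-assigned values; `LTS_EXTENSION_TYPE` is a placeholder codepoint chosen for the example, not the draft's real one, and the two sample hellos are constructed, not captured traffic.

```python
"""Explicit TLS extension signalling: parse a ClientHello extensions block
and verify that required features are negotiated by their own extensions.

Added illustration, not code from the TLS-LTS draft or from the IETF.
encrypt_then_mac (22) and extended_master_secret (23) are IANA-registered;
LTS_EXTENSION_TYPE is a placeholder codepoint for this example only.
"""
import struct

ENCRYPT_THEN_MAC = 22        # RFC 7366
EXTENDED_MASTER_SECRET = 23  # RFC 7627
LTS_EXTENSION_TYPE = 0xFFAA  # placeholder, not the draft's real codepoint

# Extensions a peer must signal explicitly so that a server which knows
# nothing about LTS still negotiates them per their own RFCs.
REQUIRED_EXTENSIONS = {
    ENCRYPT_THEN_MAC: "encrypt_then_mac",
    EXTENDED_MASTER_SECRET: "extended_master_secret",
}


def encode_extensions(exts):
    """Build an extensions block: uint16 total length, then a sequence of
    uint16 type, uint16 length, opaque data (RFC 5246 section 7.4.1.4)."""
    body = b"".join(struct.pack("!HH", ext_type, len(data)) + data
                    for ext_type, data in exts)
    return struct.pack("!H", len(body)) + body


def decode_extensions(block):
    """Parse an extensions block back into a list of (type, data) tuples.
    Raises ValueError on a truncated or over-long block."""
    if len(block) < 2:
        raise ValueError("extensions block shorter than its length field")
    (total,) = struct.unpack("!H", block[:2])
    if len(block) != 2 + total:
        raise ValueError("extensions length field does not match block size")
    exts, pos = [], 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", block[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(block):
            raise ValueError("truncated extension data")
        exts.append((ext_type, block[pos:pos + ext_len]))
        pos += ext_len
    return exts


def missing_required(block):
    """Return the names of required extensions the peer did not signal.
    The LTS extension, even when present, is deliberately never treated as
    an implicit signal for any of them."""
    present = {ext_type for ext_type, _ in decode_extensions(block)}
    return sorted(name for ext_type, name in REQUIRED_EXTENSIONS.items()
                  if ext_type not in present)


# Constructed sample extension blocks (not captured traffic).
# A peer relying on the LTS extension alone:
IMPLICIT_ONLY = encode_extensions([(LTS_EXTENSION_TYPE, b"")])
# A peer that also signals each feature explicitly:
EXPLICIT = encode_extensions([(LTS_EXTENSION_TYPE, b""),
                              (ENCRYPT_THEN_MAC, b""),
                              (EXTENDED_MASTER_SECRET, b"")])

if __name__ == "__main__":
    print("implicit only, missing:", missing_required(IMPLICIT_ONLY))
    print("explicit, missing:", missing_required(EXPLICIT))
```

Run against `IMPLICIT_ONLY` the check reports both features as missing, which is exactly what a server that implements RFC 7366 and RFC 7627 but has never heard of the LTS extension would conclude; `EXPLICIT` negotiates cleanly with both kinds of server.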