On 5/24/16, 12:13 PM, "Martin Thomson" <martin.thom...@gmail.com> wrote:
>On 24 May 2016 at 08:20, Dang, Quynh (Fed) <quynh.d...@nist.gov> wrote:
>> 1. For this text: "plus the length of the output of the signing algorithm.
>> " in the last paragraph of Section 4.8.1, did you mean "plus the output of
>> the signing algorithm." ?
>
>The text is correct. It is talking about the length of the structure,
>not its contents.
>
>> 2. "The length (in bytes) of the following TLSCiphertext.fragment. The
>> length MUST NOT exceed 2^14 + 256. An endpoint that receives a record that
>> exceeds this length MUST generate a fatal "record_overflow" alert. " . There
>> could be a cipher that generates ciphertext longer than plaintext in some
>> cases plus the tag. If the tag was 256 bits, then this requirement would
>> disallow that cipher unnecessarily when a record size is 2^14.
>
>The value 256 is octets, not bits. If you are aware of a need for an
>authentication tag longer than 256 octets, now would be a great time
>to tell all of us.

My misreading of the text. Thanks.

>
>> 3. "The padded sequence number is XORed with the static client_write_iv or
>> server_write_iv, depending on the role." I think the ivs are not needed.
>
>We discussed this at quite some length. I originally took your
>position, but the IVs add an extra layer of safety at very little
>cost.

I don't see any extra layer here.
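
The two record-layer rules quoted in this thread (the 2^14 + 256 octet bound and the per-record nonce), as an added example that is not part of the original messages or of the TLS draft. The function names, the 12-byte sample IVs and the big-endian zero left-padding (as in the published TLS 1.3 specification) are assumptions of this sketch.

```python
from typing import Optional

MAX_CIPHERTEXT_LEN = 2**14 + 256  # octets (not bits), per the text quoted in the thread
SEQ_BYTES = 8                     # TLS record sequence numbers are 64-bit


def per_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """XOR the zero-left-padded sequence number with the static write IV."""
    if len(write_iv) < SEQ_BYTES:
        raise ValueError("IV must be at least as long as the sequence number")
    if not 0 <= seq < 2 ** (8 * SEQ_BYTES):
        raise ValueError("sequence number out of range")
    padded = seq.to_bytes(len(write_iv), "big")  # assumption: big-endian, left-padded
    return bytes(p ^ v for p, v in zip(padded, write_iv))


def alert_for_length(length: int) -> Optional[str]:
    """Alert a receiver must send for a TLSCiphertext.length value, else None."""
    return "record_overflow" if length > MAX_CIPHERTEXT_LEN else None


def compare_connections(iv_a: bytes, iv_b: bytes, records: int) -> dict:
    """Count nonce values shared by two connections, with and without the IV XOR."""
    zero = bytes(len(iv_a))
    with_iv_a = {per_record_nonce(iv_a, n) for n in range(records)}
    with_iv_b = {per_record_nonce(iv_b, n) for n in range(records)}
    bare = {per_record_nonce(zero, n) for n in range(records)}
    return {
        "unique_within_connection": len(with_iv_a) == records,
        "shared_with_iv": len(with_iv_a & with_iv_b),
        "shared_without_iv": len(bare),  # bare counter: every connection repeats these
    }


# Constructed sample IVs (12 bytes, an assumed AEAD nonce length); real ones
# come out of the key schedule.
IV_A = bytes.fromhex("000102030405060708090a0b")
IV_B = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafb")

if __name__ == "__main__":
    print(per_record_nonce(IV_A, 1).hex())
    print(compare_connections(IV_A, IV_B, 1000))
    print(alert_for_length(2**14 + 256), alert_for_length(2**14 + 257))
```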