Hi Ilari,
You were right, for testing, a smaller number should be used.

Quynh.

________________________________
From: ilariliusva...@welho.com <ilariliusva...@welho.com> on behalf of Ilari Liusvaara <ilariliusva...@welho.com>
Sent: Monday, November 21, 2016 3:42 PM
To: Dang, Quynh (Fed)
Cc: Martin Thomson; tls@ietf.org; c...@ietf.org
Subject: Re: [TLS] [Cfrg] Data limit to achieve Indifferentiability for ciphertext with TLS 1.3 GCM, and the 2nd paragraph of Section 5.5

On Mon, Nov 14, 2016 at 02:54:23AM +0000, Dang, Quynh (Fed) wrote:
>
> Rekeying too often than needed would just create more room for
> issues for the connection/session without gaining any additional
> practical security at all.

With regards to rekeying frequency I'm concerned about testability,
have it to be too rare and it is pretty much as good as nonexistent.

This is the reason why I set the rekey limit to 2M(!) records in
btls (with first rekey at 1k(!) records). These limits have absolutely
nothing to do with any sort of cryptographic reasoning[1][2].

[1] If they did, then Chacha rekey limit would be when RSN exhaustion
is imminent (since RSNs can't wrap, but can be reset).

[2] The 2M limit is chosen so that it is reached in ~1minute in
fast transfer tests.

-Ilari
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls