Just one comment.

On 23/04/2020, 00:54, "Martin Thomson" <m...@lowentropy.net> wrote:
> But Hanno's proposal is a terrible thing to have to implement. You
> have to assume that there is some way to recover which CID to use in
> decrypting any record. You might save some datagram-local state, but
> that's awkward. Stacks that I've worked on try very hard not to have
> state transmission between records for good reasons. So this would be
> a fairly bad complication.

The cost of keeping per-datagram state on the receiving end seems very low to me. And that would be the only cost overall, because on the sending side there's none. And this is in contrast to the higher sender complexity in the current draft. Also, once you start keeping per-datagram state, you might as well stash as much as possible in it and for example compress sequence numbers as well as just the CID. So, if that is the only blocker WRT Hanno's proposal, I'd be happy to trade that off for the nice properties it comes with.

> Separately, I hope that no one would be contemplating trial decryption
> for this, which would be terrible.

Surely not.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls