On 18/05/2020, 01:47, "Martin Thomson" <m...@lowentropy.net> wrote:
> The question is whether it is clear that these limits apply to the use
> of AEADs in TLS more generally. I think that is clear enough, but I
> doubt that people will pay any mind unless they are implementing TLS
> 1.3.

Yes, that's exactly my original point. I'd like to maximise the chance that the message doesn't get ignored: we have 1.2 deployments around that are not likely to be forklifted to 1.3 soon and will have to make them aware of the risk nonetheless.

> The problem with TLS 1.2 is that there is no option for key updates,
> unless you count renegotiation, which is often disabled. When I added
> limits to NSS, all I could reliably do was make the connection
> terminate if the limit was hit (which is why the limits used are
> larger than advised in the spec).

Sure, protocol version as well as stack specific reactions will differ. I guess my question is whether, to maximise coverage/visibility, it makes sense to state the general problem together with version specific behaviours in a separate doc?