On Fri, May 22, 2020, at 01:58, Christopher Wood wrote:
> PR #148

I think that this is the right solution to this problem.

> *One proposal to address this is by extending the AAD to include the
> pseudo-header. However, the chairs feel this is an unnecessary
> divergence from QUIC.

I'm not sure that we need to concern ourselves with avoiding divergence. I would instead point to the advantages of only authenticating what is on the wire: with multiple records in a datagram, having to prepend to the AAD means a performance hit of some kind. Either because you need to pass AAD in two chunks (one for the extra bit, one for the on-the-wire header), which is not commonly supported in APIs, or you need to move or copy stuff around to create a single contiguous AAD. The result is a small amount of complexity.

I can probably make a case for not including connection ID in the AAD entirely on the basis of it being analogous to IP or port, but unless that was formally verified, I wouldn't want to rely on that.

So #148 WFM. The number of cases where a connection ID can be omitted is vanishingly small anyway.