On Sat, Sep 12, 2020, at 21:55, Karthik Bhargavan wrote: > > Any big issue keeping N=8 > > Regarding the length of N, I gather that the trade-off is that if it is > too short, the probability of collisions between the signal and > randomly generated server randoms becomes significant, > and so does the probability of an active MitM forging the signal. Is > there some other concern? > 8 bytes seems fine for these considerations. Is the idea that we would > reuse the downgrade sentinel? If they collide, you could test with trial decryption, but 8 bytes seems like it might be enough that you might choose not to bother. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] TLS ECH, ho... Salz, Rich
- Re: [TLS] TLS ECH... Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] TLS ECH, how much can th... Eric Rescorla
- Re: [TLS] TLS ECH, how much ca... Mike Bishop
- Re: [TLS] TLS ECH, how muc... Eric Rescorla
- Re: [TLS] TLS ECH, ho... Martin Thomson
- Re: [TLS] TLS ECH, how much can the hint st... Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can the hi... Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can th... Christian Huitema
- Re: [TLS] TLS ECH, how much ca... Karthik Bhargavan
- Re: [TLS] TLS ECH, how muc... Martin Thomson
- Re: [TLS] TLS ECH, how much can the hi... Karthik Bhargavan
- Re: [TLS] TLS ECH, how much can th... Christian Huitema
- Re: [TLS] TLS ECH, how much can th... Christopher Patton
- Re: [TLS] TLS ECH, how much ca... Eric Rescorla
- Re: [TLS] TLS ECH, how much can th... Salz, Rich
