Hi, I fully support the statements "TLS_AES_128_CCM_8_SHA256 is not suitable for general use" and "MUST NOT be used without additional safeguards". CCM_8 has no place in general non-constrained DTLS usage.
I do not, however, understand the logic behind the following classifications that have been done in recent TLS WG documents:

  CCM_8                      MUST NOT be used without additional safeguards
  Group key authentication   NOT RECOMMENDED
  psk_ke                     RECOMMENDED

Of these three I would say that CCM_8 is by far the least worrisome security problem. Even in systems with 32-bit tags, the tag length is likely very far down on the list of most severe practical security problems. Non-PFS key exchange and symmetrical group keys, on the other hand, are very real practical security problems that are exploited daily.

Cheers,
John

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
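The "non-PFS key exchange" point in the message above, as an added illustration that is not part of John's post or of any TLS WG document: a toy model of the TLS 1.3 key schedule in psk_ke mode versus psk_dhe_ke mode, run against a record-now-decrypt-later attacker who captures the handshake and the traffic and later obtains the PSK. The key schedule is simplified (a single-block HKDF-Expand, a sketch of the Derive-Secret step, a SHA-256 keystream instead of AEAD), the DH group is a deliberately small toy group, and the function names, the constructed plaintext and the attacker model are all assumptions made for this example. What the code preserves from RFC 8446 is the structural point: in psk_ke the (EC)DHE input to the handshake secret is a string of zeros, so the PSK plus the public transcript is everything an attacker needs.

```python
"""
Toy model (example code, not from the TLS WG or any TLS implementation) of
TLS 1.3 psk_ke vs psk_dhe_ke against a record-now-decrypt-later attacker.
"""
import hashlib
import hmac
import secrets

# Toy DH group for illustration only: the Mersenne prime 2^127-1 and
# generator 3. Real deployments use X25519 or the RFC 7919 FFDHE groups.
P = (1 << 127) - 1
G = 3
ZERO_IKM = b"\x00" * 32  # RFC 8446 7.1: IKM is zeros when there is no (EC)DHE


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_label(prk: bytes, label: bytes) -> bytes:
    # Simplified single-block HKDF-Expand-Label (assumption: 32-byte output).
    return hmac.new(prk, b"tls13 " + label + b"\x01", hashlib.sha256).digest()


def derive_traffic_key(psk: bytes, dhe_ikm: bytes) -> bytes:
    """Sketch of the RFC 8446 key schedule: Early -> Handshake -> traffic key."""
    early_secret = hkdf_extract(b"\x00" * 32, psk)
    derived = hkdf_expand_label(early_secret, b"derived")
    handshake_secret = hkdf_extract(derived, dhe_ikm)
    return hkdf_expand_label(handshake_secret, b"traffic")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (not AEAD): XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_handshake(psk: bytes, mode: str, plaintext: bytes) -> dict:
    """Client and server run one session; return only what a passive
    eavesdropper can record. Ephemeral secrets are dropped on return."""
    transcript = {"mode": mode}
    if mode == "psk_ke":
        dhe_ikm = ZERO_IKM
    elif mode == "psk_dhe_ke":
        x = secrets.randbelow(P - 2) + 1  # client ephemeral, never leaves host
        y = secrets.randbelow(P - 2) + 1  # server ephemeral, never leaves host
        transcript["client_share"] = pow(G, x, P)
        transcript["server_share"] = pow(G, y, P)
        shared = pow(transcript["server_share"], x, P)  # == g^(xy) on both sides
        dhe_ikm = shared.to_bytes(16, "big")
    else:
        raise ValueError(mode)
    key = derive_traffic_key(psk, dhe_ikm)
    transcript["ciphertext"] = keystream_xor(key, plaintext)
    return transcript


def attacker_recover(transcript: dict, leaked_psk: bytes) -> bytes:
    """The attacker recorded the transcript earlier and has now obtained the
    PSK (stolen, leaked, or compelled). They replay the key schedule with
    everything they hold."""
    if transcript["mode"] == "psk_ke":
        dhe_ikm = ZERO_IKM  # nothing else went into the handshake secret
    else:
        # Only g^x and g^y are on the wire; x and y were erased. Without
        # solving CDH the attacker has no correct IKM, so the best they can
        # do is plug in a guess, which yields garbage.
        dhe_ikm = ZERO_IKM
    key = derive_traffic_key(leaked_psk, dhe_ikm)
    return keystream_xor(key, transcript["ciphertext"])


def demo() -> dict:
    """Returns, per mode, whether a later PSK compromise exposes old traffic."""
    psk = secrets.token_bytes(32)
    plaintext = b"constructed sample record: GET /secret HTTP/1.1"  # made up
    results = {}
    for mode in ("psk_ke", "psk_dhe_ke"):
        captured = run_handshake(psk, mode, plaintext)
        results[mode] = attacker_recover(captured, psk) == plaintext
    return results


if __name__ == "__main__":
    for mode, exposed in demo().items():
        print(f"{mode:12s} old traffic exposed after PSK compromise: {exposed}")
```

The same asymmetry is why a leaked external PSK is a full retroactive compromise of every psk_ke session it ever protected, while with psk_dhe_ke the leak only matters for future sessions (and for active impersonation), which is the practical gap the message is pointing at.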