On Wed, Oct 6, 2021, at 12:58, Eric Rescorla wrote:
> This isn't dispositive, but note that TLS 1.3 doesn't include the epoch
> in its nonce at all.

That strengthens the gut instinct some, as does the fact that QUIC doesn't either. But neither of those protocols is exactly the same as DTLS. DTLS doesn't place a hard end on any given epoch. TLS does. QUIC's continuous packet number space creates a hard limit, even if that limit isn't a single value. That suggests that some analysis would be helpful. I'm less concerned about analysis than I am about getting the specification bit right.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls