On Sun, Jun 19, 2022 at 08:38:26PM +0300, Ilari Liusvaara wrote: > > Of course both EMS and EtM MUST be a MUST. > > I think EtM is only MUST if blockmode (CBC) cipher is supported. And > clients SHOULD NOT send EtM if not sending any blockmode cipher suites > (as it is not possible to successfully negotiate EtM).
Though, sure, the server will not be able to reciprocate EtM given: https://datatracker.ietf.org/doc/html/rfc7366#section-3 Note from the GenericBlockCipher annotation that this only applies to standard block ciphers that have distinct encrypt and MAC operations. It does not apply to GenericStreamCiphers or to GenericAEADCiphers that already include integrity protection with the cipher. If a server receives an encrypt-then-MAC request extension from a client and then selects a stream or Authenticated Encryption with Associated Data (AEAD) ciphersuite, it MUST NOT send an encrypt-then-MAC response extension back to the client. and yet perhaps the client should still be free to send a "futile" EtM, even when it offers no "standard block ciphers". Sure it should no longer be obligated to do so. Such freedom potentially simplifies implementations that won't need client-side logic to conditionally elide EtM. Is there a compelling reason for "SHOULD NOT", rather than "MAY"? -- Viktor. _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
