On Tue, Mar 31, 2015 at 7:01 AM, Eric Rescorla <[email protected]> wrote:

>
>
> On Mon, Mar 30, 2015 at 7:38 PM, Tim Shepard <[email protected]> wrote:
>
>>
>> > > It seems to me you have a choice of what sort of TLV encoding to use
>> > > at this point.   Is there any good reason not to use the same sort of
>> > > TLV scheme that TLS uses today, so that at least as far as the TLV
>> > > framing protocol the two proposals would be the same?
>> >
>> > As far as I understand, TLS MACs then encrypts the data.  (Apologies if
>> > I've misread RFC5246.)  The best current practice is to encrypt then MAC
>> > the ciphertext.  Since there's no need to be compatible, we might as
>> > well use the best practices as of 2015.  See, e.g.:
>> > http://cseweb.ucsd.edu/~mihir/papers/oem.pdf
>>
>>
>> Well, ekr did say that TLS would be profiled for use in tcpinc.  So
>> presumably rfc7366 would be in the profile of TLS for tcpinc.
>
>
> Either that or (my preference) specify an AEAD (combined encryption
> and integrity) algorithm such as AES-GCM or ChaCha/Poly1305.
> It's always hard to read community consensus, but my sense is that
> AEAD represents the current best practice.
>

I should have mentioned, TLS 1.2 already supports AEAD algorithms and
they're the only constructions which will be allowed in TLS 1.3.

-Ekr
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
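
Added example, not part of the original message and not taken from any tcpinc or TLS specification: the AEAD option discussed in this thread, applied to one TLV-style record in Go with AES-GCM, so that the type/length header is authenticated as associated data under the same tag as the ciphertext. The 3-byte header layout, the function names and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const hdrLen, nonceLen, tagLen = 3, 12, 16 // constructed layout: type(1) | length(2) | nonce | ciphertext+tag

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-GCM: 12-byte nonce, 16-byte tag
}

// sealRecord encrypts payload; the 3-byte header is authenticated as associated data.
func sealRecord(aead cipher.AEAD, typ byte, payload []byte) ([]byte, error) {
	if len(payload) > 0xffff-nonceLen-tagLen {
		return nil, fmt.Errorf("payload too large for 16-bit length")
	}
	rec := make([]byte, hdrLen+nonceLen, hdrLen+nonceLen+len(payload)+tagLen)
	rec[0] = typ
	binary.BigEndian.PutUint16(rec[1:], uint16(nonceLen+len(payload)+tagLen))
	if _, err := rand.Read(rec[hdrLen:]); err != nil { // fresh random nonce per record
		return nil, err
	}
	return aead.Seal(rec, rec[hdrLen:], payload, rec[:hdrLen]), nil
}

// openRecord rejects bad framing, then verifies header and body with one tag check.
func openRecord(aead cipher.AEAD, rec []byte) ([]byte, error) {
	if len(rec) < hdrLen+nonceLen+tagLen || int(binary.BigEndian.Uint16(rec[1:])) != len(rec)-hdrLen {
		return nil, fmt.Errorf("malformed record")
	}
	return aead.Open(nil, rec[hdrLen:hdrLen+nonceLen], rec[hdrLen+nonceLen:], rec[:hdrLen])
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // all-zero key, constructed for this demo only
	rec, _ := sealRecord(aead, 0x17, []byte("hello tcpinc"))
	rec[0] ^= 1 // one header bit flipped in transit
	_, err := openRecord(aead, rec)
	fmt.Println("tampered header rejected:", err != nil)
}
```

A single flipped bit anywhere in the record (type, length, nonce, ciphertext or tag) makes `openRecord` return an error and no plaintext.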
