On 4 August 2015 at 10:24, Wan-Teh Chang <[email protected]> wrote:
> The consistency you want to see seems to be
> consistency with the AES GCM cipher suites, rather than with TLS 1.2.
Yes, this is correct.
RFC 5288:

   struct {
      opaque salt[4];
      opaque nonce_explicit[8];
   } GCMNonce;

RFC 6655:

   struct {
      opaque salt[4];
      opaque nonce_explicit[8];
   } CCMNonce;

Interestingly, RFC 6655 removes the explicit nonce for DTLS, but DTLS
only (if I'm reading it correctly).
Either way, I think that we should attempt to be consistent with
these. Which suggests that perhaps we can adopt a zero-length
explicit nonce and borrow the 6655 DTLS construction.
As for the wasted bytes, I don't care for that. We will fix that later.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
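
Added example, not part of the original message or of either RFC: a sketch of the 12-byte salt[4] || nonce_explicit[8] nonce from the structs quoted above, framed once with the explicit part on the wire and once with a zero-length explicit nonce. All function names are hypothetical, the salt is a constructed sample, no encryption is performed (the ciphertext is a placeholder), and using the 64-bit record sequence number as the 8 nonce bytes is an assumption about how the zero-length variant would be realised.

```python
import struct

SALT_LEN, EXPLICIT_LEN = 4, 8   # field sizes from the GCMNonce/CCMNonce structs

def aead_nonce(salt: bytes, explicit: bytes) -> bytes:
    """12-byte AEAD nonce: salt[4] || nonce_explicit[8]."""
    if len(salt) != SALT_LEN or len(explicit) != EXPLICIT_LEN:
        raise ValueError("salt must be 4 bytes and nonce_explicit 8 bytes")
    return salt + explicit

def seq_bytes(seq: int) -> bytes:
    """64-bit big-endian record sequence number (assumed nonce source)."""
    if not 0 <= seq < 2**64:
        raise ValueError("sequence number out of range; a wrap would reuse a nonce")
    return struct.pack(">Q", seq)

def send_explicit(salt: bytes, seq: int, ciphertext: bytes):
    """Explicit form: nonce_explicit is sent in front of the ciphertext."""
    explicit = seq_bytes(seq)
    return aead_nonce(salt, explicit), explicit + ciphertext

def recv_explicit(salt: bytes, fragment: bytes):
    """Receiver reads the 8 nonce bytes off the wire, as the peer sent them."""
    if len(fragment) < EXPLICIT_LEN:
        raise ValueError("fragment shorter than nonce_explicit")
    return aead_nonce(salt, fragment[:EXPLICIT_LEN]), fragment[EXPLICIT_LEN:]

def send_implicit(salt: bytes, seq: int, ciphertext: bytes):
    """Zero-length explicit nonce: nothing extra is put on the wire."""
    return aead_nonce(salt, seq_bytes(seq)), ciphertext

def recv_implicit(salt: bytes, seq: int, fragment: bytes):
    """Receiver rebuilds the nonce from its own record counter."""
    return aead_nonce(salt, seq_bytes(seq)), fragment

def demo():
    salt = bytes.fromhex("a1b2c3d4")   # constructed sample salt
    ct = b"\x00" * 32                  # placeholder for ciphertext plus tag
    n1, wire1 = send_explicit(salt, 5, ct)
    n2, wire2 = send_implicit(salt, 5, ct)
    assert recv_explicit(salt, wire1) == (n1, ct)
    assert recv_implicit(salt, 5, wire2) == (n2, ct)
    # Same nonce either way; the explicit form costs 8 bytes per record.
    return n1 == n2, len(wire1) - len(wire2)

if __name__ == "__main__":
    print(demo())
```

In the implicit form a receiver whose counter disagrees with the sender derives a different nonce, so the AEAD tag check would fail rather than a peer-chosen nonce being accepted.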