On Tue, 15 Dec 2015 13:14:30 -0800 Eric Rescorla <[email protected]> wrote:
> Watson kindly prepared some text that described the limits on what's
> safe for AES-GCM and restricting all algorithms with TLS 1.3 to that
> lower limit (2^{36} bytes), even though ChaCha doesn't have the same
> restriction.
>
> I wanted to get people's opinions on whether that's actually what we
> want or whether we should (as is my instinct) allow people to use
> ChaCha for longer periods.
Let me state the opinion that is unlikely to get adopted: Isn't that a
good reason to reconsider whether GCM is a good mode in the first place?
How about: Let's use chacha20, let's not set any limits because we don't
have to, let's deprecate algorithms that can't keep up with that?
(I generally think that even though TLS 1.3 deprecates a lot of stuff, there is
still far too much variation. Let's keep things simpler, let's reduce
the algorithm zoo.)
--
Hanno Böck
http://hboeck.de/
mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
