On Sun, Dec 20, 2015 at 5:50 PM, Brian Smith <[email protected]> wrote:
> Eric Rescorla <[email protected]> wrote:
>
>> On Sun, Dec 20, 2015 at 5:13 PM, Brian Smith <[email protected]> wrote:
>>
>>> Adam Langley <[email protected]> wrote:
>>>
>>>> On Fri, Dec 18, 2015 at 1:43 PM, Brian Smith <[email protected]> wrote:
>>>> > That is, it seems it would be better to use HKDF-SHA512 instead of
>>>> > HKDF-SHA256.
>>>>
>>>> I assume that you mean for TLS 1.3 since you mention HKDF?
>>>
>>> No, I mean for all versions of TLS.
>>
>> Do you mean using SHA-512 in the TLS 1.2 PRF? Or something else?
>
> Yes, for TLS 1.2 and TLS 1.3.

Sorry, I'm still confused. TLS 1.2 uses a specific PRF. TLS 1.3 uses HKDF.
Are you suggesting TLS 1.2 use the TLS 1.2 PRF with SHA-512 and that TLS
1.2 use SHA-512 with HKDF, or something different?

>> The MTI cipher suites for TLS 1.2 and 1.3 require SHA-256 and
>> all the AES-GCM ciphers already require SHA-256 or SHA-384, so it
>> seems like the vast majority of implementations are going to require at
>> least one of these algorithms in any case.
>
> Nobody should pay attention to what the MTI cipher suite for TLS 1.2 is,
> because it's obsolete; in fact, one would be making a huge mistake to
> deploy it now if one's application didn't have legacy backward
> compatibility concerns. And, we should change the MTI cipher suite for TLS
> 1.3 to the ChaCha20-Poly1305 ones, because they solve a lot of problems.
> For example, they remove any question of any need to implement rekeying,
> they avoid the weird IV construction hacks that are necessary for 128-bit
> cipher suites like AES-GCM, and they can be implemented efficiently in a
> safe way, unlike AES-GCM.

This seems like a separate question. SHA-256-using cipher suites are widely
deployed and not going away any time soon, so what resource are you trying
to conserve here?

-Ekr
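The message above distinguishes two key-derivation constructions: the TLS 1.2 PRF (P_hash from RFC 5246) and HKDF (RFC 5869) as used by TLS 1.3. The following is an added example, not code from the thread or from any TLS implementation; it implements both constructions with the hash function as a parameter, so a reader can see exactly what "use SHA-512 in the TLS 1.2 PRF" or "HKDF-SHA512" changes (only the HMAC primitive and its digest length) and what it does not (the expansion logic, the requested output length). All secrets, labels and info strings are constructed sample values; the one real input is RFC 5869 test case 1, used here as a self-check of the HKDF code.

```python
import hashlib
import hmac


# ---------------------------------------------------------------------------
# TLS 1.2 PRF, RFC 5246 section 5:
#   PRF(secret, label, seed) = P_<hash>(secret, label + seed)
#   P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
#   A(0) = seed, A(i) = HMAC(secret, A(i-1))
# The hash is a parameter: the cipher suite (or, as proposed above, a
# different choice) decides whether this is SHA-256, SHA-384 or SHA-512.
# ---------------------------------------------------------------------------
def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()          # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(hash_name: str, secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(hash_name, secret, label + seed, length)


# ---------------------------------------------------------------------------
# HKDF, RFC 5869 (the TLS 1.3 building block).
#   PRK = HMAC(salt, IKM)
#   T(i) = HMAC(PRK, T(i-1) + info + byte(i)), OKM = T(1) + T(2) + ... truncated to L
# ---------------------------------------------------------------------------
def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    if not salt:  # RFC 5869: an absent salt is HashLen zero bytes
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        out += t
        counter += 1
    return out[:length]


def hkdf(hash_name: str, salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hash_name, hkdf_extract(hash_name, salt, ikm), info, length)


# ---------------------------------------------------------------------------
# Side-by-side derivation with the same (constructed) inputs under two hashes.
# Returns, per hash, the digest length, the TLS 1.2 PRF output and the HKDF
# output, so the effect of the hash choice is observable.
# ---------------------------------------------------------------------------
SAMPLE_SECRET = b"\x0b" * 32          # constructed sample premaster/IKM value
SAMPLE_LABEL = b"key expansion"       # RFC 5246 label text; seed below is constructed
SAMPLE_SEED = bytes(range(64))        # stand-in for server_random + client_random
SAMPLE_INFO = b"constructed info"     # constructed HKDF info string
KEY_BLOCK_LEN = 104                   # constructed length, spans several P_hash/T(i) blocks


def derive_with(hash_name: str) -> dict:
    return {
        "hash_len": hashlib.new(hash_name).digest_size,
        "tls12_key_block": tls12_prf(hash_name, SAMPLE_SECRET, SAMPLE_LABEL, SAMPLE_SEED, KEY_BLOCK_LEN),
        "hkdf_okm": hkdf(hash_name, SAMPLE_SEED[:16], SAMPLE_SECRET, SAMPLE_INFO, KEY_BLOCK_LEN),
    }


if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        r = derive_with(name)
        print(f"{name}: HashLen={r['hash_len']}  "
              f"tls12={r['tls12_key_block'][:8].hex()}...  hkdf={r['hkdf_okm'][:8].hex()}...")
```

Both derivations return KEY_BLOCK_LEN bytes whichever hash is chosen; SHA-512 merely halves the number of HMAC iterations needed (64-byte blocks instead of 32) and produces unrelated output bytes. That is the sense in which the hash is a swappable parameter rather than a structural change to either construction.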
