----- Original Message ----- > I'm not convinced about SHA-512, but yes, they probably should use > SHA-384 at the very least. And given that the algorithm for SHA-384 and > SHA-512 is essentially the same, using just different IVs, that should > be usable for highly restricted hardware, wouldn't it? > I would be against SHA-512 as that would be the very first cipher that > uses SHA-512 PRF in TLS1.2, making its addition/implementation much more > invasive to the underlying library, OTOH, we have multiple ciphers which > use SHA-384 PRF. I think I just need to remind the delay after which NSS > added support for SHA-384 compared to introduction to AES-128-GCM TLS > ciphers...
I agree. SHA384 also aligns it with the AES-256-GCM ciphers. I believe an implementation mixing chacha20 with AES is a much more common scenario than the one described by Brian. regards, Nikos _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
