> On 3 Apr 2016, at 8:44 AM, Martin Thomson <martin.thom...@gmail.com> wrote:
> 
> On 3 April 2016 at 18:18, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>> I think the reason why there's no rationale is because there's no rational
>> explanation for lumping TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 in with the likes
>> of TLS_RSA_EXPORT_WITH_RC4_40_MD5.
> 
> You evidently believe that a decision to move to AEAD only is
> irrational.  Others, myself included, do not.
> 

Agree. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 is fine if you also implement the 
EtM extension that nobody did. OTOH everybody implemented AES-GCM, so that’s 
better in the “yeah, we do that already” criterion. And as Dave McGrew’s draft 
showed us, you can fit CBC + HMAC into an AEAD in case you really, really like 
CBC and HMAC.

Yoav
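As an added illustration of the "CBC + HMAC inside an AEAD" point above (example code written for this page, not from the thread or from McGrew's draft): an encrypt-then-MAC composition of AES-128-CBC and HMAC-SHA-256 with an AEAD-shaped Seal/Open interface. The key split (16-byte MAC key || 16-byte AES key), the 128-bit tag truncation and the MAC input layout (ad || IV || ciphertext) are this example's own simplifications, not the draft's exact encoding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

func tag(macKey, iv, ct, ad []byte) []byte {
	m := hmac.New(sha256.New, macKey) // MAC over ad || iv || ct (constructed layout)
	for _, part := range [][]byte{ad, iv, ct} {
		m.Write(part)
	}
	return m.Sum(nil)[:16] // truncate to a 128-bit tag
}

// Seal: key is 16-byte MAC key || 16-byte AES key; returns ciphertext || tag (encrypt-then-MAC).
func Seal(key, iv, pt, ad []byte) ([]byte, error) {
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("need a 32-byte key and a 16-byte IV")
	}
	block, _ := aes.NewCipher(key[16:])          // 16-byte key, cannot fail
	pad := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7, always >= 1 byte
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	return append(buf, tag(key[:16], iv, buf, ad)...), nil
}

// Open checks the tag, in constant time, before it decrypts or looks at the
// padding: that ordering is what keeps CBC padding oracles out of reach.
func Open(key, iv, sealed, ad []byte) ([]byte, error) {
	n := len(sealed) - 16
	if len(key) != 32 || len(iv) != aes.BlockSize || n < aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("malformed input")
	}
	if subtle.ConstantTimeCompare(sealed[n:], tag(key[:16], iv, sealed[:n], ad)) != 1 {
		return nil, errors.New("authentication failed")
	}
	block, _ := aes.NewCipher(key[16:])
	buf := make([]byte, n)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(buf, sealed[:n])
	if pad := int(buf[n-1]); pad >= 1 && pad <= aes.BlockSize {
		return buf[:n-pad], nil
	}
	return nil, errors.New("bad padding")
}
```

A production version would wrap these behind Go's cipher.AEAD interface and derive the IV per record rather than taking it as a parameter.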

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
