Thanks to some good work from Felix Günther, Marc Fischlin, Christian Janson, and Kenny Paterson we now have a new result to share about the integrity limits in QUIC.
There is a long write-up in https://github.com/quicwg/base-drafts/issues/3619, the conclusion of which is that endpoints need to count the number of failed decryptions and stop using keys once a certain limit is reached. Key updates can be used to avoid this.

The same concern applies to DTLS. I believe that the same solution - or at least a similar solution - is therefore necessary for DTLS.

I know that we're past WGLC, but this is an important result regarding a key distinction between TLS and DTLS.
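The counting rule described in the message above, as an added sketch that is not part of the original post or of any QUIC or DTLS implementation: a receive key that counts failed authentications, signals for a key update at a soft threshold, and refuses further use at the hard limit. The class and method names, the threshold values, and the truncated HMAC used as a stand-in for the AEAD tag are all assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16


class IntegrityLimitReached(Exception):
    """The current receive key has seen too many failed authentications."""


class ReceiveKey:
    """Hypothetical receive-side key state with a per-key failure counter."""

    def __init__(self, secret, limit, update_at):
        self.secret = secret        # current traffic secret (constructed)
        self.limit = limit          # hard limit: stop using the key
        self.update_at = update_at  # soft threshold: ask for a key update
        self.failed = 0
        self.epoch = 0

    def _tag(self, payload):
        # Stand-in for the AEAD tag: truncated HMAC-SHA256, integrity only.
        return hmac.new(self.secret, payload, hashlib.sha256).digest()[:TAG_LEN]

    def protect(self, payload):
        return payload + self._tag(payload)

    def open(self, record):
        """Return (payload, wants_key_update); payload is None on failure."""
        if self.failed >= self.limit:
            raise IntegrityLimitReached("key retired at epoch %d" % self.epoch)
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if hmac.compare_digest(tag, self._tag(payload)):
            return payload, self.failed >= self.update_at
        # A datagram transport drops the bad record and carries on, so the
        # only lasting effect of a forgery attempt is this counter.
        self.failed += 1
        return None, self.failed >= self.update_at

    def key_update(self):
        # Assumed derivation: next secret from the old one; the count restarts.
        self.secret = hashlib.sha256(b"update" + self.secret).digest()
        self.failed = 0
        self.epoch += 1
```

The counter matters for datagram transports because a failed record is discarded and the association continues, whereas TLS over a reliable stream ends the connection on the first failed record.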
