On Fri, May 1, 2020, at 14:51, Martin Thomson wrote:
> Thanks to some good work from Felix Günther, Marc Fischlin, Christian
> Janson, and Kenny Paterson we now have a new result to share about the
> integrity limits in QUIC.
>
> There is a long write-up in
> https://github.com/quicwg/base-drafts/issues/3619, the conclusion of
> which is that endpoints need to count the number of failed decryptions
> and stop using keys once a certain limit is reached. Key updates can
> be used to avoid this.
>
> The same concern applies to DTLS. I believe that the same solution -
> or at least a similar solution - is therefore necessary for DTLS.
>
> I know that we're past WGLC, but this is an important result regarding
> a key distinction between TLS and DTLS.
News here is that we resolved some issues with AEAD_AES_128_CCM. For TLS, we need to resolve what to do with AEAD_AES_128_CCM_8.

For those who don't want to read a long issue, the number of forgery attempts permitted has to be less than 2^6 to keep the same bounds as other ciphers. That's not very useful.

TLS_AES_128_CCM_8_SHA256 is already a non-recommended cipher, so we're good there. But it might still be good to have some parameters for it, even if it is guarded with some warning labels about differences in security margins.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
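The mechanism the quoted message describes (count failed decryptions per key, stop using the key once a limit is reached, recover via key update), as an added worked example that is not part of the original thread and is not QUIC, TLS or DTLS implementation code. The AEAD is a toy encrypt-then-MAC construction (SHA-256 keystream plus a truncated HMAC-SHA256 tag) standing in for AES-GCM/CCM; `tag_len=8` mirrors the 8-byte tag of AEAD_AES_128_CCM_8, and the default limit of 2^6 is the figure quoted in the message for that cipher. The key schedule, the sample key, nonce and header, and the choice to give each key generation a fresh counter after a key update are all assumptions made for this example.

```python
"""Receiver-side AEAD integrity-limit enforcement (illustrative, not spec code)."""
import hashlib
import hmac


class IntegrityLimitExceeded(Exception):
    """A key was used after its forgery budget was spent."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode (assumption, stands in for AES).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag_len: int) -> bytes:
    # Tag over nonce, associated data and ciphertext, truncated to tag_len bytes.
    return hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:tag_len]


def seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes, tag_len: int) -> bytes:
    """Sender side: returns ciphertext || tag."""
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + _tag(key, nonce, aad, ct, tag_len)


class ReceiverKey:
    """One key generation on the receiver, together with its forgery counter."""

    def __init__(self, key: bytes, tag_len: int, forgery_limit: int, generation: int = 0):
        self.key = key
        self.tag_len = tag_len
        self.forgery_limit = forgery_limit
        self.generation = generation
        self.failed_decryptions = 0
        self.retired = False

    def open(self, nonce: bytes, aad: bytes, packet: bytes):
        """Plaintext on success, None on a failed decryption; raises once the key
        has been retired because the forgery limit was reached."""
        if self.retired:
            raise IntegrityLimitExceeded(
                f"key generation {self.generation} hit its forgery limit; key update required")
        if len(packet) < self.tag_len:
            return self._fail()
        ct, tag = packet[:-self.tag_len], packet[-self.tag_len:]
        if not hmac.compare_digest(tag, _tag(self.key, nonce, aad, ct, self.tag_len)):
            return self._fail()
        return bytes(c ^ k for c, k in zip(ct, _keystream(self.key, nonce, len(ct))))

    def _fail(self):
        self.failed_decryptions += 1
        if self.failed_decryptions >= self.forgery_limit:
            self.retired = True  # stop using this key; only a key update restores service
        return None

    def key_update(self) -> "ReceiverKey":
        # Assumption: toy key schedule (HMAC of the old key) and a fresh counter for the new key.
        next_key = hmac.new(self.key, b"toy key update", hashlib.sha256).digest()
        return ReceiverKey(next_key, self.tag_len, self.forgery_limit, self.generation + 1)


def demo(tag_len: int = 8, forgery_limit: int = 2 ** 6) -> dict:
    """One valid packet, a burst of forgeries up to the limit, then a key update."""
    key = bytes(range(32))          # constructed sample key
    nonce = b"\x00" * 12            # constructed sample nonce
    aad = b"constructed header"     # constructed associated data
    rx = ReceiverKey(key, tag_len, forgery_limit)
    pkt = seal(key, nonce, aad, b"hello", tag_len)
    first = rx.open(nonce, aad, pkt)
    # Attacker flips one ciphertext bit; every attempt is a failed decryption.
    forged = bytes([pkt[0] ^ 0x01]) + pkt[1:]
    rejected = sum(1 for _ in range(forgery_limit) if rx.open(nonce, aad, forged) is None)
    try:
        rx.open(nonce, aad, pkt)    # even a valid packet is refused on a retired key
        refused = False
    except IntegrityLimitExceeded:
        refused = True
    rx2 = rx.key_update()
    key2 = hmac.new(key, b"toy key update", hashlib.sha256).digest()
    after_update = rx2.open(nonce, aad, seal(key2, nonce, aad, b"hello again", tag_len))
    return {"first": first, "rejected": rejected, "retired": rx.retired,
            "refused": refused, "after_update": after_update,
            "generation": rx2.generation}
```

The point the example makes concrete is that the limit is on attempts, not successes: the receiver never learns whether an attacker was close, so it has to budget forgeries in advance and refuse to keep the key alive past that budget. Whether the counter may start over after a key update is only the reading suggested by this message; the integrity limit QUIC eventually specified counts failed decryptions across all keys for the lifetime of the connection, so check the final text before copying this policy into a real implementation.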