Hi,

On 2020-05-17 07:35 +0200, Hanno Becker <hanno.bec...@arm.com> wrote:
> So, we're here at the moment:
> (1) Only the CID issue really _needs_ fixing somehow.
> (2) Other header fields are currently authenticated through a mixture of
> AAD, nonce, and implicit properties of the AEAD,
> and proof complexity doesn't seem to grow significantly because of that
> non-uniformity (the latter was slightly in doubt
> so far for epoch authentication, but Ekr's remark clarifies that it
> isn't actually the case).
> (3) No security issues with the proposed alternative -- uniformly
> pseudo-header based AAD -- have been raised yet.
> (4) Non-security arguments for a pseudo-header AAD have been proposed,
> e.g. network bandwidth reduction.
> Those aren't discussed until the question of security reaches some clarity.
>
> Felix, could you give some input on (3) as detailed in my last post?

Our security analysis doesn't speak to (3) --- I added some more detailed
remarks in reply to your last post. Clearly, you wouldn't achieve the same
security definition (as headers are intentionally malleable). Whether that's
a problem or not depends on the goal, and if you can indeed prove the
corresponding, to-be-formalized security statements.

Cheers,
Felix

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls