List:       ietf-tls
Subject:    Re: [TLS] Integrity bounds in DTLS
From:       Thomas Fossati <Thomas.Fossati () arm ! com>
Date:       2020-05-19 10:50:41
Message-ID: B3ADE8B6-3B5B-4113-90A1-630535DA2A5F () arm ! com

On 18/05/2020, 01:47, "Martin Thomson" <mt@lowentropy.net> wrote:
> The question is whether it is clear that these limits apply to the use
> of AEADs in TLS more generally.  I think that is clear enough, but I
> doubt that people will pay any mind unless they are implementing TLS
> 1.3.

Yes, that's exactly my original point.  I'd like to maximise the chance
that the message doesn't get ignored: we have 1.2 deployments around
that are not likely to be forklifted to 1.3 soon and we will have to
make them aware of the risk nonetheless.

> The problem with TLS 1.2 is that there is no option for key updates,
> unless you count renegotiation, which is often disabled.  When I added
> limits to NSS, all I could reliably do was make the connection
> terminate if the limit was hit (which is why the limits used are
> larger than advised in the spec).

Sure, protocol version as well as stack-specific reactions will differ.

I guess my question is whether, to maximise coverage/visibility, it
makes sense to state the general problem together with version-specific
behaviours in a separate doc?
