Re: Discussion of 9.2.2

On Thu, Sep 25, 2014 at 9:10 AM, Greg Wilkins <gregw@intalio.com> wrote:

> I am concerned that "No block/stream ciphers except AEAD" is a
> sufficiently future proof specification.  Could there be block/stream
> ciphers that use something other than AEAD to make them sufficiently strong
> for h2?
>

For the record, I think it's important to be clear that this isn't quite
accurate.

TLS divides cipher suites into three categories:

- block
- stream
- AEAD

So, AEAD isn't an exception, it's a third category. One might imagine adding
a fourth category, but that wouldn't fall afoul of 9.2.2 because 9.2.2
prohibits block and stream, but doesn't say *only* AEAD.

I realize that it's a bit confusing because AES-GCM is an AEAD primitive
based on a block cipher (AES) [0], but in the TLS taxonomy, that makes it
an AEAD cipher, not a block cipher.

-Ekr

Received on Thursday, 25 September 2014 16:37:55 UTC
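
The distinction drawn in the message above, as an added example that is not part of the original message or of any TLS or HTTP/2 implementation: it sorts suites into the three TLS cipher types and compares a "prohibit block and stream" rule with an "only AEAD" rule. The function names, the name-based classification and the final sample suite (a made-up name standing in for a fourth category) are assumptions of this example.

```python
# Added illustration; not from the original message.
# The type is inferred from IANA-style suite names, a heuristic for this
# example; in TLS the cipher type is part of each suite's definition.
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}
BLOCK_TOKENS = {"CBC"}
STREAM_TOKENS = {"RC4", "NULL"}


def cipher_type(suite):
    """Return 'aead', 'block', 'stream' or 'other' for a suite name."""
    tokens = set(suite.split("_WITH_")[-1].split("_"))
    # AEAD is checked first: AES-GCM is built on a block cipher (AES),
    # but in the TLS taxonomy the suite is AEAD, not block.
    if tokens & AEAD_TOKENS:
        return "aead"
    if tokens & BLOCK_TOKENS:
        return "block"
    if tokens & STREAM_TOKENS:
        return "stream"
    return "other"  # a category outside the three listed in the message


def allowed_prohibit_block_stream(suite):
    """Rule worded as a prohibition: block and stream are out."""
    return cipher_type(suite) not in ("block", "stream")


def allowed_only_aead(suite):
    """Rule worded as an allowlist: nothing but AEAD is in."""
    return cipher_type(suite) == "aead"


def compare(suites):
    """Rows of (suite, type, allowed by prohibition, allowed by allowlist)."""
    return [(s, cipher_type(s), allowed_prohibit_block_stream(s),
             allowed_only_aead(s)) for s in suites]


# Constructed sample list. The last name is invented for this example and
# stands for a hypothetical fourth category; it is not a registered suite.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_EXAMPLECIPHER_256_NEWMODE_SHA384",
]

if __name__ == "__main__":
    for row in compare(SAMPLE_SUITES):
        print("%-52s %-6s prohibit=%-5s only_aead=%s" % row)
```

The two rules agree on every suite in the three existing categories and differ only on the invented fourth-category name, which the prohibition admits and the allowlist rejects.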
