On 11-May-25 21:53, Michael Richardson wrote:
> Brian E Carpenter <[email protected]> wrote:
> > One detail: when developing RFC 8991 we were given very strong advice to
> > avoid the word "nonce" as some people find it offensive (it has a slang
> > meaning in British English). We switched to "handle" in that RFC. But given
> > that GRASP and cGRASP both have a pseudo-random "session-id", why not simply
> > call it "message-id"?
>
> Oh. The rest of the security community will be surprised, so I think that
> ship has sailed, and we should stick with nonce, if its purpose is freshness
> and/or contribution to a cryptographic state.
> {sitting in a cafe next to Farringdon station. Shall I ask a random person?}
>
> > I am a little concerned by the reduction from 32 to 16 bits for the
> > session-id.
>
> Since it's CBOR, there are no on-the-wire changes.
> It's really about saying that implementations can expect to use a 16-bit
> register for this.
> I.e., it's not saving any bytes in the wire, it's saving cycles on a CPU with
> a 16-bit ALU.

Sure, but it's reducing the collision space from 4294967296 to 65536. That
means that collisions *will* happen so the collision avoidance mechanism
*will* be exercised. That may be a good design choice but I think it needs
to be documented.

    Brian
_______________________________________________
Anima mailing list -- [email protected]
To unsubscribe send an email to [email protected]
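
To put numbers on the 65536 versus 4294967296 comparison above, here is an added example that is not part of the thread and is not taken from any GRASP or cGRASP implementation. It computes the birthday bound for each width and simulates an assumed redraw-on-clash allocator, a stand-in for whatever collision avoidance a real node uses; all function names and the workload figures are hypothetical.

```python
import math
import random

def collision_probability(active, bits):
    """Birthday bound: chance that `active` uniform random ids of `bits` width are not all distinct."""
    space = 1 << bits
    if active > space:
        return 1.0
    log_unique = sum(math.log1p(-i / space) for i in range(active))
    return -math.expm1(log_unique)

def sessions_for_even_odds(bits):
    """Smallest number of simultaneously live ids with at least a 50% chance of a clash."""
    space = 1 << bits
    log_unique, n = 0.0, 1            # a single id can never collide
    while -math.expm1(log_unique) < 0.5:
        log_unique += math.log1p(-n / space)
        n += 1
    return n

def simulate_redraws(bits, active, churn, seed=1):
    """Hold `active` sessions open, replace one `churn` times, count redraws forced by a clash.

    Assumed scheme: draw a random id and redraw while it matches a live session.
    """
    rng = random.Random(seed)         # seeded only to make the demo repeatable
    space = 1 << bits
    live, in_use, redraws = [], set(), 0

    def allocate():
        nonlocal redraws
        sid = rng.randrange(space)
        while sid in in_use:          # the collision-avoidance path
            redraws += 1
            sid = rng.randrange(space)
        in_use.add(sid)
        live.append(sid)

    for _ in range(active):
        allocate()
    for _ in range(churn):            # close a random session, open a new one
        in_use.discard(live.pop(rng.randrange(len(live))))
        allocate()
    return redraws

if __name__ == "__main__":
    for bits in (16, 32):
        print(f"{bits}-bit ids: 50% clash odds at {sessions_for_even_odds(bits)} live sessions, "
              f"P(clash | 1000 live) = {collision_probability(1000, bits):.6f}, "
              f"redraws over 20000 replacements = {simulate_redraws(bits, 1000, 20000)}")
```

With 1000 live sessions, a 16-bit space makes at least one clash a near certainty and the redraw path runs hundreds of times over 20000 replacements, while at 32 bits it almost never runs, so code on that path needs its own test coverage at 16 bits.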
