The nonce -> message-id (term of CoAP) is good enough to be 16 bit (as in
CoAP), because it is just per-hop retransmission, and the goal should be to
simply change only things that don't need a lot of argument/evaluation.

The session-id is network-wide GRASP and again, there is no good reason to
change it: Just causes a whole new re-investigation if it's sufficient (which
I think it isn't, but my argument is not really technical, but just "keep it
simple - only change what must be changed compared to GRASP").

Cheers
Toerless

On Mon, May 12, 2025 at 08:09:40AM +1200, Brian E Carpenter wrote:
> On 11-May-25 21:53, Michael Richardson wrote:
> >
> > Brian E Carpenter <[email protected]> wrote:
> > > One detail: when developing RFC 8991 we were given very strong advice to
> > > avoid the word "nonce" as some people find it offensive (it has a slang
> > > meaning in British English). We switched to "handle" in that RFC. But given
> > > that GRASP and cGRASP both have a pseudo-random "session-id", why not simply
> > > call it "message-id"?
> >
> > Oh. The rest of the security community will be surprised, so I think that
> > ship has sailed, and we should stick with nonce, if its purpose is freshness
> > and/or contribution to a cryptographic state.
> > {sitting in a cafe next to Farringdon station. Shall I ask a random person?}
> >
> > > I am a little concerned by the reduction from 32 to 16 bits for the
> > > session-id.
> >
> > Since it's CBOR, there are no on-the-wire changes.
> > It's really about saying that implementations can expect to use a 16-bit
> > register for this. I.e., it's not saving any bytes in the wire, it's saving
> > cycles on a CPU with a 16-bit ALU.
>
> Sure, but it's reducing the collision space from 4294967296 to 65536. That
> means that collisions *will* happen so the collision avoidance mechanism
> *will* be exercised. That may be a good design choice but I think it needs
> to be documented.
>
> Brian
>
--
---
[email protected]