Yoav Nir <y...@checkpoint.com> wrote: >>> Fix PRF_AES128_CBC to PRF_AES128_XCBC and downgrade it from SHOULD+ >>> to SHOULD.
>> this is the only one which I didn't understand. > Which one? There's two parts there. True. So, the "_CBC" to "_XCBC" is either a typo in the email or in the spec, and: > AES-XCBC was supposed to take the world over by storm from the HMAC > constructions. Except it didn't - everybody still uses HMAC-SHA1, it's > still considered secure, and those who don't use HMAC-SHA1, use > GHASH. So we no longer expect this to become a MUST in the future, > hence the removal of the "+". Within the IPsec community, I agree that this is the case, thank you for the explanation. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
pgpKr24PezTsj.pgp
Description: PGP signature
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec