IIRC the license has allowed OCB to be used for TLS for several years. They haven’t taken it up. There are no AES-OCB ciphersuites inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4 <inhttps://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4>
So I’m wondering right with you: It has a theoretical advantage in security and a measurable advantage in speed in software. Neither were compelling enough for anyone to bother adding it in TLS ciphersuites. Why should our conclusion be any different? Yoav > On 28 Feb 2021, at 22:35, Paul Wouters <p...@nohats.ca> wrote: > > > So now that OCB is finally free, do we want to implement it? :) > > I'm honestly not sure if the improvements of AES-GCM are worth it. > I haven't heard of vulnerabilities in IKE/ESP wrt. IVs or counters. > > Paul > > ---------- Forwarded message ---------- > Date: Sat, 27 Feb 2021 14:37:30 > From: "Salz, Rich via cryptography" <cryptogra...@metzdowd.com> > To: "cryptogra...@metzdowd.com" <cryptogra...@metzdowd.com> > Subject: [Cryptography] Direct public confirmation from Dr. Rogaway > > > https://mailarchive.ietf.org/arch/msg/cfrg/qLTveWOdTJcLn4HP3ev-vrj05Vg/ : > > > > I can confirm that I have abandoned all OCB patents > > and placed into the public domain all OCB-related IP of mine. > > While I have been telling people this for quite some time, I don't > > think I ever made a proper announcement to the CFRG or on the > > OCB webpage. Consider that done. > > > > I hope people will use the scheme to do positive things. > > > > phil > > _______________________________________________ > The cryptography mailing list > cryptogra...@metzdowd.com > https://www.metzdowd.com/mailman/listinfo/cryptography > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec