[TLS] removing 128-bit ciphers in TLS 1.3

2016-05-12 Thread Fedor Brunner
Because of these attacks: https://blog.cr.yp.to/20151120-batchattacks.html could you please consider obsoleting 128-bit ciphers in TLS 1.3? For example, AES-128 encryption has been removed from Suite B: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml More discussions on AES-128

Re: [TLS] Ensuring consistent strength across certificate, ECDHE, cipher, and MAC

2016-03-24 Thread Fedor Brunner
Timothy Jackson:
> I’ve noted that many (most?) TLS implementations choose their ECDHE curves
> seemingly without regard to the cipher suite strength. Thus, they'll select
> an AES256 cipher suite (e.g. TLS_ECDHE_ECDSA_WITH_AES256_SHA384), but then
> generate an ECDHE key on the P256 curve. This

Re: [TLS] RSA-PSS in TLS 1.3

2016-03-04 Thread Fedor Brunner
Hanno Böck:
> On Thu, 3 Mar 2016 13:35:46 +
> "Dang, Quynh (Fed)" wrote:
>
>> Why don't we use an even more elegant RSA signature called "
>> full-domain hash RSA signature" ?
>
> Full Domain Hashing was originally developed by Rogaway and Bellare and
> then later dismissed because they foun