Per discussion with Sean, I've merged this at: https://github.com/tlswg/tls13-spec/commit/5f30bca74fdf8ded2bf50b112487ca780faa52ef
On Wed, Oct 28, 2015 at 3:53 AM, Eric Rescorla <e...@rtfm.com> wrote:

> Sure. Like I said, I don't feel strongly about this, I just wanted to take
> people's temperature. I'm fine with removing the seq from the AD.
>
> -Ekr
>
> On Tue, Oct 27, 2015 at 2:49 PM, Adam Langley <a...@imperialviolet.org> wrote:
>
>> On Tue, Oct 27, 2015 at 8:56 AM, Eric Rescorla <e...@rtfm.com> wrote:
>> > Yes, that's correct. But we could relax that restriction and make those
>> > work if we wanted...
>>
>> Explicit nonces should not be used in TLS. I'm happy to be building
>> things without them in mind.
>>
>> SIV modes, if turned into AEADs, would have to authenticate their
>> nonces internally. RFC 5297 basically says that already
>> (https://tools.ietf.org/html/rfc5297#section-3). That might mean that
>> the nonce is prepended to the AD inside the AEAD abstraction, but that
>> wouldn't be TLS's concern.
>>
>> Cheers
>>
>> AGL
>>
>> --
>> Adam Langley a...@imperialviolet.org https://www.imperialviolet.org
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
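
An added example, not from the thread or the tls13-spec repository: with the sequence number left out of the AD, it is still bound to each record through the implicit nonce, so a record checked at the wrong position fails authentication. The sketch assumes the RFC 8446 section 5.3 nonce construction (IV XOR left-padded sequence number) and AES-128-GCM; the key, IV, header bytes and function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// recordNonce builds the implicit per-record nonce: the 64-bit sequence
// number, left-padded to the IV length, XORed into the static IV.
func recordNonce(iv []byte, seq uint64) []byte {
	nonce := append([]byte(nil), iv...)
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], seq)
	for i := range s {
		nonce[len(nonce)-8+i] ^= s[i]
	}
	return nonce
}

// newAEAD returns AES-GCM for the given key (assumed cipher for this demo).
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// replayAtWrongSeq seals a record at seq 5 with an AD that does NOT contain
// the sequence number, then opens it at seq 5 and at seq 6.
func replayAtWrongSeq() (inOrderOK, wrongSeqRejected bool) {
	aead := newAEAD(make([]byte, 16)) // constructed all-zero demo key
	iv := make([]byte, 12)            // constructed all-zero static IV
	ad := []byte{0x17, 0x03, 0x03}    // constructed header bytes, no seq
	ct := aead.Seal(nil, recordNonce(iv, 5), []byte("record five"), ad)
	_, errSame := aead.Open(nil, recordNonce(iv, 5), ct, ad)
	_, errNext := aead.Open(nil, recordNonce(iv, 6), ct, ad)
	return errSame == nil, errNext != nil
}

func main() { fmt.Println(replayAtWrongSeq()) }
```

Both sides compute the nonce from their own record counter, so nothing on the wire carries it and a reordered or dropped record shows up as an authentication failure.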