Personally, I think a hard requirement to rekey every 64GiB is reasonable enough to just use it for every cipher. I don't think cipher-specific requirements are worth the effort/complexity. Something like a MUST for AES-GCM and a SHOULD for ChaCha seems fine, though, if really desired.
Dave On Tuesday, December 15, 2015 04:17:34 pm Watson Ladd wrote: > I don't think that's what I intended: I think the limit should be > ciphersuite specific. Unfortunately that requires more work. > > On Tue, Dec 15, 2015 at 4:15 PM, Eric Rescorla <e...@rtfm.com> wrote: > > For context, see: > > https://github.com/tlswg/tls13-spec/pull/372 > > > > On Tue, Dec 15, 2015 at 1:14 PM, Eric Rescorla <e...@rtfm.com> wrote: > >> > >> Watson kindly prepared some text that described the limits on what's safe > >> for AES-GCM and restricting all algorithms with TLS 1.3 to that lower > >> limit (2^{36} bytes), even though ChaCha doesn't have the same > >> restriction. > >> > >> I wanted to get people's opinions on whether that's actually what we want > >> or whether we should (as is my instinct) allow people to use ChaCha > >> for longer periods. > >> > >> -Ekr _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
