Might I enquire about the cryptographical reason behind such a limit? Is this the limit on the size of a single record? GCM does have a limit approximately there on the size of a single plaintext it can encrypt. For TLS, it encrypts a record as a single plaintext, and so this would apply to extremely huge records.
Or is this a limit on the total amount of traffic that can go through a connection over multiple records? If this is the issue, what is the security concern that you would have if that limit is exceeded?

Thank you.

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla
Sent: Tuesday, December 15, 2015 4:15 PM
To: tls@ietf.org
Subject: [TLS] Data volume limits

Watson kindly prepared some text that described the limits on what's safe for AES-GCM and restricting all algorithms with TLS 1.3 to that lower limit (2^{36} bytes), even though ChaCha doesn't have the same restriction.

I wanted to get people's opinions on whether that's actually what we want or whether we should (as is my instinct) allow people to use ChaCha for longer periods.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls