On 16 December 2015 at 08:14, Eric Rescorla <e...@rtfm.com> wrote: > > I wanted to get people's opinions on whether that's actually what we want > or whether we should (as is my instinct) allow people to use ChaCha > for longer periods.
Whatever the actual limits are, I think that implementatios should be encouraged to rekey more strongly. If 2^36 is the number, then I can see that being reached in some applications. That means that we need the rekey feature to exist. If we are going to have that feature, then we need to make sure that it works. And suggesting a stupidly high limit (e.g., ChaCha being greater than 2^96) leaves people thinking that they can skip implementation and testing of the rekey facility; or it just goes unused. If it's not in use, then we'll have a good chance of creating a protocol feature we can't rely on if it really is needed. In light of that, the actual limits don't matter that much to me. As David McGrew suggested, set a limit at 2^32 and avoid having to think too hard about how close to the failure point you might be. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls