[Msg for followup picked at random from this thread -JimC] One thing we should remember on this thread is that it does not only apply to aes and its' 128-bit block size.
Because TLS chose to create a NotQuiteChaCha rather than use ChaCha, its chacha20poly1305 also has a small data volume limit (2^40 bits; only twice aesgcm's limit). So key updates or re-keying will be more universally required. (Are there any aeads currently spec'ed with both large enough blocks and large enough nonces safely to avoid key updates?) -JimC -- James Cloos <cl...@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6 _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls