On 21 December 2016 at 01:45, Russ Housley <hous...@vigilsec.com> wrote: > I am curious about the choice of hash function for > TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256. All of the other AES-256 > ciphersuites defined in this document that use SHA-384. Why does the one > with a truncated authentication tag use SHA-256?
I would go further than Russ and challenge the value of the ciphersuite entirely. Though I think that we've already discussed this before, several times. For some reason I can't remember ever having had my mind changed on this point, though I think John pointed at the larger key size having some advantage with respect to (mumble), even if you aren't concerned about active forgery. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls