On 16 February 2017 at 04:30, Yoav Nir <ynir.i...@gmail.com> wrote: > And now I’ve lost you. A moment ago I thought you were concerned that people > would fail to implement KeyUpdate. Are you now suggesting that it be removed > entirely from TLS 1.3?
No. My point was that if GCM requires more updates than you can handle (because you are running well in excess of 1Tbps perhaps, I don't know, my crystal ball isn't that good), then use ChaCha where you don't need to update so often. Obviously there is a tradeoff there given the relative availability of hardware support, which you likely need at those rates, but again the crystal ball is imperfect in telling us how that story plays out. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls