On Thu, Apr 23, 2020, at 18:11, Hanno Becker wrote: > You criticize that an implicit CID which is still included in the AAD > requires state on the receiver when processing multiple records within > a single datagram, which is true. I'm saying that the same holds for > the PR 143 which adds the implicit CID to the AAD even if it's not in > the header. In that sense, this (valid) issue exists on both cases.
Right, but that is why I don't like 143.. > There is nothing subjective here: You cannot make full use of the > compression features such as length omission independently of the > underlying datagram layer, because you have to know that the record > you're sending will be the last. So clearly sending is _harder_ if you > have to decide on the header format already during record protection, > while if you can protect the record on the basis of the logical header > data alone, choice of header format and choice of packing into > datagrams can be handled entirely independently. Those are new, optional features, so I'm assuming that any costs associated with exercising them justify any complexity. > > The authenticated logical header being different than what is sent on the > > wire is a bug in my opinion. Authenticating all the bytes you send makes > > the protocol simpler and less error prone. > > So far, there hasn't been any substance to the claim that > authenticating the logical header is a "bug" or "defect", while in > (a)-(c) above I provide multiple reasons why it is in fact beneficial. I don't agree with your reasoning. As far as a bug, let me just say that having to allocate and construct a pseudo-header separate to the actual header is work that no longer has to be done. So receiver logic is easier. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls