Continuing the trend where I am the only one to post to this thread... I just posted a proposal:
https://github.com/tlswg/dtls13-spec/pull/147

This is essentially a transcription of the work done for QUIC to DTLS.

There is one major change, in the addition of TLS_AES_128_CCM_8_SHA256. QUIC prohibits the use of this cipher suite, so it doesn't have to worry about it. The proposed text does not define limits for this cipher, essentially suggesting that it's not good for general use.

My personal conclusion is that this suite is fine for use in TLS, but unless we dramatically revise our expectations, it's no good for DTLS. To that end, I'd be happier prohibiting the use of this cipher suite outright in DTLS.

I didn't put that in the proposal as I believe that would be counter to our established position, which is that this is not generally recommended, but it might have specialized uses in which it is OK. The proposal therefore attempts to hedge by saying that you need special circumstances and further analysis before using it.

So I see two paths and one maybe option:

1. Prohibit use of TLS_AES_128_CCM_8_SHA256 in DTLS.
2. Allow TLS_AES_128_CCM_8_SHA256 in DTLS under special circumstances (the PR).
3. An unspecified proposal that allows TLS_AES_128_CCM_8_SHA256 more generally somehow.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls