I also agree. Even without implicit CIDs we can still put multiple handshake messages into a single record. Hence, there is no performance problem.
From: TLS <tls-boun...@ietf.org> On Behalf Of Richard Barnes Sent: Thursday, May 28, 2020 3:37 PM To: Christopher Wood <c...@heapingbits.net> Cc: TLS@ietf.org Subject: Re: [TLS] Banning implicit CIDs in DTLS I agree with EKR that this seems like the most expedient solution to the issue. --Richard On Thu, May 21, 2020 at 12:00 PM Christopher Wood <c...@heapingbits.net<mailto:c...@heapingbits.net>> wrote: PR #148 in the DTLS 1.3 draft (https://github.com/tlswg/dtls13-spec/pull/148) proposes banning implicit CIDs. This comes at an obvious cost in terms of bytes on the wire. However, in discussions on a parallel thread [1 and related], it's noted that this removes header malleability. Given that we don't have backing analysis suggesting that malleability (with the other AAD properties) is safe*, the chairs propose merging this PR as-is. To that end, please respond to the list by May 28, 2020, indicating whether or not you support this PR. Thanks, Chris, on behalf of the chairs *One proposal to address this is by extending the AAD to include the pseudo-header. However, the chairs feel this is an unnecessary divergence from QUIC. [1] https://mailarchive.ietf.org/arch/msg/tls/kFnlBW-TmlArcU0lD9UQdf_1t_o/ _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls