Eric, Thanks for that clarification. I think that explains much of the(my?) confusion about 9.2.2. I think this indicates that the wording of 9.2.2 is indeed causing confusion and has actually created wrong implementations. In FF the 9.2.2 test is currently implemented as: isAEAD() when it should be: !isBlock() && !isStream() The former is a interoperability problem for future acceptable non AEAD ciphers, while the later is not. cheers On 26 September 2014 02:36, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Thu, Sep 25, 2014 at 9:10 AM, Greg Wilkins <gregw@intalio.com> wrote: > >> I am concerned that "No block/stream ciphers except AEAD" is a >> sufficiently future proof specification. Could there be block/stream >> ciphers that use something other than AEAD to make them sufficiently strong >> for h2? >> > > For the record, I think it's important to be clear that this isn't quite > accurate. > > TLS divides cipher suites into three categories: > > - block > - stream > - AEAD > > So, AEAD isn't an exception, it's a third category. One might imagine > adding > a fourth category, but that wouldn't fall afoul of 9.2.2 because 9.2.2 > prohibits > block and stream, but doesn't say *only* AEAD. > > I realize that it's a bit confusing because AES-GCM is an AEAD primitive > based on a block cipher (AES) [0], but in the TLS taxonomy, that makes it > an AEAD cipher, not a block cipher. > > -Ekr > > -- Greg Wilkins <gregw@intalio.com> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales http://www.webtide.com advice and support for jetty and cometd.
Received on Thursday, 25 September 2014 16:53:09 UTC