Re: Discussion of 9.2.2

On Thu, Sep 25, 2014 at 9:10 AM, Greg Wilkins <gregw@intalio.com> wrote:

> I am concerned that "No block/stream ciphers except AEAD" is a
> sufficiently future proof specification.  Could there be block/stream
> ciphers that use something other than AEAD to make them sufficiently strong
> for h2?
>

For the record, I think it's important to be clear that this isn't quite
accurate.

TLS divides cipher suites into three categories:

- block
- stream
- AEAD

So, AEAD isn't an exception, it's a third category. One might imagine adding
a fourth category, but that wouldn't fall afoul of 9.2.2 because 9.2.2
prohibits block and stream, but doesn't say *only* AEAD.

I realize that it's a bit confusing because AES-GCM is an AEAD primitive
based on a block cipher (AES) [0], but in the TLS taxonomy, that makes it
an AEAD cipher, not a block cipher.

-Ekr

Received on Thursday, 25 September 2014 16:37:55 UTC
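
Added example, not part of the original message or of the HTTP/2 draft: a small Python audit that derives the TLS cipher type from a suite name and applies the rule as the message describes it (block and stream prohibited, nothing said about other types). The function names, the sample list and the "fourth-type" label are assumptions made for illustration.

```python
# TLS 1.2 gives every suite a cipher type: stream, block or aead
# (RFC 5246, SecurityParameters.cipher_type).
PROHIBITED_TYPES = {"stream", "block"}  # the rule as described in the message


def cipher_type(suite):
    """Derive the TLS cipher type from an IANA-style suite name."""
    _, sep, bulk = suite.partition("_WITH_")
    if not sep:
        raise ValueError(f"not a TLS 1.2 style suite name: {suite!r}")
    tokens = bulk.split("_")
    # Check AEAD modes first: AES_128_GCM is built on a block cipher,
    # but TLS types the suite by its mode, so it is "aead".
    if {"GCM", "CCM", "POLY1305"} & set(tokens):
        return "aead"
    if "CBC" in tokens:
        return "block"
    if tokens[0] in ("RC4", "NULL"):
        return "stream"  # RFC 5246 lists NULL and RC4 as stream type
    # Fail closed: an unrecognised name must not pass the audit silently.
    raise ValueError(f"cannot classify bulk cipher in {suite!r}")


def prohibited(ctype):
    """Deny-list check: only stream and block are ruled out."""
    return ctype in PROHIBITED_TYPES


def audit(suites):
    """Return {suite: (type, prohibited?)} for a list of suite names."""
    return {s: (cipher_type(s), prohibited(cipher_type(s))) for s in suites}


# Constructed sample: IANA suite names picked for illustration.
SAMPLE = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for name, (ctype, bad) in audit(SAMPLE).items():
        print(f"{name:46} {ctype:6} {'prohibited' if bad else 'ok'}")
    # A hypothetical fourth cipher type is not caught by a deny-list of two.
    print("fourth-type prohibited?", prohibited("fourth-type"))
```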