Eric,
Thanks for that clarification. I think that explains much of the(my?)
confusion about 9.2.2.
I think this indicates that the wording of 9.2.2 is indeed causing
confusion and has actually created wrong implementations. In FF the 9.2.2
test is currently implemented as:
isAEAD()
when it should be:
!isBlock() && !isStream()
The former is a interoperability problem for future acceptable non AEAD
ciphers, while the later is not.
cheers
On 26 September 2014 02:36, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
> On Thu, Sep 25, 2014 at 9:10 AM, Greg Wilkins <gregw@intalio.com> wrote:
>
>> I am concerned that "No block/stream ciphers except AEAD" is a
>> sufficiently future proof specification. Could there be block/stream
>> ciphers that use something other than AEAD to make them sufficiently strong
>> for h2?
>>
>
> For the record, I think it's important to be clear that this isn't quite
> accurate.
>
> TLS divides cipher suites into three categories:
>
> - block
> - stream
> - AEAD
>
> So, AEAD isn't an exception, it's a third category. One might imagine
> adding
> a fourth category, but that wouldn't fall afoul of 9.2.2 because 9.2.2
> prohibits
> block and stream, but doesn't say *only* AEAD.
>
> I realize that it's a bit confusing because AES-GCM is an AEAD primitive
> based on a block cipher (AES) [0], but in the TLS taxonomy, that makes it
> an AEAD cipher, not a block cipher.
>
> -Ekr
>
>
--
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.