- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Sat, 12 Nov 2016 15:56:53 +0900
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 12 November 2016 at 15:30, Eric Rescorla <ekr@rtfm.com> wrote: > SUBSTANTIVE > S 2.1. > The "rs" or record size parameter contains an unsigned 32-bit > integer in network byte order that describes the record size in > octets. Note that it is therefore impossible to exceed the > 2^36-31 limit on plaintext input to AEAD_AES_128_GCM. Values > smaller than 3 are invalid. > > I don't believe that this is correct, because the limit is on the > total number of bytes with the same key, not on the total number > of bytes with one nonce. This is just P_MAX from RFC 5116. > S 2.2. > Why are you using the terminal 0x00 here? I don't see anywhere > else you HMAC on cek_info without it. I like null-terminating my context strings. > S 3. > This whole Crypto-Key thing seems like a menace. As has been noted, > it's a terrible idea to provide Crypto-Key and encrypted data > for the same key in the same HTTP message, but that's the only > thing you see to support: > > The value or values provided in the Crypto-Key header field is valid > only for the current HTTP message unless additional information > indicates a greater scope. > > Do we have a concrete use case for Crypto-Key? If not, I would remove > it. If so, I would consider writing a different spec. Maybe we can discuss this in the meeting, I don't have any objection to this. I like deleting code. > EDITORIAL These seem sensible. I'll do what I can to sort them out when I get some time.
Received on Saturday, 12 November 2016 06:57:26 UTC