Re: Comments on draft-ietf-httpbis-encryption-encoding-04

On 12 November 2016 at 15:30, Eric Rescorla <> wrote:
> S 2.1.
>   The "rs" or record size parameter contains an unsigned 32-bit
>   integer in network byte order that describes the record size in
>   octets.  Note that it is therefore impossible to exceed the
>   2^36-31 limit on plaintext input to AEAD_AES_128_GCM.  Values
>   smaller than 3 are invalid.
> I don't believe that this is correct, because the limit is on the
> total number of bytes with the same key, not on the total number
> of bytes with one nonce.

This is just P_MAX from RFC 5116.

> S 2.2.
>    Why are you using the terminal 0x00 here? I don't see anywhere
>    else you HMAC on cek_info without it.

I like null-terminating my context strings.

> S 3.
> This whole Crypto-Key thing seems like a menace. As has been noted,
> it's a terrible idea to provide Crypto-Key and encrypted data
> for the same key in the same HTTP message, but that's the only
> thing you see to support:
>    The value or values provided in the Crypto-Key header field is valid
>    only for the current HTTP message unless additional information
>    indicates a greater scope.
> Do we have a concrete use case for Crypto-Key? If not, I would remove
> it. If so, I would consider writing a different spec.

Maybe we can discuss this in the meeting, I don't have any objection
to this.  I like deleting code.


These seem sensible.  I'll do what I can to sort them out when I get some time.

Received on Saturday, 12 November 2016 06:57:26 UTC