Re: [TLS] Data limit for GCM under a given key.

[Eric Rescorla <ekr@rtfm.com>]

Update: we discussed this extensively in Yokohama and based on Watson's
feedback and offline comments from David McGrew, the consensus was that we
needed to add some sort of rekeying mechanism to support long-lived flows.
Expect a PR on this next week.

Note: We'll still need guidance to implementations on when to re-key, but
we don't expect to have a hard protocol limit.

-Ekr



On Fri, Nov 6, 2015 at 4:59 PM, Tony Arcieri <bascule@gmail.com> wrote:

> On Friday, November 6, 2015, Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> On Wed, Nov 4, 2015 at 3:43 PM, Dang, Quynh <quynh.dang@nist.gov> wrote:
>> > I did not talk  under indistinguishability framework. My discussion was
>> about confidentiality protection and authentication.
>>
>> What is the definition of "confidentiality protection" being used here?
>>
>
> I too am confused by Quynh's statement. Indistinguishability is the modern
> bar for confidentiality and authentication.
>
> Quynh, are you talking about anything less than IND-CCA2? If you are, that
> is less than the modern bar I would personally consider acceptable.
>
>
> --
> Tony Arcieri
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>