[{"author": "Richard Barnes", "text": "<p>:nauseated_face:</p>", "time": "2022-11-08T15:05:06Z"}, {"author": "Richard Barnes", "text": "<p>(my reaction to non-AEAD)</p>", "time": "2022-11-08T15:05:32Z"}, {"author": "Richard Barnes", "text": "<p>relying on signatures seems superficially plausible but kinda sus</p>", "time": "2022-11-08T15:06:39Z"}, {"author": "Richard Barnes", "text": "<p>i'm not going to bang on the table, but we should generally not be encouraging non-AEAD</p>", "time": "2022-11-08T15:11:54Z"}, {"author": "Richard Barnes", "text": "<p>just to push back on G\u00f6ran -- there may be multiple uses, but each one requires special analysis to verify that authentication is not necessary</p>", "time": "2022-11-08T15:12:42Z"}, {"author": "Ira McDonald", "text": "<p>I favor the map (extensible).  I don't like the \"implicit\" kem suggestion from Ilari</p>", "time": "2022-11-08T15:18:19Z"}, {"author": "Richard Barnes", "text": "<p>+1 Ira</p>", "time": "2022-11-08T15:19:09Z"}, {"author": "Richard Barnes", "text": "<p>fwiw, TLS ECH use of HPKE is disaggregated.  server advertises a KEM, then the client selects a KDF and AEAD.  and they're all signalled separately</p>", "time": "2022-11-08T15:25:13Z"}, {"author": "Ira McDonald", "text": "<p>cabo is in SEDATE at the moment</p>", "time": "2022-11-08T15:35:34Z"}, {"author": "David Waite", "text": "<p>you may just be very quiet</p>", "time": "2022-11-08T15:36:08Z"}]