<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.10 (Ruby 2.6.10) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-westerlund-tls-gcm-sst-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="GCM-SST in TLS, DTLS and QUIC">Use of Galois Counter Mode with Strong Secure Tags (GCM-SST) in TLS, DTLS and QUIC</title>

    <author initials="M." surname="Westerlund" fullname="Magnus Westerlund">
      <organization>Ericsson</organization>
      <address>
        <email>magnus.westerlund@ericsson.com</email>
      </address>
    </author>
    <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>Security</area>
    <workgroup>Transport Layer Security</workgroup>
    <keyword>TLS</keyword> <keyword>QUIC</keyword> <keyword>Cipher Suite</keyword> <keyword>GCM-SST</keyword>

    <abstract>


<t>This document defines cipher suites based on AES-GCM-SST and Rijndael-GCM-SST (Galois Counter Mode with Strong Secure Tags) for use in TLS 1.3, DTLS 1.3, and QUIC. GCM-SST provides authenticated encryption with near-ideal forgery probabilities for short authentication tags, making it suitable for bandwidth-constrained environments where reduced per-packet overhead is important. This document specifies cipher suites with 96-bit and 112-bit authentication tags.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        The latest revision of this draft can be found at <eref target="https://gloinul.github.io/draft-westerlund-tls-gsm-sst/draft-westerlund-tls-gsm-sst.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-westerlund-tls-gcm-sst/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Transport Layer Security Working Group mailing list (<eref target="mailto:tls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/gloinul/draft-westerlund-tls-gsm-sst"/>.</t>
    </note>


  </front>

  <middle>


<section anchor="introduction"><name>Introduction</name>

<t>AES-GCM-SST and Rijndael-GCM-SST <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/> are Authenticated Encryption with Associated Data (AEAD) algorithms that provide near-ideal forgery probabilities even with short authentication tags. This makes them particularly suitable for use cases where bandwidth is constrained and reduced per-packet overhead is desirable, such as real-time media, IoT communications, and constrained radio networks.</t>

<t>Standard AES-GCM with short tags has well-known weaknesses that significantly increase forgery probabilities, especially under multiple forgery attacks. GCM-SST addresses these weaknesses through the introduction of an additional subkey and per-nonce subkey derivation, following recommendations from Nyberg et al.</t>

<t>Rijndael-GCM-SST uses Rijndael-256 (256-bit block size) as the keystream generator, providing a 28-byte nonce and significantly higher security margins against precomputation and multi-key attacks compared to AES-GCM-SST.</t>

<t>This document specifies how AES-GCM-SST and Rijndael-GCM-SST algorithms are integrated into TLS 1.3 <xref target="RFC8446"/>, DTLS 1.3 <xref target="RFC9147"/>, and QUIC <xref target="RFC9000"/>, defining new cipher suites and the necessary procedures for record number encryption and header protection.</t>

</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

</section>
<section anchor="new-cipher-suites"><name>New Cipher Suites</name>

<t>The cipher suites and cryptographic negotiation mechanisms established in TLS 1.3 are reused by the DTLS 1.3 and QUIC protocols.</t>

<t>This document introduces the following cipher suites based on AES-GCM-SST:</t>

<texttable title="GCM-SST cipher suites for TLS 1.3">
      <ttcol align='left'>Cipher Suite Name</ttcol>
      <ttcol align='left'>AEAD Algorithm</ttcol>
      <ttcol align='left'>Hash Algorithm</ttcol>
      <ttcol align='left'>Tag Length (bits)</ttcol>
      <c><spanx style="verb">TLS_AES_128_GCM_SST_12_SHA256</spanx></c>
      <c>AEAD_AES_128_GCM_SST_12</c>
      <c>SHA256</c>
      <c>96</c>
      <c><spanx style="verb">TLS_AES_128_GCM_SST_14_SHA256</spanx></c>
      <c>AEAD_AES_128_GCM_SST_14</c>
      <c>SHA256</c>
      <c>112</c>
      <c><spanx style="verb">TLS_AES_256_GCM_SST_12_SHA384</spanx></c>
      <c>AEAD_AES_256_GCM_SST_12</c>
      <c>SHA384</c>
      <c>96</c>
      <c><spanx style="verb">TLS_AES_256_GCM_SST_14_SHA384</spanx></c>
      <c>AEAD_AES_256_GCM_SST_14</c>
      <c>SHA384</c>
      <c>112</c>
      <c><spanx style="verb">TLS_RIJNDAEL_GCM_SST_12_SHA384</spanx></c>
      <c>AEAD_RIJNDAEL_GCM_SST_12</c>
      <c>SHA384</c>
      <c>96</c>
      <c><spanx style="verb">TLS_RIJNDAEL_GCM_SST_14_SHA384</spanx></c>
      <c>AEAD_RIJNDAEL_GCM_SST_14</c>
      <c>SHA384</c>
      <c>112</c>
</texttable>

<t>The AEAD algorithms are defined in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>. The number in the cipher suite name after "SST" indicates the tag length in bytes (12 or 14).</t>

<t>The 256-bit key variants (AES-256 and Rijndael) use SHA384 as the hash algorithm for HKDF to provide a security margin consistent with the larger key size.</t>

<t>The Rijndael-GCM-SST variants use a 28-byte nonce, which provides significantly greater security against precomputation and multi-key attacks compared to the AES variants with their 12-byte nonce.</t>

<t>With the inclusion of these new cipher suites, the cryptographic negotiation mechanism in TLS 1.3, as outlined in <xref section="4.1.1" sectionFormat="comma" target="RFC8446"/>, remains unchanged, as does the record payload protection mechanism specified in <xref section="5.2" sectionFormat="comma" target="RFC8446"/>.</t>

</section>
<section anchor="tls-13-record-payload-protection"><name>TLS 1.3 Record Payload Protection</name>

<t>When a GCM-SST cipher suite is negotiated, record payload protection follows <xref section="5.2" sectionFormat="comma" target="RFC8446"/> using the negotiated AEAD algorithm.</t>

<t>The per-record nonce is constructed as specified in <xref section="5.3" sectionFormat="comma" target="RFC8446"/>: the 64-bit record sequence number is padded with leading zeros to the nonce length and XORed with the write_iv derived from the traffic secret. The nonce length is 12 bytes for AES-GCM-SST cipher suites and 28 bytes for Rijndael-GCM-SST cipher suites.</t>

<t>The encrypted record has the following structure:</t>

<figure><artwork><![CDATA[
struct {
    opaque content[TLSPlaintext.length];
    ContentType type;
    uint8 zeros[length_of_padding];
} TLSInnerPlaintext;

struct {
    ContentType opaque_type = application_data; /* 23 */
    ProtocolVersion legacy_record_version = 0x0303; /* TLS v1.2 */
    uint16 length;
    opaque encrypted_record[TLSInnerPlaintext.length + tag_length];
} TLSCiphertext;
]]></artwork></figure>

<t>The tag_length is 12 or 14 bytes depending on the negotiated cipher suite.</t>

</section>
<section anchor="dtls-13-record-number-encryption"><name>DTLS 1.3 Record Number Encryption</name>

<t>In DTLS 1.3, encryption of record sequence numbers follows the specification in <xref section="4.2.3" sectionFormat="comma" target="RFC9147"/>.</t>

<section anchor="aes-gcm-sst-cipher-suites"><name>AES-GCM-SST Cipher Suites</name>

<t>For AES-GCM-SST cipher suites, the mask used for sequence number encryption is generated using AES-ECB with:</t>

<t><list style="symbols">
  <t><spanx style="verb">sn_key</spanx>: the sequence number encryption key as defined in <xref section="4.2.3" sectionFormat="comma" target="RFC9147"/></t>
  <t><spanx style="verb">ciphertext[0..15]</spanx>: the first 16 bytes of the DTLS ciphertext</t>
</list></t>

<t>The mask is computed as follows:</t>

<figure><artwork><![CDATA[
mask = AES-ECB(sn_key, ciphertext[0..15])
]]></artwork></figure>

<t>This is the same mechanism used for AES-GCM and AES-CCM cipher suites in DTLS 1.3.</t>

</section>
<section anchor="rijndael-gcm-sst-cipher-suites"><name>Rijndael-GCM-SST Cipher Suites</name>

<t>For Rijndael-GCM-SST cipher suites, Rijndael-256-ECB would require a 32-byte input, which may exceed the available ciphertext in short DTLS records. Instead, the mask is generated using the Rijndael-GCM-SST keystream generator with:</t>

<t><list style="symbols">
  <t><spanx style="verb">sn_key</spanx>: the sequence number encryption key as defined in <xref section="4.2.3" sectionFormat="comma" target="RFC9147"/></t>
  <t><spanx style="verb">ciphertext[0..15]</spanx>: the first 16 bytes of the DTLS ciphertext</t>
</list></t>

<t>The mask is computed as follows:</t>

<figure><artwork><![CDATA[
mask = Stream(16, sn_key, ZeroPad(ciphertext[0..15], 28))
]]></artwork></figure>

<t>Where Stream(n, K, N) denotes the first n bits of keystream produced by the Rijndael-GCM-SST keystream generator instantiated with key K and nonce N (i.e., Rijndael-256 in counter mode as defined in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>), and ZeroPad(x, len) right-pads the byte string x with zeros to a length of len bytes. The first 16 bits of the mask are used to encrypt the sequence number in the record header, following the procedure in <xref section="4.2.3" sectionFormat="comma" target="RFC9147"/>.</t>

</section>
</section>
<section anchor="quic-header-protection"><name>QUIC Header Protection</name>

<t>In QUIC, specific segments of the packet header are protected as specified in <xref section="5.4" sectionFormat="comma" target="RFC9001"/>.</t>

<section anchor="aes-gcm-sst-cipher-suites-1"><name>AES-GCM-SST Cipher Suites</name>

<t>For AES-GCM-SST cipher suites, the header protection mask is generated using AES-ECB with:</t>

<t><list style="symbols">
  <t><spanx style="verb">hp_key</spanx>: the header protection key as defined in <xref section="5.4.3" sectionFormat="comma" target="RFC9001"/></t>
  <t><spanx style="verb">sample</spanx>: a 16-byte sample from the packet payload ciphertext</t>
</list></t>

<t>The 5-byte mask is computed as follows:</t>

<figure><artwork><![CDATA[
mask = AES-ECB(hp_key, sample)[0..4]
]]></artwork></figure>

<t>This is the same mechanism used for AES-GCM cipher suites in QUIC, as specified in <xref section="5.4.3" sectionFormat="comma" target="RFC9001"/>.</t>

</section>
<section anchor="rijndael-gcm-sst-cipher-suites-1"><name>Rijndael-GCM-SST Cipher Suites</name>

<t>For Rijndael-GCM-SST cipher suites, Rijndael-256-ECB would require a 32-byte sample, which may exceed the available ciphertext in short QUIC packets. Instead, the mask is generated using the Rijndael-GCM-SST keystream generator with:</t>

<t><list style="symbols">
  <t><spanx style="verb">hp_key</spanx>: the header protection key as defined in <xref section="5.4.3" sectionFormat="comma" target="RFC9001"/></t>
  <t><spanx style="verb">sample</spanx>: a 16-byte sample from the packet payload ciphertext</t>
</list></t>

<t>The 5-byte mask is computed as follows:</t>

<figure><artwork><![CDATA[
mask = Stream(40, hp_key, ZeroPad(sample, 28))[0..4]
]]></artwork></figure>

<t>Where Stream(n, K, N) denotes the first n bits of keystream produced by the Rijndael-GCM-SST keystream generator instantiated with key K and nonce N (i.e., Rijndael-256 in counter mode as defined in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>), and ZeroPad(x, len) right-pads the byte string x with zeros to a length of len bytes.</t>

</section>
</section>
<section anchor="key-update-and-usage-limits"><name>Key Update and Usage Limits</name>

<t>A key update <bcp14>MUST</bcp14> be performed prior to reaching the usage limits specified in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>. The key update mechanism is documented in <xref section="4.6.3" sectionFormat="comma" target="RFC8446"/>.</t>

<t>For AES-GCM-SST, the confidentiality and integrity limits depend on the specific AEAD instance. To ensure that the Bernstein bound factor satisfies delta approximately 1, protocols utilizing AES-GCM-SST <bcp14>MUST</bcp14> enforce that Q_MAX multiplied by P_MAX / 16 does not exceed approximately 2^59, as specified in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>.</t>

<t>In TLS 1.3 and DTLS 1.3, where record payloads are limited to 2^14 bytes, the general constraint permits up to approximately 2^49 records per key for AES-GCM-SST cipher suites. In QUIC, where packet payloads can be up to 2^16 bytes, the constraint permits up to approximately 2^47 packets per key. Implementations <bcp14>MAY</bcp14> choose more conservative limits. The maximum number of failed decryption attempts (V_MAX) for AES-GCM-SST is 2^54.</t>

<t>For Rijndael-GCM-SST cipher suites, the usage limits are significantly higher. A key update <bcp14>MUST</bcp14> be performed before encrypting 2^64 records with the same key (Q_MAX = 2^64 as specified in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>). The maximum number of failed decryption attempts (V_MAX) for Rijndael-GCM-SST is 2^118.</t>

<t>The number of failed decryption attempts (forgery attempts) before a key update or connection termination <bcp14>SHOULD</bcp14> be limited to V_MAX as specified above.</t>

</section>
<section anchor="operational-considerations"><name>Operational Considerations</name>

<t>The cipher suites defined in this document use 96-bit or 112-bit tags. For general-purpose use, cipher suites with 112-bit tags are <bcp14>RECOMMENDED</bcp14>.</t>

<t>Rijndael-GCM-SST cipher suites offer significantly higher usage limits and stronger multi-key security compared to AES-GCM-SST, at the cost of requiring Rijndael-256 hardware support for optimal performance.</t>

<t>On devices lacking hardware AES acceleration, cipher suites dependent on the AES round function <bcp14>SHOULD NOT</bcp14> be prioritized.</t>

<t>On devices equipped with hardware AES acceleration, GCM-SST cipher suites provide performance comparable to standard AES-GCM cipher suites while offering improved integrity guarantees for a given tag length.</t>

<t>To align with zero-trust principles and minimize the impact of key compromise, implementations <bcp14>SHOULD</bcp14> enforce rekeying well before reaching the cryptographic limits. Rekeying via ephemeral key exchange providing Forward Secrecy (FS) and Post-Compromise Security (PCS) after 1 hour or 2^30 to 2^37 bytes of data is <bcp14>RECOMMENDED</bcp14>.</t>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<t>The security properties of GCM-SST are detailed in <xref target="I-D.draft-mattsson-cfrg-aes-gcm-sst"/>. The key security advantages over standard AES-GCM with equivalent tag lengths are:</t>

<t><list style="symbols">
  <t>Near-ideal forgery probability of approximately 1/2^tag_length, even for long messages.</t>
  <t>Resistance to multiple forgery attacks (reforgeability resistance).</t>
  <t>Per-nonce subkey derivation prevents key recovery from successful forgeries.</t>
</list></t>

<t>GCM-SST <bcp14>MUST</bcp14> be used in a nonce-respecting setting. Nonce reuse enables universal forgery. The nonce construction in TLS 1.3 (XOR of sequence number with per-key IV) satisfies this requirement.</t>

<t>The 96-bit tag cipher suites provide a forgery probability of approximately 2^-96 per attempt, which is suitable for most applications. The 112-bit tag cipher suites provide an even higher security margin.</t>

</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<t>IANA is requested to assign identifiers in the TLS Cipher Suite Registry for the following cipher suites:</t>

<texttable title="IANA cipher suite assignments">
      <ttcol align='center'>Value</ttcol>
      <ttcol align='left'>Description</ttcol>
      <ttcol align='center'>DTLS-OK</ttcol>
      <ttcol align='center'>Recommended</ttcol>
      <c>TBD</c>
      <c><spanx style="verb">TLS_AES_128_GCM_SST_12_SHA256</spanx></c>
      <c>Y</c>
      <c>N</c>
      <c>TBD</c>
      <c><spanx style="verb">TLS_AES_128_GCM_SST_14_SHA256</spanx></c>
      <c>Y</c>
      <c>N</c>
      <c>TBD</c>
      <c><spanx style="verb">TLS_AES_256_GCM_SST_12_SHA384</spanx></c>
      <c>Y</c>
      <c>N</c>
      <c>TBD</c>
      <c><spanx style="verb">TLS_AES_256_GCM_SST_14_SHA384</spanx></c>
      <c>Y</c>
      <c>N</c>
      <c>TBD</c>
      <c><spanx style="verb">TLS_RIJNDAEL_GCM_SST_12_SHA384</spanx></c>
      <c>Y</c>
      <c>N</c>
      <c>TBD</c>
      <c><spanx style="verb">TLS_RIJNDAEL_GCM_SST_14_SHA384</spanx></c>
      <c>Y</c>
      <c>N</c>
</texttable>

</section>


  </middle>

  <back>


    <references title='Normative References'>




<reference anchor='I-D.draft-mattsson-cfrg-aes-gcm-sst' target='https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-aes-gcm-sst-21'>
   <front>
      <title>Galois Counter Mode with Strong Secure Tags (GCM-SST)</title>
      <author fullname='Matt Campagna' initials='M.' surname='Campagna'>
         <organization>Amazon Web Services</organization>
      </author>
      <author fullname='Alexander Maximov' initials='A.' surname='Maximov'>
         <organization>Ericsson</organization>
      </author>
      <author fullname='John Preuß Mattsson' initials='J. P.' surname='Mattsson'>
         <organization>Ericsson</organization>
      </author>
      <date day='5' month='July' year='2026'/>
      <abstract>
	 <t>   This document defines Galois Counter Mode with Strong Secure Tags
   (GCM-SST), an Authenticated Encryption with Associated Data (AEAD)
   algorithm that addresses several weaknesses of GCM.  GCM-SST can be
   used with any keystream generator, not only 128-bit block ciphers.
   Main differences from GCM are the introduction of a second
   authentication subkey H_2, per-nonce derivation of both H and H_2,
   and stricter usage limits.  Together, these changes yield
   authentication tags with near-ideal forgery probabilities, including
   reforgeability resistance.  All registered instances have an expected
   number of forgeries E(F) ≈ v / 2^t, a property that GCM is far from
   providing.  GCM-SST is designed for security protocols with replay
   protection such as TLS, QUIC, SRTP, and PDCP, and provides hardware
   and software performance comparable to GCM.  This document registers
   nine AEAD algorithm instances using AES and Rijndael-256 in counter
   mode, with tag lengths of 48, 96, and 112 bits.  GCM-SST has been
   standardized by 3GPP for use with SNOW 5G, AES-256, and ZUC-256.

	 </t>
      </abstract>
   </front>
   <seriesInfo name='Internet-Draft' value='draft-mattsson-cfrg-aes-gcm-sst-21'/>
   
</reference>
<reference anchor='RFC8446' target='https://www.rfc-editor.org/info/rfc8446'>
  <front>
    <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
    <author fullname='E. Rescorla' initials='E.' surname='Rescorla'/>
    <date month='August' year='2018'/>
    <abstract>
      <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
      <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='8446'/>
  <seriesInfo name='DOI' value='10.17487/RFC8446'/>
</reference>
<reference anchor='RFC9147' target='https://www.rfc-editor.org/info/rfc9147'>
  <front>
    <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
    <author fullname='E. Rescorla' initials='E.' surname='Rescorla'/>
    <author fullname='H. Tschofenig' initials='H.' surname='Tschofenig'/>
    <author fullname='N. Modadugu' initials='N.' surname='Modadugu'/>
    <date month='April' year='2022'/>
    <abstract>
      <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
      <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
      <t>This document obsoletes RFC 6347.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='9147'/>
  <seriesInfo name='DOI' value='10.17487/RFC9147'/>
</reference>
<reference anchor='RFC9000' target='https://www.rfc-editor.org/info/rfc9000'>
  <front>
    <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
    <author fullname='J. Iyengar' initials='J.' role='editor' surname='Iyengar'/>
    <author fullname='M. Thomson' initials='M.' role='editor' surname='Thomson'/>
    <date month='May' year='2021'/>
    <abstract>
      <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='9000'/>
  <seriesInfo name='DOI' value='10.17487/RFC9000'/>
</reference>
<reference anchor='RFC2119' target='https://www.rfc-editor.org/info/rfc2119'>
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname='S. Bradner' initials='S.' surname='Bradner'/>
    <date month='March' year='1997'/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name='BCP' value='14'/>
  <seriesInfo name='RFC' value='2119'/>
  <seriesInfo name='DOI' value='10.17487/RFC2119'/>
</reference>
<reference anchor='RFC8174' target='https://www.rfc-editor.org/info/rfc8174'>
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname='B. Leiba' initials='B.' surname='Leiba'/>
    <date month='May' year='2017'/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name='BCP' value='14'/>
  <seriesInfo name='RFC' value='8174'/>
  <seriesInfo name='DOI' value='10.17487/RFC8174'/>
</reference>
<reference anchor='RFC9001' target='https://www.rfc-editor.org/info/rfc9001'>
  <front>
    <title>Using TLS to Secure QUIC</title>
    <author fullname='M. Thomson' initials='M.' role='editor' surname='Thomson'/>
    <author fullname='S. Turner' initials='S.' role='editor' surname='Turner'/>
    <date month='May' year='2021'/>
    <abstract>
      <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='9001'/>
  <seriesInfo name='DOI' value='10.17487/RFC9001'/>
</reference>



    </references>



<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>This document is based on draft-denis-tls-aegis. The authors would like to thank Frank Denis and Samuel Lucas for their work on that document.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAE2sS2oAA+1b63YbN5L+z6fAKn/ELJsSJVqxlfWcUSQ5VqzbSHIu6xMr
YDdEYtQXTqObMp04r7LzLLMvtl8VgL6Q1CWZ2T1n5uycMxYJAoVC1VcXFCpB
EHQKXcRqV6y9NUpkN+JrGWfaiP2sTAuVi5MsUuJOFxNxWeRZOhaXKixzJa7k
2Ij1r/dPgsvLq67Qqbg6vuyJA/wrZBqJP7092l/ryNEoVzMQdxPvmxfKQo2z
fL4rTBF1OlEWpjIBU1Eub4rgThmwEpdpFBSxCcZhEhhTBDEWmaJjylGijdFZ
WsynWHN0ePWqk5bJSOW7nQhzdjthlhqVmtLsiiIvVQccbXdkriQ44/PoYr7W
ucvy23GelVOMXuUyNdMsL8SxnEMM9axbNcfEaLcjAjoK/aEz0N99PZ3Q3FIX
ir67Q3c6M5WWYEOIx8kLYU+x9h240ZD317SExhOpY4xDAn/UqrjpZ/mYhmUe
TjA8KYqp2d3YoFk0pGeq76dt0MDGKM/ujNrA+g1aN4ZOyxFWjqHvtIw3Vsva
sKxpgRV3Yyu3sG8p9XX2IIkHf+xPiiRe63RkWUyynGSLDQEWKEyc9MV31SIa
ttA4keO0NAs/4bC74jDXoTFZSgPKSi3hyf168z8qN6kfZkmnud83fXGeq/K/
/ws7FIWnY/f8Jpukq369b9s/Y34/cRMXtkyzHL9ATbvYXhwFB30rID89CG/y
cSBVhXfM0+lNY1UQBEKOTJHLsOh0riawWhhOmai0EJG60akyIrSQNARJI0bS
qEhkqdg7vAy8SZIVXug/p5FUcTW4/hvcQFeAK1HCfVjrFoP+trNw/uTNvO8N
QkzzbKYjMET6Brua7D8SKg3z+bSAJdutUiXzAPNkTDuMVT6nlSM50rEuNJbT
vmZCZtQgRMsLsNWD1tmCdMHnl6NY8YoRGLrTUTEJyC9AfJAUbT7TOBlJz4g7
CE2JXEVliJ+mKg+mMrxVhchmKp8oGQnIRidkwTIt+qItfDNVob7RS+LnQ73Y
CUbgiIQyGGzZz8vM9616Ex1Fsep0PhNHKeQOdmhGp/Oo/n7++QmI+vQJ3kOJ
vZYSDheUsIeloeafDmQhxfre4d5BV8gY/hq/J0YUE1l4lT6uMwVnaCnfqzkn
T6hPEXWViKnMMaOEZ4vnbWUS7ELA2uusUi5pqKlfEtMjCgUidU6Ue9gjnAhp
sELGQaETJRIVadkTR9kVyCZJmTqOjQV4c6tcRjqDJAqKKKTKS6Akknnk7a55
fjqwmGCrOxXHwW2a3UE8St7Ceo1ywjV6nAJQIbCG82toSOHIqwXcE4rxJ2NM
hacD/JIyLvQ0rhcAEDi9qQ1SRlHu91Og3GIAAWg8oR+wcw1CyhVkSis1fYW+
EYgRHFkaJOA0S0PlB8GGnrG8euAijrM7ssxckSgVZMOSFDd5lojTOSL3WEA3
MobslqBdElfV6NazHbGOf9iQRnEW3kJaH1WXlEcsY3PoRclEjFWqcllkec+B
lTiQYut5MJoXAC6zS8y3pT3RYzZhF6GBynyMQCHkGMo2BHw6xLQsLH6JAMs7
YFlYQRNiAGFAo8iavre/6LZrzzHJ7h730g0jJEOGetQ4Z1PFx8z7YjiDf7t4
tf98ONz59Kl2zG74xWD4BQ17L+2HNzc3aZgDCUkqVXcL7oxWkIhTFQIq0gIR
5oW4YF0zSQagt7lY07vTSjI6jGJJoRhQfXJz+1k6I29AaKBZB7w9fydZsT4F
5V9GrJ28vbxa69m/4vSMP18c4gwXhwf0+fL13vFx9aHjZly+Pnt7fFB/qlfu
n52cHJ4e2MUYFa2hztrJ3g9rVk5rZ+dXR2ene8drFPKKlgpJEZD9yKojBzxI
H9J04F3CXI9YOeKr/fO//XUwdMLeGgxewBk7PQ2+GOIL3Flqd8tSwNB+hbjn
HTmdwskSFdg4nN8U7jAmN2TIpcB9kCOEND9/R5L5cVf8xyicDoZ/cAN04Nag
l1lrkGW2PLK02ApxxdCKbSpptsYXJN3md++H1ncv98YgoeYU2Gwm3w4ry3Bl
BGawkelEhwDuOCu0tdtEhROZagNTQpKIIKDNxKrKm4vkjKCkDGo0Z+BXllTZ
DqE5C7PYLFm2d53WxTZ84OMZGlK9X1rHE6fIRsUvgiKx2PM+AAOvpZm0BpCe
iWOVjhFt1uEgkar9AlqUWaz4F7/8hBNdY+vrwdbza2x/je3x+Rq6h4/9ye25
YgZ+sXPw4cXOA7SGj9IaNmkNiHSTGIYXGNt+PmwRa8+wxDBnBWOtmcNHaQ2b
tFqMXRx9c3qwd3j8AGcrptzH2vLUJd5WTFlm7mfcdulu/7K6fbexRi7aIXjt
k7UYRtRCVLFXCTaFJ2aVlL8p7/bZQbZtkW9TAkQwsAa+yItGnH5a40BKJGKL
Wqym6GzEOo4EfgfDbt+y6mM+BYSZzLWkvH2dzIaQ0wyXXU4SnXBcWjAhS6kO
yqJ4/ebgFXlun8nKxZjPOZ7GDRLmzAkcEUJKipSKuaC8wzG3FKkrDomVhaSj
B+eukW5Wt6J2AjJG9lI0M5DfnXkUrOHLmhl/Cg3BbjU4wim+8wdEthmXxiV8
NjtcSgV6VsWPO9fWDRGqyMoirsHls5Qe3S554bA/6A8oDcnpRo2coEyJ0lhF
vDzKHGJcpjGV8zhDLl8nFY2tfW5172bP+lvALsUT79cvLNlzR/a8Igv5IB5D
kassi64S/vTE6P3M2Shg7ucGcKEYYbMsT3HBSh3kKOX2CRenstX9B/k6ZyBP
kcD2p0+7vN3OkK3LUTTqL6Uiot6oDY4TRaDEEIqRyxGfH1WeGY80y4WzYwLn
92cXfgH9fgfu1bWe2bsBfuHsn+0fDgbwJ8Qje3LepEkN28MdWMdApttMlJeD
/tbzxtQly2zNd7J0qSpd5ez5J3IxbFu5ItVFdP7111879rv4mao/IptKyIvE
T87iHeB0HktKBz8UfXuEH7/kift2xtV8qrjuZ0dLTH1uhfnOTr/Obq5J4NgZ
Kz8RQI9SXGcqsl922hw0CVturom+eCmQPcbu6nqNe5f8Umx8Lra2xecbvPDc
ZTDfqpyNPlZjGc6vrRyuZ270pdj8sLm9uc2LyVpmg/6WJ0HsD3acrr5sCqSS
q6P3bukcTjzi3ykIXFey4hPbFMielkTOqqqnOVRwkHAKj9QUl0tSV5YuGlFT
72z0BwtWf2qhXtdDOp2jtFHWatxn4BlXG4qpTJx2d/bnKh2VDdINrOnytsgK
iaXPWsBeSHBfPYR765ATaW4FJ6xcKFuw4Qb/kJy7HWOudTlE+nD/KzZXqjWK
n0x6jcDyk3UPDxDj6GPaacO9xyTCYaXXd5v9/uDZj26PG50jygFJVpk2/FgF
1EssCvik2ka70nk7J3lnnzzjpT/Wuj1MTyzt3fXQogKfU5vk8o+PI5VAfTGH
fAx93sfntvfRNV6sPpe8zwqlPuyheq3Sh1VRVsbkqf5S6pySi20XynUKWfjk
IpFzoT6EStk7u5zROwEV0WoJELu2JsVMW0SbvjhCEIGDb2BqBV6KVVnPiuLL
vxqgLvl86wNEUY+p/4TjPpfR+hIbPYSirgPYd1ytdKtxs3/TE6ddnDHNfBZs
uUX+i3sb8VoLc2pvktU99Elyp5QRSZ91fhyESa5vGL02uJ6Kdd1X/TbCBOe9
9hEgoUeARU086UbQtZUML5kPPYoOXZHr8aQIENjsiRm1YJzw9MHyWGUU0sd+
SAKfrAptalCr1UmqwildX9hcQcABaiXY3B3FB3uuTDXrlPRjVdt6guO2xYDX
tsLVzBoRQOinXhUKwMrYPjk4vl1Z2lXH6AAuX7w3hXuxuTlopnDDf0zwWKrP
3Wv6y6FiMm1Y9jKhew168STeoOGBp7ECPQk1W+dmh+qc0cnNJ9mL9vzMrvrN
ccKepOe265IhD3/87SFiKSxYFDxRoXU+8H8aP+yZf1cAscUwVsn/YgD554eZ
8//DzZ7wSPM+0kufQkYTdv8fOP4RgYOc9Bsc4+2UOkR4j7dGjpU41gnE1uns
8SlL+zOXzUd8x6YHeHpBzDVEA/IQVjjx+C2ZRMwkFi37N1TOGjs3Kid1Mfmh
esmOcxYLHt5VaLL0Rkf0viJjriSlkXs0om+Ob3tp8jemKlBx0cFiIVTgkyKq
oXDIL5Q09SuVk6FTyQ56hwOUIeHH4Lpj+E0rUnEh6QKaZx80pKDiuRj06qK5
KAsd648+pnhQsvQVtT6Ebrc/XZ/sfe+fNbXF8zmPbVAewGUh2IP3V+0dt94/
e7HK9T5NQRzDm3X/+kLomwaa1R5bQmXJ2jRk672/nVqVWDuL6/fjglDGiiin
jN8F5ocvfGZOExkrD5ZAyP26cGMZbLswOCmZErbtbmBvp8ne09n6wvt7zxY2
Jg9GgHXPuyd7P4hwkmUGuM5yS1zlM+5nceizBpBIUC4Tn57Bcm8QbSDASNVv
iEWhkinVfL8lzXeXpACDgaqH/adFxSXzJb2tegnui0dcw0jd0OH8BQZg3nq/
M6yUVtW/OGcgSusWzi/tvN8JzO7fKbkl+bD4BoPnriT2NIKNBgMe6XppyKbM
sB1UnzqfVRCuUlsTcU+Ho5bJMJdtuchRNrNVm7MphSnbgLBP9fnIfV/5BtgI
QO1XWyrLu84cKiC5xhzbjELwcWYaTMt8SvjF/N6q7p7mSoZQ42VzVTNDm0R2
c0NfVvUftLFJXQrch+W7O7jmX70Q3NNuAK9XOKtGgsBFK8r5CKKtyD2ReXTH
+C+n3KRIAMmg6wRCdkCX9pngLIVMZ5qeNWOYP5GqVtNTgwxDFTuNLArMBhqS
vos1tCC3oaNMwyYg6I2YjIyiri70RxW196ZzTKc+P3mAg9Vy908+jbM5GXKG
CymaxQ6eBd1PYBNWfdxxlhBF1Qyu4xLE8M2VoaUYa2qEqp+6yM7gVmMov85g
giIv+aVHpyF18FjVw1yAg4/Kvs+AzbBweR5zjVxVEzz1gvt1svSRNFdYQNxS
45G301Y6037Q8Q76wq+baSkUpJBwAKPdEW/5dabRYAPjuSO5XVItP4Sze3XZ
5UOcA4PBfsVu1QIr1s/3aQq/Dg7EJCtzMsmt99ubNkBtf1HXb6iATZ6qbWWf
1cRWuYTKTLA1NM5dadT47Jtq+M2zsF7u96Ru9UNdNIPKYbeG28yWQcR6JuzO
ZEx2UKOBnQffck4faqibcxdWO6Ha2HpfF8V7tt+OIBdT22ZCnTpjSoADKJJe
MxnsEOx9TWJiPVc85HfMq2VdonJ+f6sXvVDOuLhB4xQAZ0SYL1OmDKlr6Kb0
x9KclbdyvpGr3lCni71qBDk3t3FUNaqgv31xyrtzawbATRZL74Sa3ipqoTVf
kapnMVeG9+nc+vdnFyTQxfIQq4ne1+gYR992GyktRxF3dSZTc9HShRLS52pP
I5+mzK33wYsdTqhcRPW3cezaaoNMyKM3nnZcItUIR/cxklqErG5zY2M62jvd
WzIkHnRnp65qjjXSUOwS9ooB+eTGl9ZIxK0Wlgs1Bopym7w+0BHDzS/fyrik
hpcDbqGySccvnHkHZ2/w6cL3EYINaqPYDYJgV9i/7n/Vt/b4Ls+/+upAPKX5
5Qf8//TRFcOnrLi3j+VpK4aPrXi4JeWJS1btUneVMARaD99W/1zPpI4SEvsI
PoRAtBdSaytcqi13gow1LhW9XLuRsVG2BaXVMtVoh7LuF7jShv+7AUnwsRi3
/82AcWWsWN8q+wIt01vxKqd/D2gZB51LmZQqFsdlKI1Hns6pofDWJiFIkPz+
/c7/ACnR7tkeMwAA

-->

</rfc>

