[1] [CITE@en[RFC 6066 - Transport Layer Security (TLS) Extensions: Extension Definitions]]
([TIME[2015-02-01 18:07:52 +09:00]] 版)
<http://tools.ietf.org/html/rfc6066#section-7>

[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 7525 - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)]]
([TIME[2015-05-29 03:22:56 +09:00]] 版)
<https://tools.ietf.org/html/rfc7525#section-4.5>
]FIGCAPTION]

> Implementations MUST NOT use the Truncated HMAC extension, defined in
>    Section 7 of '''['''RFC6066''']'''.
>    Rationale: the extension does not apply to the AEAD cipher suites
>    recommended above.  However it does apply to most other TLS cipher
>    suites.  Its use has been shown to be insecure in '''['''PatersonRS11''']'''.

]FIG]