--- gvpe/NEWS	2013/10/11 07:56:07	1.120
+++ gvpe/NEWS	2014/01/17 19:47:08	1.122
@@ -5,26 +5,14 @@
 TODO: replace ripemd160 as the only authentication hash.
 TODO: increase rsa size.
 TODO: replace transport bits by transport endpoint structs?
-TODO: ecdh to avoid session replay attacks
 TODO: http://incog-izick.blogspot.de/2011/08/using-openssl-aes-gcm.html
 TODO: http://stackoverflow.com/questions/12153009/openssl-c-example-of-aes-gcm-using-evp-interfaces
 
-proposed: 3 types, req, resreq, res
-
-req (hmac1) rsa(seqno1 hmac1 aes1 seqno2 hmac2 aes2 auth) ecdh1
-res (hmac1) hash(rsa-contents) ecdh2
-
-req hmac0(*) rsa(seqno hmac0 hmac aes auth) hkdf-salt ecdh1
-res hmac0(rsa-contents ecdh2)
-   hmac_key = hkdf(hkdf-salt, hmac | ecdh)
-   aes_key  = hkdf(hkdf-salt, aes  | ecdh)
-
-TODO: protocol magic fixen(!!!)
-TODO: "global"
 TODO: verify
 TODO: make sense of overhead calculation
 TODO: if-up &c should not be scripts?
-TODO: low-power
+TODO: ipv6
+TODO: gvpectrl should not use default privatekey,. or maybe document it better
 	- INCOMPATIBLE CHANGE: core protocol version 1.0.
         - INCOMPATIBLE CHANGE: node sextions are now introduced
           with "node nodename", not "node = nodename".
@@ -64,6 +52,7 @@
           errors could occur and reset the connection. Transient hmac
           authentication errors are now being ignored for 3 seconds.
         - log the reason for a conneciton loss.
+        - use a (hopefully) constant time memcmp to compare internal secrets.
           
 2.25 Sat Jul 13 06:42:33 CEST 2013
 	- INCOMPATIBLE CHANGE: no longer enable udp protocol if no other