Description
Currently we have this comment in the crypto appendix:
All encrypted messages must be authenticated. Given this, for ANY use of CBC mode there MUST be an associated hashing function or MAC to validate the message. In general, this MUST be applied in the Encrypt-Then-Hash method (but TLS 1.2 uses Hash-Then-Encrypt instead). If this cannot be guaranteed, then CBC MUST NOT be used.
We have received this comment from Bart Preneel:
I would not hide such an important aspect in an appendix. I would also rewrite it as follows:
All encrypted messages must be authenticated. Given this, for ANY use of CBC mode there MUST be an associated hashing function or MAC algorithm to validate the message. In general, this MUST be applied in the Encrypt-Then-Hash method (but TLS 1.2 uses Hash-Then-Encrypt instead). If this cannot be guaranteed, then CBC MUST NOT be used. The only application where encryption without a MAC algorithm is allowed is disk encryption.
If CBC is used, it shall be guaranteed that the verification of the padding is performed in constant time.
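For reference while we decide where the text goes, here is what the two requirements in the comment above (authenticate before decrypting, and verify padding without data-dependent early exits) look like in code. This is an added illustration written for this issue, not text from the appendix and not Bart's, and it is not the project's own implementation. It assumes HMAC-SHA256 as the MAC with a MAC key separate from the encryption key, and it stands in a toy 4-round Feistel cipher built on HMAC for AES so the example runs with only the Python standard library; all function names are mine.

```python
"""Encrypt-then-MAC around CBC, plus a PKCS#7 check structured for constant time.

Added example for this issue (not the project's code).  The block cipher is a
toy Feistel network keyed with HMAC-SHA256, chosen only so the example runs
with the standard library; use AES-CBC in real code.
"""
import hashlib
import hmac
import os

BLOCK = 16       # block size in bytes, same as AES
ROUNDS = 4
TAG_LEN = 32     # HMAC-SHA256 output
STATS = {"cbc_decrypt_calls": 0}   # lets a caller observe whether decryption ever ran


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function over one 8-byte half, truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _feistel_round(key, i, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _feistel_round(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes):
    """Validate PKCS#7 padding with no data-dependent early exit.

    All of the last BLOCK bytes are inspected on every call and the verdict is
    accumulated in `bad`, which is the structure a constant-time C version
    needs.  CPython gives no timing guarantees, so this shows the pattern only.
    Returns (ok, plaintext); plaintext is b'' when ok is False.
    """
    pad = data[-1]
    # pad must satisfy 1 <= pad <= BLOCK; take the sign bits instead of branching.
    bad = ((pad - 1) >> 8) & 1 | ((BLOCK - pad) >> 8) & 1
    for i in range(BLOCK):
        mask = -(((i - pad) >> 8) & 1)      # all ones while i < pad, else 0
        bad |= mask & (data[-1 - i] ^ pad)  # non-zero if a padding byte mismatches
    ok = bad == 0
    return ok, data[:len(data) - pad] if ok else b""


def cbc_encrypt(enc_key: bytes, iv: bytes, padded: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(enc_key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(enc_key: bytes, iv: bytes, ct: bytes) -> bytes:
    STATS["cbc_decrypt_calls"] += 1
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += _xor(toy_block_decrypt(enc_key, block), prev)
        prev = block
    return out


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, iv: bytes = None) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and the entire ciphertext."""
    iv = iv or os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, message: bytes):
    """Verify the tag first; only an authentic ciphertext is ever decrypted."""
    if len(message) < 2 * BLOCK + TAG_LEN or (len(message) - TAG_LEN) % BLOCK:
        return None
    iv, ct, tag = message[:BLOCK], message[BLOCK:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None      # rejected before CBC runs, so padding never becomes an oracle
    ok, pt = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    return pt if ok else None


if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)   # constructed keys
    msg = seal(ek, mk, b"attack at dawn")
    assert unseal(ek, mk, msg) == b"attack at dawn"
    forged = bytearray(msg)
    forged[BLOCK + 3] ^= 0x01                 # flip one ciphertext bit
    assert unseal(ek, mk, bytes(forged)) is None
    print("decryptions run:", STATS["cbc_decrypt_calls"])   # 1: the forgery never reached CBC
```

The ordering in `unseal` is the whole point of the first requirement: a forged or bit-flipped message is dropped on the tag check, and the `STATS` counter makes it visible that CBC decryption and the padding check never execute for it. The second requirement only matters when that ordering cannot be guaranteed (the MAC-then-Encrypt layout the comment mentions for TLS 1.2), and `pkcs7_unpad` shows the shape such a check has to take: fixed work regardless of where the padding is wrong.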