On 2021-02-28 at 17:09:28, Paul Wouters wrote:
On Sat, 27 Feb 2021, brian m. carlson wrote:
I'm wondering, however, if there's consensus for adding Curve448 as well
That is being tracked by the WG chairs.
Great.
The reason I ask is that in many implementations, of the NIST curves,
only P-256 is implemented in a constant-time manner, whereas Curve25519
and Curve448 are almost always implemented in a constant-time manner.
Is that a concern for openpgp ? openpgp is not an interactive protocol
where there is a server-client with possible MITM observing time spent?
People definitely do use OpenPGP for interactive uses where constant
time operations are relevant. For example, when you create a commit by
editing a file on GitHub, that commit will be signed by GitHub's private
key, which is an online use. This is hardly the only case where people
sign online.
We've also seen cases where people do encryption and decryption online,
such as by sending an encrypted message to an API and getting back an
error or not depending on whether the message could be successfully
decrypted.
I agree that these are not the typical uses of OpenPGP, but people
definitely do use it for online operations, and therefore, we need to
properly consider them when we secure the protocol.
--
brian m. carlson (he/him or they/them)
Houston, Texas, US
signature.asc
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp