Daniel A. Nagy wrote:
I don't think it is dangerous if done properly, but it definitely does not
fit into CFB cipher context mode (which, by the way, is another thing that
is worth considering for retirement).
<broken record>
Yes please!
</scratch-kadunk-scratch-kadunk>
Actually, I am leaning toward introducing a general stream cipher mode of
which block ciphers operated in CTR mode are a special case. CTR has much
nicer theoretical properties than CFB in the sense that security assumptions
for block ciphers imply certain security properties for the stream cipher.
OpenPGP has these built-in application notions that inform
it on what is "in" and what is "out" ... which are basically
historical and probably due to be updated. E.g., ascii
armouring is "in" and s/mime is "out".
For all those (historical) reasons it probably makes sense
to sit down around a round table and craft a future
architecture of what is "base" and what is "extension". I'd
see stream modes as being "extensions".
(leaving the question of whether the base includes even a
block cipher mode to the round table ;)
So I suppose I'm heading over to one of these "big questions":
supposing that we do proceed to do a next generation, are we
planning on a "big" change over a 10 year cycle, or are we
planning on a "small" change with only modest fix-ups?
(I'm hoping here that we don't end up with a "small" change
taking 10 years .....)
iang
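The "general stream cipher mode of which CTR is a special case" idea from the quoted text, as an added worked example (not code from either poster or from any OpenPGP implementation). The block cipher here is an assumed toy 64-bit Feistel network built on HMAC-SHA256, standing in for AES so the example runs with only the Python standard library; the interface `keystream(key, nonce, nbytes)` is the assumed stream-cipher abstraction, with `ctr_keystream` (block cipher in CTR mode) and `prf_keystream` (a plain PRF) as two instances. It also shows the caveat any such mode inherits: reusing a nonce under one key hands an attacker the XOR of the two plaintexts.

```python
import hashlib
import hmac
import struct
from typing import Callable

BLOCK_BYTES = 8  # assumed toy 64-bit block; a real cipher such as AES uses 16
HALF = BLOCK_BYTES // 2


def _round_fn(subkey: bytes, half: bytes) -> bytes:
    # Feistel round function: a PRF (HMAC-SHA256) truncated to half a block.
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on one 8-byte block (toy stand-in for AES)."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:HALF], block[HALF:]
    for r in range(4):
        f = _round_fn(key + bytes([r]), right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


# The assumed general interface: (key, nonce, nbytes) -> keystream bytes.
Keystream = Callable[[bytes, bytes, int], bytes]


def ctr_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Block cipher in CTR mode: concatenate E_K(nonce || counter) for counter 0,1,2..."""
    assert len(nonce) == HALF, "nonce fills the upper half of the counter block"
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += toy_block_encrypt(key, nonce + struct.pack(">I", counter))
        counter += 1
    return bytes(out[:nbytes])


def prf_keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """A different instance of the same interface: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def stream_xor(keystream: Keystream, key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper learns when two messages share (key, nonce): c1 XOR c2 == p1 XOR p2."""
    c1 = stream_xor(ctr_keystream, key, nonce, p1)
    c2 = stream_xor(ctr_keystream, key, nonce, p2)
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


if __name__ == "__main__":
    key = b"k" * 16            # constructed sample key
    nonce = b"\x00\x01\x02\x03"  # constructed sample nonce
    pt = b"attack at dawn"
    ct = stream_xor(ctr_keystream, key, nonce, pt)
    assert stream_xor(ctr_keystream, key, nonce, ct) == pt
    leak = nonce_reuse_leak(key, nonce, b"hello world", b"HELLO WORLD")
    print("ctr ciphertext:", ct.hex())
    print("nonce reuse leaks p1^p2:", leak.hex())
```

Both keystream generators plug into the same `stream_xor`, which is the sense in which CTR is "just" a stream cipher; the security argument for the CTR instance reduces to the block cipher being a good pseudorandom permutation, whereas the nonce-reuse failure is a property of the stream abstraction itself and no choice of underlying primitive removes it.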