On Tue, 2015-03-17 at 11:27 -0400, Derek Atkins wrote:
I don't agree with this statement. It wasn't flexibility that stopped
changing CFB, it was that CTR mode was relatively new when the group was
working on 4880 (I'm not sure it even existed when we did 2440). And
compatibility was always (generally) paramount. I.e., if it ain't
completely broke let's not fix it.. and where it is broke, let's fix it
in the most compatible way.
Were I do start from scratch today then yes, I'd just use GCM. We could
certainly add a GCM mode and a preference to specify support for it.
But for interop I don't think we could drop CFB support completely from
Could you elaborate on that?
I probably lack some decent+recent cryptanalysis of CFB as used with
OpenPGP, but at least we had quite a number of crypto systems where it
caused all kinds of issues recently.
So *if* there's a new OpenPGP v.X (and not just "amendments" as with
Ed25519), shouldn't it be actually a goal to get current state of the
Description: S/MIME cryptographic signature
openpgp mailing list