PRF. PBKDF2 is the devil you know. It behaves in completely
[...] Thus I consider it better to wait for
the outcome of the PHC
I agree; and I'm not convinced a future standard should be built on past
technology - apart from being for the sake of backwards compatibility.
The PBKDF2 argument is today's version of a 2000's "AES is fine and
well, but we should also include DESede - it's the devil you know".
Besides that, what do others think about OpenPGP's variant of CFB - in
particular the computationally cheap oracle it entails? Should it also
be updated, perhaps with an authenticating cipher mode which might also
kill the MDC birdie with the same stone?
With the CAESAR competition conclusion being a bit more down the road -
end of 2017 - what would a suitable AE mode be?
Regards,
Nils
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp