(I think I emailed about this already, but from an account which gets
dropped by DMARC policy.)
There is a perfectly good (standardized even!) robust authenticated
encryption mode: SIV.
A nonce-length of 128-bits (which you get using a 128-bit block
cipher) is rather short, but note that for asymmetric encryption
modes, a new key is used per message.
I think that streaming encryption is well outside the scope of this
WG. Is there some compelling argument that it is required for
encrypting email messages?
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp