I've opened a pull request that defines an AEAD encrypted data packet
using GCM. This work is necessarily incomplete, because it doesn't
define a new version of the symmetrically-encrypted data packet, which
we'd want, and it doesn't define a new encoding for the secret key
packet.
GCM seems to be the uncontroversial choice here. It's used in TLS and
other protocols, and it provides adequate security. It isn't encumbered
by patents. It performs reasonably well.
Other alternatives include OCB and CTR with HMAC. I personally object
to OCB because it's patented, and while I like CTR with HMAC, it was my
impression that the rest of the working group would not share my
opinion.
While I understand that we are not interested in adding general
extensibility to the protocol, I opted to include an octet for the AEAD
algorithm in case someone wants to define OCB or something like
ChaCha20-Poly1305. ChaCha20 cannot use GCM, but it is a popular
algorithm that performs well on many architectures and is well-suited to
embedded systems.
I've proposed this as a starting point and welcome further comments.
[0] https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/2
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
signature.asc
Description: PGP signature
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp