[Top] [All Lists]

Re: [openpgp] AEAD Chunk Size

2019-02-28 02:56:23
On Thu, 28 Feb 2019 01:45:52 +0100,
Bart Butler wrote:
It does, and normally on this kind of thing I would completely agree with 
you, but in this case I think there are two mitigating factors:

1. AEAD chunk size does not limit message/file size in any meaningful way 
assuming we set the upper limit chunk size to something reasonable like 1024 
kiB, you just use multiple chunks, which is the idea anyway.
2. Abuse potential in an open standard

It's #2 which is really compelling for me for exactly the reason that we DO 
want this to be usable for arbitrary uses and message sizes in federated 
contexts, and for that to be possible we need to try to set reasonable limits 
to prevent malicious or careless users from creating bad-but-legal payloads.

I fully agree with #2.  I am convinced that it is imperative that we
avoid introducing potential attack surfaces that have no value.

openpgp mailing list