Hi,
On Fri, 2019-03-01 at 09:45 +0100, Neal H. Walfield wrote:
I think that security concerns should be our first priority. And, any
flexibility increases our bug potential. As such, I'm not convinced
that we shouldn't use a fixed chunk size.
Note that introducing "chunks" diverts from authenticated encryption and
increases the bug potential. That is, an implementation may more easily
release plaintext although the ciphertext has been modified.
The AE mode is OpenPGP's chance to become a protocol which enjoys the
strong security guarantees of AE and catch up with S/MIME.
By fixing a "chunk size" you take away the ability to benefit from AE
for messages bigger than that size.
Implementations could easily collect all chunks and only release the
plaintext once all chunks check out successfully. But that could go
wrong. And depending on implementations to get things right and clients
to use those implementations correctly is exactly what enabled Efail to
become an issue. I think it'd be much nicer if the protocol already
ensures that my emails do indeed enjoy protection against modification
rather than me having to rely too much on clients getting it right.
Having said that, I understand the desire for fixing a chunk size to
reduce complexity for implementers. My desire as a user is to have a
strong and resilient protocol. As such I prefer producing messages that
enjoy strong protection against modification. That includes my emails
or backups larger than 16kB, 256kB, or whatever size you come up with.
Is there another way to do real AE?
Cheers,
Tobi
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp