Am 03.03.2019 um 19:36 schrieb Tobias Mueller:
Having said that, I understand the desire for fixing a chunk size to
reduce complexity for implementers. My desire as a user is to have a
strong and resilient protocol. As such I prefer producing messages that
enjoy strong protection against modification. That includes my emails
or backups larger than 16kB, 256kB, or whatever size you come up with.
Chunking breaks plaintexts of arbitrary size into many smaller "chunks"
and adds an authentication tag to each chunk. The advantage of smaller
chunks is that the plaintext can be cached until the chunk's auth tag is
validated. That's to guarantee that no unauthenticated plaintext is
released. (Leaving truncation aside.)
Your reasoning regarding proper AE is correct, but you are drawing the
wrong conclusions. You want small chunks to do proper AE! This implies
no limit to the overall size of the plaintext.
I also don't see any reason to keep the variable chunk size. We should
fix it to something between 16kB and 64kB.
Best,
Sebastian
pEpkey.asc
Description: application/pgp-keys
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp