On Thu, 14 Mar 2019 15:06:15 +0100,
Werner Koch wrote:
On Thu, 14 Mar 2019 14:47, neal(_at_)walfield(_dot_)org said:
Are you arguing like Werner that catching transmission errors is
enough and that we shouldn't bother with ciphertext integrity?
I never said this.
I was referring to this:
On Fri, 01 Mar 2019 15:50:15 +0100,
Werner Koch wrote:
> Let me repeat it again: The chunking was introduced for just one
> purpose: To be able to detect rare transmission errors earlier than at
> the end of the message.
My point was that you are discussing a certain
programming pattern on how to implement AEAD modes and I remarked that
the OpenPGP standard is about a protocol and not an implementation.
I agree that the OpenPGP standard is about a protocol. My suggestions
are about fixing a security hole in the proposed protocol.
BTW, OpenPGP provides ciphertext integrity for more than 15 years.
But not for streaming, which is what this discussion is about.
Experience showed that transmission errors are the major cause for false
MDC triggered alarms. We want to detect them earlier and not only at
the end of the transmission to support real world use cases. The move
from CFB+SHA1 to OCB can also be seen in the light of required
performance improvements.
Performance concerns are secondary to security concerns. But anyway,
your argument that large chunks are a sensible choice for large pipes
makes no sense, because the protocol doesn't require the
implementation to release chunks as soon as they are authenticated;
they can be buffered.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp