ietf-openpgp

Re: [openpgp] AEAD Chunk Size

2019-03-18 09:25:00

> When using chunking correctly, the emitted plaintext is not partially
> authenticated; it is fully authenticated: all of the bytes are right.
> As such, I'd prefer to use the term "authenticated prefix" in place of
> "partially authenticated plaintext".

I'm not sure calling individual bytes "authenticated" is valid if they have been
authenticated as part of a larger message. But I don't mind the terminology much
one way or another.

>   - Should an implementation ever be allowed to emit unauthenticated
>     plaintext?
>
>     Is it okay to have a --do-it-anyway flag?  How do we prevent
>     implementors from doing it anyways?

I don't think we can do too much there, one way or another.

>   - What should an implementation do if it is passed a large message
>     (say n times the available RAM) and chunking is disabled?

They can decide between failing hard, buffering to disk, or taking
responsibility for emitting unauthenticated output. Note that this choice is
much easier at implementation time if the chunk size isn't variable - either you
support chunking, or you don't.

> I'm concerned about an attacker's ability to twiddle the chunking bit.
> Do you have any thoughts on how to prevent this?

Good point. I guess we could simply stick with the "empty chunk at the end"
mechanism, which implementations have to have anyways for chunked AE?

 - V

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
