Neal H. Walfield <neal(_at_)walfield(_dot_)org> writes:
Until now, OpenPGP didn't require buffering data. A decrypted AEAD chunk
MUST only be released when it has been authenticated. In the current
proposal, AEAD chunks are potentially unbounded (well, up to 4 exabytes...)
in size. No one can decrypt such chunks without cheating, i.e., releasing
unauthenticated plaintext.
This has been considered before, e.g. with S/MIME's authenticated encryption:
https://tools.ietf.org/html/rfc6476#section-6
and so far doesn't seem to have caused any major problems. That is, it's not
that there's a perfect solution, it's that actual problem situations seem to
be pretty rare.
If you want to do it right, you'd really want some formal academic treatment
rather than guessing at chunk sizes and what may or may not be needed, i.e.
typical message size X, typical chunk size Y gives these security bounds. PGP
is typically used to encrypt data at rest (make the chunk size the file size)
or short email messages (chunk size doesn't matter, it's short). That leaves
a remainder of large emails, which we know exist but don't know how frequent
they are or how often they're sent or from what sorts of systems.
Without hard data on what's actually needed, we're just bikeshedding... while
blindfolded.
Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp