ietf-openpgp
[Top] [All Lists]

Re: [openpgp] AEAD Chunk Size

2019-03-30 11:42:51
Hi Ben,

One concern that I have (and is only tangentially related to this quoted
part) is that I want to make it easy for implementations to "do the right
thing" when ciphertext is modified, i.e., return an error, and specifically
to return an error without releasing any plaintext that originates from the
modified ciphertext. The current openpgp ecosystem does not seem to be
very compliant to that desired behavior, and part of that may be due to a
lack of philosophical support/help from the spec.



If you mean 'modified ciphertext' to equal 'modified chunk', and are OK with 
releasing previously unauthenticated chunks, then I completely agree. The 
alternative is is just no streaming.

I'm still not sure I understand the point of very large chunks, since once
they get really big an implementation is choosing between streaming
plaintext from potentially modified ciphertext or return an error without
even attempting to process the chunk. I'm not convinced that the second
will win out in implementations if we alow very large chunks.



Agreed. Part of the rationale with a smaller chunk limit is not forcing 
implementations to make this choice. The guidance becomes very simple--never 
release unauthenticated chunks, full stop.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
<Prev in Thread] Current Thread [Next in Thread>