Jon Callas <joncallas(_at_)icloud(_dot_)com> writes:
I think that if Peter wanted to remove AEAD, he’d just say that.
I'm not saying remove it, just get some data to support making a decision in
some way. In particular, AEAD is a good thing, but there's no evidence that
chunking with AEAD, which complicates things greatly, is useful or necessary.
Here's three actual real-world data points:
For the last twenty-eight years, PGP has had functionality equivalent to AEAD
in the form of encrypt+sign. The only mechanism this supported was chunk-
size = data-size, and in twenty-eight years this never seems to have
caused/been seen as a problem.
If you don't think encrypt+sign is equivalent functionality then we've also
had pseudo-AEAD in the form of MDC for eighteen years (draft-ietf-openpgp-
rfc2440bis-02) and chunking wasn't an issue then either.
Finally, CMS has had this for more than a decade (Authenticated-Enveloped-
Data) and it's not been a problem there either.
Why is it suddenly a big deal now, and only with OpenPGP, after twenty-eight
or eighteen years (depending on which one you choose) of equivalent mechanisms
not being a problem? Is this because it really is, or just because AEAD can
do all sorts of cool things and people want to play with them?
Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp