On Sat, Mar 30, 2019 at 11:59 PM Peter Gutmann
<pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> wrote:
I'm not saying remove it, just get some data to support making a decision in
some way. In particular, AEAD is a good thing, but there's no evidence that
chunking with AEAD, which complicates things greatly, is useful or necessary.
I know you're tired of hearing about it... but EFail.
Even if PGP used AEAD, but without chunks, EFail would probably still
happen. If the AEAD data is arbitrarly large, then implementations
would be forced to provide a streaming API that discloses
unauthenticated plaintext, and the same thing would happen.
Unfortunately I'm not aware of other examples, though I'm pretty sure
they must exist... But why should we wait for more of this issues to
happen before fixing the underlying cause, if we can fix it now? (And
"now" meaning many years hence, since the standard will take a while
to be adopted).
Adam Langley has a good post about it:
https://www.imperialviolet.org/2014/06/27/streamingencryption.html
And many examples of cryptographers claiming releasing unauthenticated
plaintext is dangerous:
https://crypto.stackexchange.com/questions/41087/is-there-an-upper-limit-to-plaintext-size-in-xsalsa20poly1305/51439
https://crypto.stackexchange.com/questions/51537/delayed-tag-checks-in-aes-gcm-for-streaming-data
Conrado
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp