On Thu 2019-04-25 10:11:33 +0100, Jonathan McDowell wrote:
> A move to easily enable key material > 2^16 bytes seems to be in
> conflict with dkg's work on trying to reinvigorate the usefulness of key
> servers + the suggestion to limit key material packets to < 8383 bytes.

For existing OpenPGP key types, i do hope that sane implementations will
keep to the limits i've suggested in
draft-dkg-openpgp-abuse-resistant-keystore. But i think Werner's change
to 4-octet length representation during fingerprint and signature
calculations is intended to allow for significantly larger keys if there
are any post-quantum algorithms that need it.

If we get to a world where PQ keys of that size are necessary, the
guidance on abuse-resistant keystores will need to be updated to
accommodate the new algorithms, of course. But presumably any
cryptographically-validating keystore will need significantly more work
to implement the PQ algorithms, so a change to those suggested limits is
pretty minor in comparison -- not too big a deal.

And to be clear: this isn't mandating a 4 octet length on the wire for
all keys -- keys in transport can still use OpenPGP's weird
packed-type-length encoding and shave off a couple bytes that way when
they're aiming for smallness. We're only talking about 4 octets in RAM
when calculating the key fingerprint or the signature, right?

so i agree with Jonathan that it's not tightly aligned with the work to
set forward simple guidance for abuse-resistant keystores, but i don't
think it's in direct conflict with it either, and i support the move to
a 4-octet length in fingerprint and signature calculations for v5.

--dkg
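Added example (not part of the thread, and not code from any OpenPGP implementation) illustrating the distinction dkg draws: the compact new-format packet length used on the wire versus the fixed 4-octet length that exists only in the v5 fingerprint hash input. The 0x99/2-octet (v4) and 0x9A/4-octet (v5 draft) constructions follow RFC 4880 and the rfc4880bis draft as understood here; the sample key body is constructed and is not a real key.

```python
import hashlib
import struct

# Constructed sample key-packet body (version, creation time, algorithm id,
# key material). It is not a real key; the bytes are made up for illustration.
SAMPLE_BODY = b"\x04" + b"\x5c\xc1\x5f\x00" + b"\x01" + b"\xaa" * 300

def new_format_length(n: int) -> bytes:
    """RFC 4880 section 4.2.2 new-format packet length: the compact wire form.
    1 octet for 0..191, 2 octets for 192..8383 (the 8383 figure in the thread
    is the top of this range), else 0xFF plus a 4-octet big-endian length."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    if n <= 0xFFFFFFFF:
        return b"\xff" + struct.pack(">I", n)
    raise ValueError("body too large for a definite-length header")

def wire_packet(tag: int, body: bytes) -> bytes:
    """Public-Key packet as sent on the wire: new-format tag octet, compact
    length, body. The length hashed for the fingerprint is chosen separately."""
    return bytes([0xC0 | tag]) + new_format_length(len(body)) + body

def fingerprint_input(version: int, body: bytes) -> bytes:
    """Octets hashed for the key fingerprint. v4 (RFC 4880 12.2): 0x99 and a
    2-octet length; v5 (rfc4880bis draft): 0x9A and a 4-octet length. Neither
    is the wire header: the length field here exists only in the hash input."""
    if version == 4:
        if len(body) > 0xFFFF:
            raise ValueError("v4 length field is 2 octets; body exceeds 65535")
        return b"\x99" + struct.pack(">H", len(body)) + body
    if version == 5:
        return b"\x9a" + struct.pack(">I", len(body)) + body
    raise ValueError("unsupported key version")

def fingerprint(version: int, body: bytes) -> bytes:
    """SHA-1 for v4, SHA-256 for v5, over fingerprint_input()."""
    digest = hashlib.sha1 if version == 4 else hashlib.sha256
    return digest(fingerprint_input(version, body)).digest()

def fits_length_field(version: int, body_len: int) -> bool:
    """Whether a key body of body_len octets can be fingerprinted at all:
    v4 caps out at 65535, v5's 4-octet field reaches 2**32 - 1."""
    return body_len <= (0xFFFF if version == 4 else 0xFFFFFFFF)
```

A 70000-octet body cannot be given a v4 fingerprint at all, while on the wire its header is still only five octets, which is the point that the 4-octet length is an in-memory hashing detail rather than a transport cost.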
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp