ietf-openpgp

Re: [openpgp] Request on Adding ChaCha20-Poly1305 to the OpenPGP Standardization

2020-04-15 20:47:27
Bart Butler <bartbutler=40protonmail(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org> writes:

It does not seem worth it to me, at least at this time.

Another problem with ChaCha20-Poly1305 is that it's incredibly brittle unless
you get the keying details exactly 100% right.  There are at least two
full-blown lengthy RFCs written that cover nothing but the complex keying
requirements, and if you get them wrong you get a catastrophic failure of
security.  For things like TLS it may not be that bad because an attacker
would have to intercept and analyse live data at a particular point in time,
while for OpenPGP they could go back years later to stored data to take
advantage of a flaw.  It's like using nitroglycerine vs. TNT, they both have
the same end effect if you get everything just right, but I'd never even
consider the former.

Peter.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp