brian m. carlson <sandals(_at_)crustytoothpaste(_dot_)net> writes:
> I'm interested in seeing if we can require v5 SKESK packets with RSA use RSA-OAEP with SHA-256 and MGF1-SHA-256 and require that v5 signatures with RSA use RSA-PSS, with the MGF using the same digest as the signature.
Apart from adding a huge amount of complexity and potential interop problems, you're not really gaining anything by this that isn't already addressed by "MUST use encode-then-memcmp() for signatures". PKCS #1 signing is perfectly secure if you do that, and PKCS #1 encryption doesn't matter much because PGP isn't likely to be used in situations where it acts as an online million-message oracle.
See also my post to the cryptography list last year about all the games an
attacker can play with OAEP because the parameters aren't authenticated and
therefore attacker-controlled.
Peter.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
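The "encode-then-memcmp()" rule Peter refers to, shown as an added example that is not code from this thread or from any OpenPGP implementation. It builds a toy RSA key inline (constructed, deterministic seed, not for real use), applies the EMSA-PKCS1-v1_5 encoding from RFC 8017 with the SHA-256 DigestInfo prefix, and verifies a signature by recomputing the whole expected encoded block and comparing it with `hmac.compare_digest` (the constant-time stand-in for memcmp). The `lenient_check_em` function is a constructed illustration of the parse-then-compare pattern the rule replaces: it walks the padding and compares only the hash, so trailing bytes after the hash are never examined, whereas the full-block comparison rejects any block that differs anywhere.

```python
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin probable-prime test (toy key generation only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    # Top two bits set so p*q has exactly the requested size.
    while True:
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand, rng=rng):
            return cand


def generate_toy_key(bits=1024, seed=1):
    """Constructed RSA key (n, e, d) for the demo; seeded PRNG, NOT for real use."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def emsa_pkcs1_v1_5_encode(message, em_len):
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2): 0x00 0x01 PS 0x00 T, T = DigestInfo || SHA-256(M)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v1_5_encode(message, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def strict_check_em(em, message):
    """Encode-then-compare: rebuild the entire expected block and compare all of it."""
    return hmac.compare_digest(em, emsa_pkcs1_v1_5_encode(message, len(em)))


def lenient_check_em(em, message):
    """Parse-then-compare (the pattern encode-then-memcmp replaces; do NOT use):
    accepts any number of 0xFF bytes, then compares only the 32-byte hash after
    the DigestInfo prefix, so whatever follows the hash is ignored."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = em[i + 1:]
    if not t.startswith(SHA256_DIGESTINFO_PREFIX):
        return False
    start = len(SHA256_DIGESTINFO_PREFIX)
    return t[start:start + 32] == hashlib.sha256(message).digest()


def verify_encode_then_compare(message, signature, n, e):
    """RSASSA-PKCS1-v1_5 verification done the encode-then-memcmp way."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return strict_check_em(em, message)


if __name__ == "__main__":
    n, e, d = generate_toy_key(1024, seed=7)
    msg = b"constructed test message"
    print("valid:", verify_encode_then_compare(msg, sign(msg, n, d), n, e))
```

Running the module signs a constructed message and verifies it; the point of the strict checker is that it never parses the recovered block at all, so padding-length and trailing-byte ambiguities cannot arise, and the comparison is constant-time as a bonus.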