
Re: [openpgp] draft minutes for ietf113 openpgp session

2022-03-28 08:10:58
Stephen Farrell <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> writes:

Thanks again to Aron and Florence for taking good notes.
Our draft minutes for the session are at [1]. Please
send any corrections/clarifications/additions to the list
and/or chairs in the next week or so.

] Discussion:
] * Werner Koch (WK) dropped out of DT in summer, stating the critical questions were already done. Still, there have been large changes since then. AEAD started being deployed 4y ago, and is now being reworked already. The old AEAD packets were deprecated and new packets were added. Also doesn't think that adding a new KDF is a good idea, it adds complexity.
] * Daniel Huigens (DH): AEAD was changed because of a downgrade attack designed by Lara Bruseghini, converting GCM to CFB if the MDC is broken, leading to a decryption oracle. Therefore we added key separation. There are other possibilities, but changes were needed.

I don't think the attack was designed by Lara, AIUI she dug it up.

] * WK: Better option is to only allow one mode of operation, which should be OCB. Rather add an optional GCM packet rather than deprecating the old one.
] * Daniel Kahn Gillmor (DKG): Less is better, but changing the mode to OCB only is a major change already.
] * WK: Users should have choice of algorithm but not mode.
] * Paul Wouters (PW): This is an argument for discussion before we make a PR.
] * Justus Winter (JW): check with Werner to define a more precise proposal and discuss this on the mailing list.

That was someone else, I don't remember who though.

Justus
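The "key separation" DH mentions in the quoted minutes is the mitigation for the GCM-to-CFB downgrade: instead of feeding the session key directly to whichever cipher mode the packet header names, the implementation derives a per-message key with HKDF whose info string binds the cipher algorithm and AEAD mode, so a key meant for an AEAD packet is useless to a CFB (SEIPD v1) decryptor. The block below is an added illustration written for this page, not code from any OpenPGP implementation or from the draft; the exact info layout of the real specification is not reproduced here, and the mode identifiers (EAX=1, OCB=2, GCM=3) and AES-128 algorithm id (7) are taken from the OpenPGP registries as I recall them and should be treated as assumptions. HKDF is implemented on top of the standard library so the example runs offline, and it self-checks against RFC 5869 test case 1.

```python
import hashlib
import hmac

# Assumed registry values (check against the current draft before relying on them).
CIPHER_AES128 = 7
AEAD_EAX, AEAD_OCB, AEAD_GCM = 1, 2, 3
MESSAGE_KEY_LEN = 16  # AES-128 key length in octets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256 (T(i) = HMAC(prk, T(i-1) | info | i))."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_check() -> bool:
    """RFC 5869 test case 1: returns True if our HKDF matches the published OKM."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


def derive_message_key(session_key: bytes, salt: bytes,
                       cipher_algo: int, aead_mode: int, chunk_size_octet: int) -> bytes:
    """Mode-bound message key (illustrative info layout, NOT the spec's exact encoding).

    Binding cipher_algo and aead_mode into the HKDF info means that re-labelling
    the packet as a different mode, or as non-AEAD CFB, yields a different key,
    which is the point of the key separation referred to in the minutes.
    """
    info = bytes([cipher_algo, aead_mode, chunk_size_octet])  # assumed layout
    return hkdf_expand(hkdf_extract(salt, session_key), info, MESSAGE_KEY_LEN)


def keys_are_separated(session_key: bytes, salt: bytes) -> bool:
    """True if OCB, GCM, EAX message keys and the raw session key are all distinct.

    A CFB-only decryptor that ignores the derivation step would use session_key
    directly, which no longer matches any AEAD packet's message key.
    """
    derived = {
        derive_message_key(session_key, salt, CIPHER_AES128, mode, 6)
        for mode in (AEAD_EAX, AEAD_OCB, AEAD_GCM)
    }
    return len(derived) == 3 and session_key not in derived


if __name__ == "__main__":
    # Constructed sample inputs; a real implementation uses fresh random values.
    sample_session_key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    sample_salt = bytes(32)
    print("HKDF self-check:", hkdf_self_check())
    print("per-mode keys distinct from session key:",
          keys_are_separated(sample_session_key, sample_salt))
```

The important property is that the derivation, not the packet header alone, decides which key the decryptor ends up with; a decryptor has to run the same derivation with the mode it believes it is in, so a header rewrite does not give it the key of a differently labelled packet.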


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp