On Thu, Apr 14, 2022 at 8:53 PM Daniel Kahn Gillmor
<dkg(_at_)fifthhorseman(_dot_)net> wrote:
> The end user wants to see the cleartext!
Under that basis one could argue that whenever unsupported ciphers are
requested the system ought to send cleartext embedded in a pgp
binary/ascii-armored message. ... Silently failing to insecure, or
less-secure-than-believed, behavior isn't great. :)
I apologize for the potentially ignorant question-- but why are these
hybrid cryptosystems not just treated as a single cryptosystem e.g.
"classic mceliece xyz + ed448" or whatever? In analyzing the security
and performance of a hybrid scheme and in maintaining it long term
(e.g. announcing concerns about failures in its components costs) it
would be much easier to do so if it were treated as a single atomic
unit.
"Your messages are secure, unless some of them happened to be
encrypted without function-bar in parallel, which you wouldn't know
because these messages were silently accepted in spite of your key
requesting otherwise."
One doesn't generally allow users to request and initialize the
discrete log cryptosystems under every conceivable combination of
field/group/parameters, though OpenPGP certainly could have been
designed with that kind of build-your-own-cryptosystem approach.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp