Re: [openpgp] AEAD Chunk Size

Bart Butler <bartbutler@protonmail.com> Thu, 28 February 2019 19:44 UTC

Return-Path: <bartbutler@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 958B2130F7F for <openpgp@ietfa.amsl.com>; Thu, 28 Feb 2019 11:44:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wf4YgtriHWJ5 for <openpgp@ietfa.amsl.com>; Thu, 28 Feb 2019 11:44:51 -0800 (PST)
Received: from mail2.protonmail.ch (mail2.protonmail.ch [185.70.40.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D135C130FBD for <openpgp@ietf.org>; Thu, 28 Feb 2019 11:44:50 -0800 (PST)
Date: Thu, 28 Feb 2019 19:44:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1551383088; bh=zu2t16oe/m++83HHMXPVE0Og89VdybNWtm8ck7jmasc=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=nEHJChZ+ah5XTCaly3EYwkm1cu7i+H4bPA+fmKBRqxxBPmtEP5bdlIjQ9+K8Nm2HK RukVNyMD0gH10sLZJt/4m1oiEBu+puuv9tmhVm1SwJZzTLlJrQPg+n9N6eo9xSW2qT 8M3JqIZVypaE4Zu6aIX09k9L/6D2FZfJvkbSYkCM=
To: "Neal H. Walfield" <neal@walfield.org>
From: Bart Butler <bartbutler@protonmail.com>
Cc: Vincent Breitmoser <look@my.amazin.horse>, "openpgp@ietf.org" <openpgp@ietf.org>
Reply-To: Bart Butler <bartbutler@protonmail.com>
Message-ID: <WLJKnDhqfAcj2mWai1J6cWQijecNBEWcynMRXIYqSy5XzBQLD_C-SrU84jSNPvA_SQdVkKESr4qptvn123CnpsAAyczxkeaka0V-xmweGtY=@protonmail.com>
In-Reply-To: <87imx42tj9.wl-neal@walfield.org>
References: <87mumh33nc.wl-neal@walfield.org> <F9VLV9HZWH.3RYL3UM3BN873@my.amazin.horse> <3WZ7-hy9V7TOy53p1gP5EXELzHJIqjouV9x0YTN3PWsBZedKkqvVCRm-2XzGZy-FYAYdTqP1-7YV4wbTWMWAYhSujQA6NmrnIuXfZLRHkdQ=@protonmail.com> <87imx42tj9.wl-neal@walfield.org>
Feedback-ID: XShtE-_o2KLy9dSshc6ANALRnvTQ9U24aqXW2ympbGschdpHbU6GYCTUCtfmGhY9HmOyP1Uweyandwh1AVDFrQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha512; boundary="---------------------4f22db9c76945c90a1ad90e6ce332776"; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ObX0gFCjt00HHK-taxZfW7KkIzY>
Subject: Re: [openpgp] AEAD Chunk Size
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 19:44:55 -0000

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, February 28, 2019 12:42 AM, Neal H. Walfield <neal@walfield.org> wrote:

> On Wed, 27 Feb 2019 22:34:09 +0100,
> Bart Butler wrote:
> 

> > So ideally we’d prefer to keep the size byte, but to shrink its
> > range in both directions. For example, the RFC could state that the
> > chunk SHOULD be 16 kiB (or 256 kiB, hint hint), but decryption MUST
> > be available for `c` values between 8-12 inclusive. This would also
> > allow us to be backwards-compatible with messages that have already
> > been created following the current version of the draft, which do
> > exist given the benefit that AEAD provides and that OpenPGP.js has
> > supported the current draft in experimental mode for most of the
> > last year.
> 

> Could you please comment on the approximate number of messages that
> have been sent with AEAD? Is protonmail doing AEAD exclusively these
> days?

I can't because I do not know--it's an experimental feature in OpenPGP.js. I do know that some users of the library are using it internally in closed systems, and we'd prefer not to break decryption for their existing messages but also prefer not to keep supporting an obsolete draft. You could argue that they shouldn't have used an experimental feature for production but given how overdue AEAD is for PGP I find it difficult to blame them myself.

ProtonMail doesn't use V5 keys yet at all, as we exist within the federated email ecosystem and it would break compatibility. So this is not coming from us personally, just on behalf of the OpenPGP.js community in general.