Re: [openpgp] Replacing the OpenPGP Encryption Mode is Harmful and Pointless

Daniel Huigens <d.huigens@protonmail.com> Mon, 18 July 2022 09:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/xXm5MuWs0XmPHQTtOj-dB-uBPFQ>

On Friday, July 15th, 2022 at 21:27, Bruce Walzer <bwalzer@59.ca> wrote:

> If the error is in the spec, then I, as the application programmer,
> have to deal with it somehow. So I can't get around having to decide
> what to provide the user instead of the message they are expecting.

Sure. My argument is that you can safely decide not to provide anything
in this case, because in practice, this situation won't occur.

> Why would the application programmer prefer having to dechunk the
> message?

The application programmer doesn't have to do that. The OpenPGP library
can do so. The advantage for the application programmer is that they
get data sooner (when streaming) when the library does this check.

> I don't understand how this relates to anything I said in the article.

In your article, you proposed using signatures to fix EFAIL. I pointed
out that this is mixing up responsibilities.

> I was not suggesting that anonymous/unsigned messages should be
> withheld, only modified.

The point still stands: using signatures to fix EFAIL is impractical and
inefficient. Also, I think modifying unsigned messages would cause much
worse UX.

> Are we implying here that OCFB-MDC is inefficient?

Yes, AEAD is more efficient than OCFB-MDC in both our implementations.
OCB, for example, is a single-pass algorithm, which means it looks at
the data only once, while OCFB-MDC has to go over the data twice.

> At some point experience has to trump analysis. If 20 years
> is not enough then how long would it take?

Why do you think that a scheme not being broken in the past 20 years
means that it won't be broken in the coming 20 years? In any case, OCB
is also 10 years old at this point, if you value that more. Combined
with a security proof (based on some reasonable assumptions), to me it
inspires more confidence than OCFB-MDC.

Best,
Daniel
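
Added example, not part of the original message and not code from any OpenPGP implementation: a sketch of the chunked authenticated decryption discussed above, in which a library hands each chunk to the application only after that chunk's tag verifies. HMAC-SHA-256 encrypt-then-MAC over a SHAKE-256 keystream stands in for the AEAD mode (it is not OCB and not the OpenPGP wire format); the chunk size, key, message and all function names are constructed for illustration.

```python
import hashlib
import hmac

CHUNK = 16  # constructed, tiny chunk size so the sample spans several chunks

def _xor_stream(key, idx, data):
    # Toy keystream (SHAKE-256 over key and chunk index); key must be per-message.
    ks = hashlib.shake_256(b"enc" + key + idx.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, kind, idx, data):
    # The chunk index is authenticated, so chunks cannot be reordered unnoticed.
    return hmac.new(key, kind + idx.to_bytes(8, "big") + data, hashlib.sha256).digest()

def encrypt_chunked(key, plaintext):
    chunks = []
    for idx, off in enumerate(range(0, len(plaintext), CHUNK)):
        ct = _xor_stream(key, idx, plaintext[off:off + CHUNK])
        chunks.append((ct, _tag(key, b"chunk", idx, ct)))
    # Final tag binds chunk count and total length, which detects truncation.
    final = _tag(key, b"final", len(chunks), len(plaintext).to_bytes(8, "big"))
    return chunks, final

def decrypt_stream(key, chunks, final):
    """Yield plaintext chunk by chunk, each only after its own tag verifies."""
    total = count = 0
    for idx, (ct, tag) in enumerate(chunks):
        if not hmac.compare_digest(tag, _tag(key, b"chunk", idx, ct)):
            raise ValueError(f"chunk {idx} failed authentication")
        total += len(ct)
        count = idx + 1
        yield _xor_stream(key, idx, ct)
    if not hmac.compare_digest(final, _tag(key, b"final", count, total.to_bytes(8, "big"))):
        raise ValueError("final tag mismatch: message truncated or extended")

def released_before_error(key, chunks, final):
    """Return (plaintext handed to the application, error message or None)."""
    out = []
    try:
        for pt in decrypt_stream(key, chunks, final):
            out.append(pt)
    except ValueError as exc:
        return b"".join(out), str(exc)
    return b"".join(out), None

KEY = hashlib.sha256(b"constructed per-message session key").digest()
MESSAGE = b"constructed sample: forty-eight bytes of text!!!"
```

Every byte released this way has been authenticated, but a truncated stream is only detected at the final tag, after the earlier chunks have already been handed over.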