On Wed, 23 Mar 2016 17:04, [email protected] said:

> Could you kindly point me to the discussion on the WG list? I’m new to
> the IETF world. Thanks.

They now have a strange mail archive but here is my last message
regarding this topic (also copied below):

<https://mailarchive.ietf.org/arch/msg/openpgp/gAPnZgCtjXNpHvl_hiXogcBrtsg>

BTW, there will be a WG session at IETF-95 on April 6, 11:00 - 12:30.
You may participate remotely:

<http://www.ietf.org/meeting/95/remote-participation.html>

> I have no objections against supporting multiple authenticated modes,
> including OCB. Like I said, the reason I would advocate for GCM is

That is not going to work. I am pretty sure that there is already a
rough consensus in the WG that we will add only one new encryption
format which will eventually replace the MDC format. The current
discussion is around the idea to detect a corrupt large message early
and not only after the full message has been processed.

> channel attacks. WebCrypto is now widely supported [2] and browsers
> also offer hardware acceleration for GCM [3].

GCM has only been developed to avoid the OCB patent which in fact is
irrelevant these days. And frankly it will take at least 5 years before
a new AE mode in OpenPGP will be widely deployed - by then the patent
has expired. OCB is way easier than GCM and thus also easier to
implement in JS.

Salam-Shalom,

   Werner

==========
From: Werner Koch <[email protected]>
Subject: Re: [openpgp] OpenPGP SEIP downgrade attack

On Thu, 8 Oct 2015 16:59, [email protected] said:

> (It's also not clear whether someone encrypting a 10k email message with PGP
> is going to notice it being processed at 100MB/s or 150MB/s).

I heard of backups somewhat larger than that. For mail it is anyway not
a problem - you sign and encrypt and you are done. Not even a need for
an MDC.

> (I actually really like OCB and don't like GCM much, but the patent situation
> makes it pretty problematic).

Well, for the majority of use cases there is a gratis license grant
from Phil Rogaway for his patents. Further
draft-zauner-tls-aes-ocb-03.txt states:

  6. Intellectual Property Rights Issues

  Historically OCB Mode has seen difficulty with deployment and
  standardization because of pending patents and intellectual rights
  claims on OCB itself. In preparation of this document all interested
  parties have declared they will issue IPR statements exempting use of
  OCB Mode in TLS from these claims. Specifically - OCB Mode as
  described in this document for use in TLS - is based, and strongly
  influenced, by earlier work from Charanjit Jutla on [IAPM].

At IETF-93 this case was mentioned and it was suggested to ask for a
similar license exception [1,2] if we consider using OCB for OpenPGP.

Salam-Shalom,

   Werner

[1] https://datatracker.ietf.org/ipr/2647/
[2] https://datatracker.ietf.org/ipr/2640/

--
Thoughts are free. Exceptions are regulated by a federal law.
