On 7/2/15 3:49 PM, Tankred Hase wrote:
> We've already gotten feedback from other vendors using OpenPGP.js such
> as Mailvelope and 1&1, and we would also like to hear what others in
> the community have to say about it. Here is our current proposal:
>
> https://github.com/whiteout-io/mail-html5/wiki/Secure-OpenPGP-Key-Pair-Synchronization-via-IMAP
>
> Thanks for any feedback!

I think that it's unrealistic to have people type a 24 character passphrase:

"The passphrase SHOULD be a random high-entropy uppercase alphanumeric string of 24 characters, generated from a cryptographically secure pseudo-random number generator (CSPRNG)."

For that reason the maximum key-stretching possible should be employed in order to increase the entropy that can derive from a low-entropy password.

For that reason the hashing of the key should use algorithms that are much more difficult to parallelize, such as scrypt (and in the upcoming future yescrypt, likely coming as a winner from the password-hashing competition).

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

_______________________________________________
http://openpgpjs.org
Subscribe/unsubscribe: http://list.openpgpjs.org
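
The trade-off discussed in this message, as an added example that is not part of the thread or of the Whiteout proposal: it compares the entropy of the proposed 24-character passphrase with that of a short typed password, and stretches a passphrase with Node's built-in scrypt. The scrypt parameters (N = 2^15, r = 8, p = 1), the 32-byte output, the NFKC normalization and the sample password are assumptions chosen for illustration.

```javascript
// Added example; parameter choices are assumptions, not values from the proposal.
const crypto = require('node:crypto');

// Uppercase alphanumeric alphabet named in the quoted proposal text (36 symbols).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Entropy in bits of a uniformly random string over an alphabet.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// Passphrase drawn from a CSPRNG; crypto.randomInt avoids modulo bias.
function generatePassphrase(length = 24) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[crypto.randomInt(ALPHABET.length)];
  }
  return out;
}

// Memory one scrypt evaluation needs: 128 * N * r bytes. This per-guess
// memory cost is what makes massively parallel guessing expensive.
function scryptMemoryBytes({ N, r }) {
  return 128 * N * r;
}

// Stretch a passphrase into a 32-byte key. The salt must be random per user
// and stored next to the encrypted key so the derivation can be repeated.
function stretch(passphrase, salt, params = { N: 2 ** 15, r: 8, p: 1 }) {
  // Node rejects parameters above its 32 MiB default limit, so raise maxmem.
  const maxmem = scryptMemoryBytes(params) * 2;
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, { ...params, maxmem });
}

// Demo with constructed inputs.
const salt = crypto.randomBytes(16);
const typed = 'correcthorse'; // constructed sample of a human-chosen password
console.log('24 random chars :', entropyBits(36, 24).toFixed(1), 'bits');
console.log('8 lowercase     :', entropyBits(26, 8).toFixed(1), 'bits (upper bound)');
console.log('memory per guess:', scryptMemoryBytes({ N: 2 ** 15, r: 8 }) / 2 ** 20, 'MiB');
console.log('sample generated:', generatePassphrase());
console.log('stretched key   :', stretch(typed, salt).toString('hex'));
```

Stretching does not add entropy to a weak password; it raises the time and memory cost of each guess.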

