Standards: IETF WG proposing incompatible despite implementations and objections

Jeffrey Walton noloader at gmail.com
Thu Apr 27 18:44:33 CEST 2023


On Wed, Apr 26, 2023 at 8:37 PM Bruce Walzer <bwalzer at 59.ca> wrote:
> [...]
> There was a complaint that there were too many block encryption modes
> in one of the earlier drafts. There was OCFB, OCFB-MDC, OCB, EAX, and
> GCM. My understanding was that EAX was only there because of the
> uncertain patent status of OCB. Then GCM was added. The patent status
> of OCB is very clear now and has been for something like 3 years. If
> the process is capable of making substantive changes then EAX should
> be removed by now, thus at least partially reflecting the concern
> about too many block modes.

EAX was one of my favorite modes back in the early 2000s. It had a lot
of benefits with little downside. Cf.,
https://www.cryptopp.com/wiki/AEAD_Comparison .

To play devil's advocate... how does one decrypt an old message or
file encrypted using EAX mode if EAX mode is removed?

If EAX is going to be removed, then there has to be a path forward for
users. I think it is a bad idea to simply cut them off. That's bad
design and bad usability.

Perhaps it would be better to deprecate EAX mode, and suggest it not
be used for new messages. It might even be enforced by making it
runtime configurable, and defaulting to off.

Jeff



More information about the Gnupg-devel mailing list