AES-GCM and AEAD Protected Data Packet (IETF draft)

Tankred Hase mail at
Wed Mar 23 17:04:59 CET 2016

Hi Werner,

thanks for quick response.

> Am 23.03.2016 um 22:56 schrieb Werner Koch <wk at>:
> As I mentioned on the WG list, I would really like to see OCB used for
> OpenPGP.  OCB is far superior over any other AE modes.  There are no
> software patent issues even for closed source software with the
> exception for those whose business it is to kill people.

Could you kindly point me to the discussion on the WG list? I’m new to the IETF world. Thanks.

I have no objections against supporting multiple authenticated modes, including OCB. Like I said, the reason I would advocate for GCM is because of its support in the WebCrypto api [1]. Until now, OpenPGP.js has relied on JavaScript implementations of crypto primitives. These are are not only slower, but are also subject to well known side channel attacks. WebCrypto is now widely supported [2] and browsers also offer hardware acceleration for GCM [3].

Several application like Mailvelope and ProtonMail use OpenPGP.js and with the emergence of frameworks like electron and Microsoft’s Universal JS apps on Windows 10, probably more application will in the future.



More information about the Gnupg-users mailing list