AES-GCM and AEAD Protected Data Packet (IETF draft)
wk at gnupg.org
Thu Mar 24 10:51:08 CET 2016
On Wed, 23 Mar 2016 17:04, mail at tankredhase.de said:
> Could you kindly point me to the discussion on the WG list? I’m new to
> the IETF world. Thanks.
They now have a strange mail archive but here is my last message
regarding this topic (also copied below):
BTW, there will be a WG session at IETF-95 on April 6, 11:00 - 12:30.
You may participate remotely:
> I have no objections against supporting multiple authenticated modes,
> including OCB. Like I said, the reason I would advocate for GCM is
That is not going to work. I am pretty sure that there is already a
rough consensus in the WG that we will add only one new encryption
format which will eventually replace the MDC format. The current
discussion is around the idea to detect a corrupt large message early and
not only after the full message has been processed.
> channel attacks. WebCrypto is now widely supported and browsers
> also offer hardware acceleration for GCM.
GCM has only been developed to avoid the OCB patent which in fact is
irrelevant these days. And frankly it will take at least 5 years before
a new AE mode in OpenPGP will be widely deployed - by then the patent
OCB is way easier than GCM and thus also easier to implement in JS
From: Werner Koch <wk at gnupg.org>
Subject: Re: [openpgp] OpenPGP SEIP downgrade attack
On Thu, 8 Oct 2015 16:59, pgut001 at cs.auckland.ac.nz said:
> (It's also not clear whether someone encrypting a 10k email message with PGP
> is going to notice it being processed at 100MB/s or 150MB/s).
I heard of backups somewhat larger than that. For mail it is anyway not a
problem - you sign and encrypt and you are done. Not even a need for an
> (I actually really like OCB and don't like GCM much, but the patent situation
> makes it pretty problematic).
Well, for the majority of uses cases there is a gratis license grant
from Phil Rogaway for his patents.
Further draft-zauner-tls-aes-ocb-03.txt states:
6. Intellectual Property Rights Issues
Historically OCB Mode has seen difficulty with deployment and
standardization because of pending patents and intellectual rights
claims on OCB itself. In preparation of this document all interested
parties have declared they will issue IPR statements exempting use of
OCB Mode in TLS from these claims. Specifically - OCB Mode as
described in this document for use in TLS - is based, and strongly
influenced, by earlier work from Charanjit Jutla on [IAPM].
At IETF-93 this case was mentioned and it was suggested to ask for a
similar license exception [1,2] if we consider to use OCB for OpenPGP.
Thoughts are free. Exceptions are regulated by a federal law.
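The point about detecting a corrupt large message early, as an added Go example that is not code from GnuPG, the WG draft or this thread: each chunk is sealed with AES-GCM under its own nonce and chunk index, so a decryptor rejects a damaged or reordered chunk as soon as it reaches it, instead of only after the whole message has been processed as with the trailing MDC hash. The 16-byte chunk size and the nonce/additional-data layout are simplifications assumed for the demo, not the draft's wire format.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)
const chunkSize = 16 // constructed: tiny, so a short demo message spans several chunks
// chunkIndex encodes the chunk number as the 12-byte GCM nonce (zero prefix, big-endian
// counter); the same bytes serve as additional data, so a moved chunk fails to verify.
func chunkIndex(i int) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint64(b[4:], uint64(i))
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes; a wrong length is a caller bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// EncryptChunked seals plaintext as independently authenticated chunks, each with its own tag.
func EncryptChunked(aead cipher.AEAD, plaintext []byte) [][]byte {
	var chunks [][]byte
	for i := 0; i*chunkSize < len(plaintext); i++ {
		end := (i + 1) * chunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		chunks = append(chunks, aead.Seal(nil, chunkIndex(i), plaintext[i*chunkSize:end], chunkIndex(i)))
	}
	return chunks
}

// DecryptChunked verifies chunks in order and stops at the first failing tag, returning the plaintext
// verified so far and that chunk's index (-1 when all verify): damage is caught at the chunk, not at the end.
func DecryptChunked(aead cipher.AEAD, chunks [][]byte) ([]byte, int, error) {
	var out []byte
	for i, c := range chunks {
		pt, err := aead.Open(nil, chunkIndex(i), c, chunkIndex(i))
		if err != nil {
			return out, i, err
		}
		out = append(out, pt...)
	}
	return out, -1, nil
}
```

A real format would also bind the packet header into the additional data and mark the final chunk so that truncation after a valid chunk is detected as well.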