WKD proper behavior on fetch error

Neal H. Walfield neal at walfield.org
Sat Jan 23 23:33:16 CET 2021

On Fri, 22 Jan 2021 23:59:36 +0100,
Andrew Gallagher via Gnupg-users wrote:
> On 22/01/2021 17:29, Daniel Kahn Gillmor via Gnupg-users wrote:
> > this is a non-backward-compatible change to the format, so i think
> > that's probably not a great outcome.
> I can't help thinking that length fingerprinting and padding oracles are
> a general concern, and therefore more appropriately solved at a lower
> layer of the network stack.

Padding needs to happen as close to the application as possible.

Consider the case where an application has two possible responses: a 1
bit response and a 100 MB response.  Most padding schemes won't
obfuscate these two responses.  Using dkg's suggestion, all 1-bit
responses would be padded to 4k and hence all responses would still be
fully distinguishable.

For a padding scheme to be useful, many different types of messages
must end up in the same size bucket.  Ensuring that requires
application-specific knowledge.


More information about the Gnupg-users mailing list