Hi Vincent,

> the draft mentions that OpenPGP has S2K transforms to protect private
> key material, which you specifically don't use because they don't
> protect the integrity of the public key material. If we assume that the
> fingerprint is still known, all information besides the private key
> material is available in the usual append-only fashion from keyservers.
> Can you elaborate on this design decision?
Sure. We actually used standard S2K passphrase protection in an initial draft of the IMAP sync. We could verify the integrity of the public key packet by comparing the fingerprint to the integrity-protected private key, but this is something all user agents would need to implement correctly when integrating the spec. This would leave more wiggle room for error. The alternative here was just to encrypt the complete ASCII-armored key using AES-GCM, which does the integrity check during decryption. This way there is one thing less to keep in mind for implementors of the spec.

Tankred

--
Whiteout Networks GmbH
c/o Werk1
Grafinger Str. 6
D-81671 München
Geschäftsführer: Oliver Gajek
RG München HRB 204479

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
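The design choice Tankred describes, encrypting the whole armored key blob with AES-GCM so that the public key packets are covered by the same authentication tag as the secret key packet, as an added example in Go using only the standard library. This is not Whiteout's code or the draft's reference implementation; the armored key text is a constructed placeholder, not a real key, and the 32-byte AES key is taken as given (deriving it from the user's passphrase with a proper KDF is out of scope here). The point it makes runnable is that a flipped byte anywhere in the blob, including in the public portion, is rejected at decryption time with no fingerprint comparison needed by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleArmoredKey is a constructed placeholder standing in for a real
// ASCII-armored OpenPGP key block (public key packets, user IDs and the
// secret key packet all in one blob). It is not a valid key.
const sampleArmoredKey = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n" +
	"Version: example (constructed, not a real key)\n\n" +
	"lQPGBFexamplePUBLICKEYPACKETSandUSERIDSgoHERE...\n" +
	"...followedByTheSECRETKEYPACKET=\n" +
	"=abcd\n" +
	"-----END PGP PRIVATE KEY BLOCK-----\n"

// gcmNonceSize is the standard 96-bit GCM nonce length.
const gcmNonceSize = 12

// newGCM builds an AES-256-GCM AEAD; the key is assumed to come from a
// real passphrase KDF, which this example does not implement.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealKey encrypts the whole armored key under AES-256-GCM and returns
// nonce || ciphertext || tag. Because the entire armored text is the
// plaintext, the public key packets are covered by the authentication
// tag just like the secret key packet. A fresh random nonce is drawn
// for every call; reusing a nonce under the same key breaks GCM.
func sealKey(key []byte, armored string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(armored), nil), nil
}

// openKey decrypts a blob produced by sealKey. GCM verifies the tag
// before returning any plaintext, so a blob whose public or private
// portion was altered is rejected as a whole rather than yielding a
// key with silently modified public packets.
func openKey(key, blob []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return "", errors.New("blob too short to contain nonce and tag")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("integrity check failed: %w", err)
	}
	return string(pt), nil
}

// tamperDetected flips one ciphertext byte at plaintext offset off (GCM
// is a counter mode, so ciphertext byte i corresponds to plaintext byte
// i) and reports whether openKey rejects the result.
func tamperDetected(key, blob []byte, off int) bool {
	tampered := append([]byte(nil), blob...)
	tampered[gcmNonceSize+off] ^= 0x01
	_, err := openKey(key, tampered)
	return err != nil
}

func main() {
	key := make([]byte, 32) // stands in for a KDF output in this example
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := sealKey(key, sampleArmoredKey)
	if err != nil {
		panic(err)
	}
	restored, err := openKey(key, sealed)
	fmt.Printf("round trip ok: %v\n", err == nil && restored == sampleArmoredKey)
	// Offset 0 lies in the armor header, i.e. the public portion of the blob.
	fmt.Printf("tamper in public portion detected: %v\n", tamperDetected(key, sealed, 0))
}
```

The caller never sees a partially valid key: either the whole armored block decrypts and authenticates, or openKey returns an error, which is the "one thing less to keep in mind" for implementors that the reply refers to.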
