Werner Koch <[email protected]> writes: > On Mon, 6 May 2024 17:06, Simon Josefsson said: > >> Thank you! As far as I can tell this doesn't strongly bind eccPublicKey >> and mlkemPublicKey to the KEK which may complicate a security proof. > > Can you give a reason for this? The fingerprint binds the two public > keys and it is an input to the key combiner.
I haven't chaised the entire chain -- does it bind to the master key fingerprint only, or to the Ecc+Kyber subkey too? Including the public key in the KEK binding has been discussed before, some references: https://mailarchive.ietf.org/arch/msg/cfrg/84TUdtD0w12qFSNPpdV5ArS4-IE/ I'm not saying it is critical for security for the entire ECC+Kyber in LibrePGP (I can't fit all of it in my head), but it makes it easier to reason about security properties of the combiner on its own. /Simon
signature.asc
Description: PGP signature
_______________________________________________ Gnupg-devel mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-devel
