[Cryptography] [openpgp] OpenPGP SEIP downgrade attack

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 7 09:50:52 EDT 2015


Werner Koch <wk at gnupg.org> writes:

>And wait another 15 years until it has been taken up by all implementations?
>What is wrong with the planned AE mode?

Which has just as little support as a planned EtM mode?  

The reason why I prefer EtM is that it can be pretty trivially retrofitted to
existing crypto (just add a SHA-256 MAC somewhere) and is compatible with any
existing cipher, while whatever AEAD mechanism is chosen (I'm guessing AES-GCM,
which seems to be fashionable) is purely for AES, there's no Twofish or CAST or
whatever AEAD mode defined.

Peter.
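Added example (not from this thread, and not GnuPG's or any OpenPGP implementation's code): the cipher-agnostic Encrypt-then-MAC wrapper described above, using only the Python standard library. The cipher is a constructed stand-in keystream so the block runs offline, and `SEIP_HEADER` is an assumed header value; the point it shows is that the HMAC-SHA256 tag covers the packet header and nonce as well as the ciphertext, so a header downgrade fails verification, and that the tag is checked in constant time before any decryption happens.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for "any existing cipher": a keystream from HMAC-SHA256
# in counter mode over (nonce, block index). It exists only so the example runs
# on the standard library; any real cipher with the same
# (key, nonce, data) -> data shape can be dropped in unchanged.
def stand_in_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def derive_keys(master: bytes) -> tuple:
    # Separate encryption and MAC keys derived from one session key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def etm_seal(master: bytes, header: bytes, plaintext: bytes,
             cipher=stand_in_cipher) -> bytes:
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(16)
    ct = cipher(enc_key, nonce, plaintext)
    # The MAC covers the packet header too, so swapping the packet type or
    # version (a downgrade) invalidates the tag just like a ciphertext edit.
    tag = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def etm_open(master: bytes, header: bytes, blob: bytes,
             cipher=stand_in_cipher):
    """Return the plaintext, or None if the tag does not verify."""
    enc_key, mac_key = derive_keys(master)
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, header + nonce + ct, hashlib.sha256).digest()
    # Constant-time compare, and verify BEFORE touching the cipher.
    if not hmac.compare_digest(tag, expected):
        return None
    return cipher(enc_key, nonce, ct)

# Assumed header bytes: OpenPGP packet tag 18 (SEIP) with version 1.
SEIP_HEADER = bytes([0x12, 0x01])
```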

