Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Dan Harkins <dharkins@lounge.org> Sun, 01 October 2023 22:46 UTC

In-reply-to: <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: cfrg@irtf.org
Message-id: <09ef9418-0c6c-3771-a82a-900c8143afc4@lounge.org>
References: <169592647633.22478.7564567661859429538@ietfa.amsl.com> <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org> <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/68dat9_dkbaTD1U6pjgrp4N9LH0>

   Hi Eric,

On 10/1/23 2:15 PM, Eric Rescorla wrote:
> On Fri, Sep 29, 2023 at 12:02 PM Dan Harkins <dharkins@lounge.org> wrote:
>
>
>        Hello,
>
>        First of all, there's a new version of draft-irtf-cfrg-dnhpke out.
>     Please take a look.
>
>        At IETF 116 I was told I could get IANA assigned values without
>     the draft becoming an RFC so I applied. I got KEM assignments for
>     compressed output but the experts are refusing to approve assignment
>     for DAE support because it's not IND-CCA2.
>
>        So let me digress briefly....
>
>        In [1], I noted that this requirement that "all AEADs must be
>     IND-CCA2 secure" appeared in -10 of the HPKE I-D without any real
>     discussion (it wasn't in -09 and there was no discussion on the
>     list) and that I was concerned that they were closing the door on
>     my proposal. But I was told in [2] by an author of HPKE, and the
>     guy who did the security analysis, that the door wasn't closed and
>     that adding new DAE ciphers which were not IND-CCA2 did not affect
>     the existing ciphers which were. There was even a pull request for
>     HPKE to clarify (see [3]) which I was under the impression allowed
>     for addition of new ciphers which were not IND-CCA2 since they were
>     not diluting existing security guarantees.
>
>        But now I'm being told by the experts that there is an absolute
>     prohibition on using HPKE with a cipher which is not IND-CCA2. I
>     believe that is incorrect and certainly that was not part of the
>     RGLC approval of the HPKE I-D.
>
>        I would like to hear what other people think and would like the
>     experts to be overruled and to approve assignment of the DAE ciphers
>     defined in draft-irtf-cfrg-dnhpke-02.
>
>
> Without taking a position on the merits of this issue, it's not clear
> to me that CFRG can in fact overrule the experts. Here is what RFC
> 8126 says about appeals of registration decisions
> (https://datatracker.ietf.org/doc/html/rfc8126#section-10):
>
>     Appeals of protocol parameter registration decisions can be made using
>     the normal IETF appeals process as described in [RFC2026], Section 6.5
>     <https://datatracker.ietf.org/doc/html/rfc2026#section-6.5>. That is,
>     an initial appeal should be directed to the IESG, followed (if
>     necessary) by an appeal to the IAB.
>
> That does seem a bit odd for a registry created by an IRTF document,
> but nevertheless, I think the process would require you to take it to
> the IESG.

   My point is that the experts are wrong in their interpretation of
what RFC 9180 says. There was discussion on the list about forbidding
deterministic AE cipher modes and one of the editors (who I believe is
also the guy who did the security analysis) said they weren't
prohibited. The editors even agreed to a pull request to clarify this.
It was certainly presented as "door not closed" when discussed in RGLC,
yet when RFC 9180 comes out the experts say "door is closed". So I
believe they are enforcing a rule that the RG was told was not there
prior to publication. If the RG agrees then I do not think this
prohibition exists and the experts are mistaken in their reading of the
RFC.

   I do appreciate you pointing out the appeals process though. It may come
to that.

   regards,

   Dan.

> -Ekr
>
>        thanks and regards,
>
>        Dan.
>
>     [1]
>     https://mailarchive.ietf.org/arch/msg/cfrg/dAhw4TluqDfzKvtatqXvXbW0GVY/
>     [2]
>     https://mailarchive.ietf.org/arch/msg/cfrg/MOMY2a3srTUpgW2F_76kySv5IKw/
>     [3] https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233
>
>     On 9/28/23 11:41 AM, internet-drafts@ietf.org wrote:
>     > Internet-Draft draft-irtf-cfrg-dnhpke-02.txt is now available. It is a work
>     > item of the Crypto Forum (CFRG) RG of the IRTF.
>     >
>     >     Title:   Deterministic Nonce-less Hybrid Public Key Encryption
>     >     Author:  Dan Harkins
>     >     Name:    draft-irtf-cfrg-dnhpke-02.txt
>     >     Pages:   38
>     >     Dates:   2023-09-28
>     >
>     > Abstract:
>     >
>     >     This document describes enhancements to the Hybrid Public Key
>     >     Encryption standard published by CFRG.  These include use of "compact
>     >     representation" of relevant public keys, support for key-wrapping,
>     >     and two ways to address the use of HPKE on lossy networks: a
>     >     deterministic, nonce-less AEAD scheme, and use of a rolling sequence
>     >     number with existing AEAD schemes.
>     >
>     > The IETF datatracker status page for this Internet-Draft is:
>     > https://datatracker.ietf.org/doc/draft-irtf-cfrg-dnhpke/
>     >
>     > There is also an HTMLized version available at:
>     > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-dnhpke-02
>     >
>     > A diff from the previous version is available at:
>     > https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-dnhpke-02
>     >
>     > Internet-Drafts are also available by rsync at:
>     > rsync.ietf.org::internet-drafts
>     >
>     >
>     > _______________________________________________
>     > CFRG mailing list
>     > CFRG@irtf.org
>     > https://www.irtf.org/mailman/listinfo/cfrg
>
>     -- 
>     "The object of life is not to be on the side of the majority, but to
>     escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius
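The thread turns on why the experts consider a deterministic, nonce-less AEAD unfit for the "all AEADs must be IND-CCA2" rule, and the draft abstract above names the alternative of a rolling sequence number with existing AEADs. The following is an added example, not code from draft-irtf-cfrg-dnhpke, RFC 9180 or anyone in this thread: a toy SIV-style deterministic AEAD built from HMAC-SHA256 (a constructed stand-in, not the draft's scheme) next to the same primitive driven by an explicit sequence number. It shows the one property determinism gives up, that two encryptions of the same (key, aad, plaintext) are distinguishable by comparison, which is already enough to lose IND-CPA, let alone IND-CCA2, while integrity (tamper rejection) is unaffected, and that reusing a sequence number degrades to exactly the deterministic behaviour and nothing worse. All keys, headers and messages are constructed sample values.

```python
import hmac
import hashlib

TAG_LEN = 32   # HMAC-SHA256 output: used as tag and as the synthetic IV
SEQ_LEN = 12   # explicit sequence-number field in the rolling-sequence variant


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent MAC and encryption subkeys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF; the tag serves as the IV.
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key: bytes, aad: bytes, pt: bytes) -> bytes:
    # Length-prefix aad so the (aad, pt) boundary is unambiguous.
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + pt, hashlib.sha256).digest()


def dae_seal(key: bytes, aad: bytes, pt: bytes) -> bytes:
    """Toy deterministic AEAD (SIV-style): no nonce, so equal inputs give equal output."""
    tag = _tag(_subkey(key, b"mac"), aad, pt)
    return tag + _xor(pt, _keystream(_subkey(key, b"enc"), tag, len(pt)))


def dae_open(key: bytes, aad: bytes, ct: bytes) -> bytes:
    """Decrypt, then verify the tag; any change to aad or ct raises ValueError."""
    if len(ct) < TAG_LEN:
        raise ValueError("ciphertext too short")
    tag, body = ct[:TAG_LEN], ct[TAG_LEN:]
    pt = _xor(body, _keystream(_subkey(key, b"enc"), tag, len(body)))
    if not hmac.compare_digest(tag, _tag(_subkey(key, b"mac"), aad, pt)):
        raise ValueError("authentication failed")
    return pt


def seq_seal(key: bytes, seq: int, aad: bytes, pt: bytes) -> bytes:
    """Rolling-sequence-number variant: seq is sent in clear and bound into the tag,
    so identical plaintexts yield distinct ciphertexts as long as seq never repeats."""
    seq_bytes = seq.to_bytes(SEQ_LEN, "big")
    return seq_bytes + dae_seal(key, seq_bytes + aad, pt)


def seq_open(key: bytes, aad: bytes, ct: bytes) -> tuple:
    seq_bytes, inner = ct[:SEQ_LEN], ct[SEQ_LEN:]
    return int.from_bytes(seq_bytes, "big"), dae_open(key, seq_bytes + aad, inner)


def dae_leaks_equality(key: bytes) -> bool:
    """The IND-CPA adversary's winning query: encrypt the same message twice and compare."""
    m = b"attack at dawn"  # constructed sample plaintext
    return dae_seal(key, b"hdr", m) == dae_seal(key, b"hdr", m)


def seq_leaks_equality(key: bytes) -> bool:
    m = b"attack at dawn"
    return seq_seal(key, 1, b"hdr", m) == seq_seal(key, 2, b"hdr", m)


def seq_reuse_leaks_equality(key: bytes) -> bool:
    """Repeating a sequence number falls back to deterministic behaviour: equality leaks, nothing else."""
    m = b"attack at dawn"
    return seq_seal(key, 5, b"hdr", m) == seq_seal(key, 5, b"hdr", m)


def dae_rejects_tamper(key: bytes) -> bool:
    """Determinism does not weaken integrity: a single flipped bit is rejected."""
    ct = bytearray(dae_seal(key, b"hdr", b"attack at dawn"))
    ct[-1] ^= 0x01
    try:
        dae_open(key, b"hdr", bytes(ct))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = b"\x01" * 32  # constructed test key
    print("deterministic AEAD leaks plaintext equality:", dae_leaks_equality(k))
    print("sequence-number variant leaks equality:     ", seq_leaks_equality(k))
    print("reused sequence number leaks equality:      ", seq_reuse_leaks_equality(k))
    print("tampered ciphertext rejected:               ", dae_rejects_tamper(k))
```

The split matters for the registration question: the deterministic mode fails the indistinguishability games by construction (an adversary that repeats a query distinguishes with certainty), yet its forgery resistance is the same as the nonce-based wrapper, which is why the draft can offer the sequence-number mode as the route to the standard notion and the nonce-less mode for lossy links where equality leakage is an accepted trade.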