Re: [Last-Call] [openpgp] Last Call: <draft-ietf-openpgp-crypto-refresh-12.txt> (OpenPGP) to Proposed Standard
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 05 November 2023 09:45 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00FEC1519BE for <last-call@ietfa.amsl.com>; Sun, 5 Nov 2023 01:45:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.008
X-Spam-Level:
X-Spam-Status: No, score=-2.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ngl5M_zBm2r6 for <last-call@ietfa.amsl.com>; Sun, 5 Nov 2023 01:45:41 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2115.outbound.protection.outlook.com [40.107.21.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAB18C1522D9 for <last-call@ietf.org>; Sun, 5 Nov 2023 01:45:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XeKiptl+Dfdc/3uDNxuV+BaOTY59Y298fMNCfQw8VT+crTVPxutSDkXPiIJcZ1rJV3c9HRmStiqGrkdGSBrbss2kKHzpDeKLqv4H/UMSBrUrH2sUAc5vcfkaUZAsVRajDkY6CDvAlBTQVUKcsCepAgPNhUxNcf3lDqWUcd9hNEMmaZZ72Yn595hCOccAbct7nE3fPG5hVjqnCwyseIR8TiMpBQn14+f7YhW4A21/fmuAJQ3AJvujVzCcg/wxN2sB13a7R5RHF+2GBbMVXCB3YOEaoEpz+6xZwdDOqi7GOLZ7tF1m5lmUXjPMfRmOsOorPSEpGHnt0iS7OtsepLUDCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VKHYcBJwaxY4ciGrnoHsca5M2Z3Y8gqnCt7o5c2KAqM=; b=JoTu1VRcMKbf2usSpEPYHrbzrbNQviWP2G9fVE1Rky9HLAO74RIxGRwcb5r1qQ1aSOP28Fy5+H4qYHS4ZG4XNYHzck8H2rc8y9JT0NFQvDQdm0jZV29lzNHNiU2EQhTlGPtMS030cUj4ySGjE+tkJcmM/YFd4S1gF0035glOp89+Hw9fvVtMTYTmtMPTyAyckR2IV6GXzEU/odSLMO3iI4gTqusX6jwkAjh74eky/9t7sJNMq8OlAeVE3p7LwFGWj/hSY7GriqfpIQ0viAhDNDi0BDbWZlOlakowawVCxQImb4I8f5Wv+96qyJ48sjYx0ersW4zIHPLngV3bZ2WgTw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VKHYcBJwaxY4ciGrnoHsca5M2Z3Y8gqnCt7o5c2KAqM=; b=cEWn9EVw9aDAnN9Nk2QQo58mR+iEVAWtYGPdinVwPdhp/LfTKCnkp1944irY9mA8z8yBJ1QUQxAJQQPD9gPOekmAw/qvsCet5AbyYHLqZc+YBvLXGOOb7s6ewNVkE2VCwWEWCzbOsr2APxF1R2qzqRzYHAsn5zBweUVa8OYceZRCJ/KRrlA5Y/R3TAplkK03mDDajh0w+HFiP2mYBgN9ylTPS5fB+UI5W1D0nnqH4pKygn2SiaHMwSKMuszaPRp2UhUsQiPaEwJ83bqcV3M1NBz4Cdf9b3BgiGZWnefAc5arbNwH5EMgvqNXMkJkfIO4f1Cw6KL9meGdWzj+THYmJg==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DU0PR02MB9324.eurprd02.prod.outlook.com (2603:10a6:10:417::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.21; Sun, 5 Nov 2023 09:45:36 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::10cd:ea7a:606f:3860]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::10cd:ea7a:606f:3860%6]) with mapi id 15.20.6954.025; Sun, 5 Nov 2023 09:45:36 +0000
Message-ID: <9f28a5a9-de52-4eb6-a9f5-3dc89a408f6b@cs.tcd.ie>
Date: Sun, 05 Nov 2023 09:45:32 +0000
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Werner Koch <wk@gnupg.org>, last-call@ietf.org
References: <169861156708.56445.1745773510604358899@ietfa.amsl.com> <87r0lbvxih.fsf@jacob.g10code.de>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <87r0lbvxih.fsf@jacob.g10code.de>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------h97NJvsFrGDyxjcEkYHLoAF0"
X-ClientProxiedBy: VI1P191CA0003.EURP191.PROD.OUTLOOK.COM (2603:10a6:800:1ba::7) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|DU0PR02MB9324:EE_
X-MS-Office365-Filtering-Correlation-Id: bbe5f8d9-b7ca-411c-00ae-08dbdde3f5f5
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: FUurR7NJ8Fy8czDpXhr3oryga2RjUVpErNahC/imQTAEMdQHUqpMoV2iLqqqOeVHLEc9Op61U/r6IuouhFSSb14SvRIFp6jFOmhWSE6W2XhxPjQgca77z8FCILtQxuhlhKY/Butrc3gCwPHyO5QImV3ZcfH9s08w7hjnYpL/NKRjXGfLmJPMbojlU/jwOltA1f8sFki/s+XU/H++IEjPz6dS5zBvJdse8S/q0cBWZvHoEy3FYQBokfXA+1BybOAR/vR9X0JtF3aKRohgUF8qx8V7eJFkLvQdsHfU5iyHWZxkv0sselM++QiT7o1AnJi4Xu35xaNiEnTtIwqDefJTaH456W0nEi1i7qZineddZnoAuOeiuXd8QlhvF6u48eici5cuYyQfk5sbydTzrp0iRACIvytrnkjXkOBbaWQC0KinPel1s7L0eP24v4dTwe7IAJIlHM13iFbtnwQOsnt+sfa2gKS7eDuUViy3XX/Hw5+nHdi+V5veGBzpleiL5AzEOAiWFHafdD+1UzN371KOk7xs8n7uv7fCyPmRjRZkWoCu9ss2j77rik4vD9GQTSReFUW9nhsmPWc1+o7QIPS4Z750xkontJSNL68E3JqHm2q5nYY+C1CyTGuL/GARATBKMIb/y34msGih6OlAN0Qn1Q==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(39860400002)(366004)(376002)(396003)(346002)(230922051799003)(451199024)(64100799003)(1800799009)(186009)(45080400002)(8676002)(2906002)(6506007)(4001150100001)(41300700001)(8936002)(36756003)(5660300002)(235185007)(33964004)(478600001)(6512007)(53546011)(6666004)(2616005)(21480400003)(786003)(66476007)(66556008)(44832011)(316002)(66946007)(31686004)(966005)(6486002)(83380400001)(31696002)(38100700002)(86362001)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: oqZuwUbiyxe9Eugd20zDZvrhS4fN7ENMtNwLXcZIz45g0/ZmAJeHVETRhCseVjVneAQCUEuV6W9d6JzoRInl4obkSQd3hXDJnxbZTh28ehuONT794zFoJ+z7VKGVkxUaxm//nW11A9e2DgT7XvenPXUmRFW9EqZ9qUJtFAwnE0+n0ptVp7Ou5P3Qk+Ejt4j0+m5+RTYQdEDyWOOONA2vwEFdqjMggfc/9sess0BvHymF3Bll49KZURYk3bSdYH4YNyhudfMutZkRPN+cVuzKLwdU+9euqDR6BAwzrcETzguXcsL5oZF9CzUEFgcjpSW71zWjRdib0KZsCtKqvWnZJgiKV6RpBAvMRXL1I4PvMVV3nXUzM9VHbXVDC1wGgWFbkZzr4v+CUbC6zZZCAicqFYnsk4rdBVYWCTEOeGKemQU+q4fcrSMta7DG9geWBlC7hUsY9QqZuc4uqJjZcMihKEl8h682iIp/gn3boxvPwyXaRQJyZdIl8KXRYj3n4R2Ptg85CyM33bST5pBcLeROgHSXTk3R9Scd4ecxx2xnBnUMriAwZwLD2q806fcnVCNz5WM6oCwu0F3uf6YXcVXz1JoIZeriozrQn0cKHLyUBjvKa1URdUCuTPpR98+8zQiYOjZ4bWZ+SgkpBteKZfSA0j8XCyDWY2cMjGz6voUnEzXouQJFl5Ol8GE87wlKGxPP0934KNc8WnKbYBSoLSGUvP+ShQyaED11wCq2++Pb9jpUvjdNIGcMsnR9o2T59MyS0H/WkfuHRWfylWgFh40DwvyTvcBSzUjOdGL2WgL6gOQrHg3uLGBK9QGzzXkNG+AlFO7+3oybcQdpFv1286sHUiU0nVTj6p0wHroNcE9DPkftmeNI45s1KNNQhDnOsv0OvmTu1uqn3VJ6QDtLc4ZVhq23NhO09VsJ5yCrGO6A7EfUIbZWerWD0xCzCRxT2FRfotB0GcDCXakTsLle5VI9MOTZ3aWA3Ao7jXH0qf4MzNjRVVGhlu6NVVdSbnczytBeqnj83VRx3Yn0MmDHYWM/ERW3hRFtbNY9DzDoS2odQVuzgsMxOlxB/SJJiMvsccotVdxefJYI6HdFBdO3yAqazBcWjryn/H8TvCbCYaZPRgqyX9ZEdMl2biJHr8OGLnOZlIJUi+RLslJQVqk3TU/mbJ/YS0n7Jg2DHB9+F3Fh/RLx4+S16pKftlg7a9GdvpIixvCzbq5F+xFNvNZIn28G1AwMuNG27BcWKmEGbV7bM0WjBl5BupGziCNzYs70IkCYf0qSUT4Y62h8O+/hSfUDZElikekNuhBn4vs+c5x+5NJgC8OurB4Agbw/7W9wag/fbof1FX2ZbInn4Qvs4IIXdDRAR3BcJoIyB2hYQ5+PEwfOSY9vy58/zIpwveBaNvyTz+x5c0/i4ouTmOpHdk3bopZrdvoQYpGS8qjleWuHyW+uIJzdH02lgojpyo1MQJLEpyXilkVkFkuyOGl7C3lCYnui3oFEVJ8AU0JaTplvDoV+nQhlBOL2pYX5NEvtrM6NY40AR+cjUR9nbWIhIHguoLp0ea7TqZKYBK9VUiKlDTMbqS++QY3iFeOvlWhTCUmQ4UruN0bpDGVxXGUPepkFz7YOjkwVKA9c5Z6kt9X4eLemnirGBv44ytOFu6oAdBjs
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: bbe5f8d9-b7ca-411c-00ae-08dbdde3f5f5
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Nov 2023 09:45:36.1992 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: kHLExN7MBLegGrKKHWNlC7sWsuvGKcTJKFtv0Z4yKLuL4ipXl0jegLM3wgb4Zyfx
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR02MB9324
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/b5LQGVlvWvudI3qF42ntvd8wblU>
Subject: Re: [Last-Call] [openpgp] Last Call: <draft-ietf-openpgp-crypto-refresh-12.txt> (OpenPGP) to Proposed Standard
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Nov 2023 09:45:45 -0000
Hi Werner, The high level answer to pretty much all your points below is that these issues were raised by you as the WG did it's work and the WG decided to proceed as it has. In particular, in September 2022 we (as chairs) polled the WG [1] to see if people preferred to continue with the WG draft (that's now the subject of this IETF last call), or to adopt the draft you wrote (on the lines below) as an alternative. After many participants had chimed in the WG explicitly chose to continue and to not adopt the set of changes you prefer. Cheers, Stephen & dkg (as openpgp WG chairs) PS: Normally we'd bemoan the fact that someone was re-raising issues already discussed in the WG during IETF LC, but in this case we do think it's fair for Werner to bring our attention to the fact that the main developer of a significant implementation is in the "rough" part of rough consensus. That's regrettable of course, but the WG did explicitly consider that during the work. [1] https://mailarchive.ietf.org/arch/msg/openpgp/PWp3ZcZ_qnDNLhuT-zR7gA2ddeg/ On 31/10/2023 11:31, Werner Koch wrote: > Hi! > > As initiater of the updated OpenPGP specification, as long time editor > of that draft, and as principal author of GnuPG (a major implementation > of the standard and de-facto successor of PGP) I see severe problems > with the draft. > > Earlier versions of the following comments have been circulated in > closed groups of stakeholders. > > Salam-Shalom, > > Werner > > --------------------------------- > A CRITIQUE ON A FORK OF OPENPGP > --------------------------------- > > 2023-10-31 > > > The IETF OpenPGP Working Group (WG) at some point decided to give up on > its charter to produce an updated specification and instead started to > re-invent that standard. Whether this is in line with IETF rules is > questionable: > > The charter says: > Other work related to OpenPGP may be entertained by the > working group as long as it does not interfere with the > completion of the RFC4880 revision. As the revision of > RFC4880 is the primary goal of the working group, other work > may be undertaken, so long as [...] > > Given that new features and discussions for larger updates of the > specification delayed a new RFC for many years and were the reason for > closing the WG in 2017 and re-opening in 2020, I propose to go back to > the last commonly agreed upon draft or to conclude the WG on the grounds > that no rough consensus could be found. > > > Symmetric Mode > ══════════════ > > It seems that this new scheme was introduced for the benefit of > allowing GCM as yet another encryption mode. GCM is a counter mode > and, as can be seen by the large changes required, hard to get right. > Meanwhile we have GCM in CMS (the core of S/MIME) because Microsoft > decided to go this way. However, OpenPGP has taken its decisions > based on technical soundness and not based on larger vendor, > government or committee decision. > > The WG once decided to go with OCB and EAX. EAX was only added to > avoid possible patent problems. However, in the 4.5 years since the > introduction of EAX the OCB patent expired. Thus there is no more > reason to reject OCB and it should be declared as RECOMMENDED mode > with the intention to make it a MUST mode in some future OpenPGP. It > can also be expected that FIPS-140 will eventually allow OCB. > > My suggestion: Drop all the new AEAD ideas and use what has been > deployed and agreed upon in this very WG a long time ago. Further, > turn OCB into MUST and EAX into MAY (only for backward compatibility > to deployed implementations). > > > Padding Packet > ══════════════ > > A padding packet is introduced with the idea to mitigate traffic > analysis. However, it is suggested to use random data for the content > of this packet and thus this packet opens a huge covert channel. This > is especially concerning for institutional users efforts regarding > Data Leak Prevention (DLP). Suggestions to use padding based on a > verifiable seed, were rejected despite that this is the standard > method to do padding. > > This padding idea has come up in discussion every once in a while over > the last 25 years and has always been rejected because it does not > belong into the encryption layer but into the application (plaintext) > layer. > > > Changes to the ECDH Encryption > ══════════════════════════════ > > ECDH is the standard way to do encryption with elliptic curves. For > OpenPGP ECDH has been specified in RFC-6637 from 2012 and been > implemented by PGP and GnuPG even a year earlier. Instead of keeping > this solid specification some details have been changed without a > sound reason. > > > Proliferation for Algorithms > ════════════════════════════ > > The new draft not only allow the use of GCM as a third encryption mode > but adds a couple of other required algorithms: > > • HKDF > • Argon2 [1] > • Optional modes [2] > > I joined the AES conference in 2000 on Phil Zimmermann's wish to talk > about algorithm proliferation. We agreed on pushing the forthcoming > AES along with our MDC extension, get Twofish and so out of the focus, > and in general resist to add new algorithms. That is for the simple > reason that neither PGP nor GnuPG wanted to maintain all new > algorithms until eternity. Later we had to do a political compromise > to allow Camellia for the use in Japan and Brainpool curves for > European use. We should really stick to this and not support > algorithms which are just a substitute for existing crypto building > blocks. Since added complexity makes a review harder and the larger > codebase has to be maintained indefinitely for backwards > compatibility. > > > Removal of Useful Real World Features > ═════════════════════════════════════ > > For example: in 2016 a 'm' flag was introduced to indicate that the > plaintext shall be interpreted as MIME data. This has been removed > along with deprecating the traditional 't' flag to distingusih between > binary and text data. Having the ability to easily detect MIME data > is for example required to process attachments from web mail clients > or in air-gaped environments. > > The designated revoker feature has also been deprecated with the > rationale that a better method is to achieve this with an “escrowed” > revocation, pre-created by the user. In fact, GnuPG creates such a > revocation certificate since version 2.1 (release in 2014), to > mitigate the common problem of a forgotten password. But this is not > a replacement for corporate needs: The designated revoker is an > important feature to manage a large scale deployments of OpenPGP keys > and acts as a CRL replacement. > > > Removal of Security Fixes > ═════════════════════════ > > Due to an implementation bug in PGP 5 the meta data of a signed file > was not covered by the signatures. RFC-4880 didn't fixed that for > backward compatibility. However, users were often surprised when they > learned that the shown filename and file data could be changed while > keeping the signature intact. With the introduction of the new v5 > signature packet format, the opportunity to fix that was taken. > However, the crypto-refresh group then introduced v6 signatures and > removed the fix [3] with the flimsy explanation that the way to > populate that the field is not clear in a theoretical > encrypt-then-sign scenario and that signatures could not be detached > and reattached (which is obvioulsy wrong). A later proposed fix for > v4 signature packets (Meta Hash subpacket) [4] was not considered. > > > Salted signature issue > ══════════════════════ > > Salted signature have been introduced with the idea that they might > mitigate a choosen prefix attack in the same way as they will do for a > certain SHA-1 based Web-of-Trust attack. No research for that > statement has been cited just an assumuption and a concern related to > fault attacks on EdDSA for Wireguard-like protocols [5]. However, > such fault attacks can be more securely detected by checking the > signature after verification in the same way as the mitigation to > Lenstra's attack on RSA's CRT. > > Anyway, the major concern here is that this adds another 32 octet > covert channel to each message (and also blow the signature up by 64 > octets) In this case it is not an optional feature as with the padding > packet. This is a clear violation of best current practices in > sensitive areas where signed mails are mandatory and encryption is not > enforced (or monitored by a gateway). > > > Regression from Deployed Formats and Standard Behavior > ══════════════════════════════════════════════════════ > > In general the crypto-refresh draft tends to ignore the requirements > of long term storage needs and considers online communication and > software deployment pattern as the major OpenPGP usage. Data and > software life-cycle management has not been adequately taken in > consideration and thus the draft regresses heavily from 30 years of > PGP history. > > > > Footnotes > ───────── > > [1] “It is RECOMMENDED that implementations use Argon2.” > > [2] EAX, OCB, GCM and a way to define even more > > [3] See commit 390055d408d8611bc37707f81c13215cf5a05348 > > [4] See commit a397df29704ab65c2565d12ec29a703efbaf7f8c > > [5] https://mailarchive.ietf.org/arch/msg/cfrg/Ev8hgyojKeObXMZ7SF2m3_yekMo/ > > >
- Re: [Last-Call] [openpgp] Last Call: <draft-ietf-… Werner Koch
- Re: [Last-Call] [openpgp] Last Call: <draft-ietf-… Stephen Farrell