Re: [openpgp] I-D Action: draft-ietf-openpgp-crypto-refresh-04.txt

Daniel Kahn Gillmor <> Wed, 20 October 2021 21:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C4EB23A1304 for <>; Wed, 20 Oct 2021 14:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.307
X-Spam-Status: No, score=-1.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.b=RoqlrIc7; dkim=pass (2048-bit key) header.b=eo11bt4e
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QBaXxhF022P2 for <>; Wed, 20 Oct 2021 14:26:35 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 479FE3A12ED for <>; Wed, 20 Oct 2021 14:26:33 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple;;; q=dns/txt; s=2019; t=1634765191; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=xEOUXXU5TakOrqtE+AWgEPsMy8wPn9dLx1w6M7P9KaI=; b=RoqlrIc74FRAkpzXIUTqwWFnosHcdUsb3XXM1XiJwUthJhVpzzNvU6rBPA378u1mxb/g7 jDHyNuhVaaMT3ZnAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; q=dns/txt; s=2019rsa; t=1634765191; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=xEOUXXU5TakOrqtE+AWgEPsMy8wPn9dLx1w6M7P9KaI=; b=eo11bt4etsTdmgAxUjBau8wm8TJoth0iZYNPg+uQdD85CNyCG/Cs4nBq9L5Wni2bUVghb V5A6rE2ZJrTctYRUkw84vkkXuqjidVNgAMj8eiU21RUKi1E4Z6/Iasg62n3HndfLmafbJLS qtgb3jkt57I1OULs/kUJO3fU5G13UjJ9z+KHbc6dFi9LDc8+rSJdsZHWqjvrIWq2UlxGwo9 xUpKRNQClK6tXyZzGySv9ebQS8Wrtqku7/+RXDqrRpIggehvW2AUhdkxumVCsCEnmkmWVIn DtgHHEuROLc8PcnAx/5L2SHBC/dWYMWvXiSilHPVyviryPg9p6d+bUdiSiVg==
Received: from (unknown []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPSA id 4D2E2F9A5 for <>; Wed, 20 Oct 2021 17:26:31 -0400 (EDT)
Received: by (Postfix, from userid 1000) id A4E4B20D59; Wed, 20 Oct 2021 17:26:27 -0400 (EDT)
From: Daniel Kahn Gillmor <>
In-Reply-To: <>
References: <>
Autocrypt:; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Wed, 20 Oct 2021 17:26:24 -0400
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <>
Subject: Re: [openpgp] I-D Action: draft-ietf-openpgp-crypto-refresh-04.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Oct 2021 21:26:43 -0000

Hi folks--

On Mon 2021-10-18 14:19:13 -0700, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Open Specification for Pretty Good Privacy WG of the IETF.
>    Title           : OpenPGP Message Format
>    Authors         : Werner Koch
>                          Paul Wouters
>    Filename        : draft-ietf-openpgp-crypto-refresh-04.txt
>    Pages           : 136
>    Date            : 2021-10-18

As you can see, the design team has pushed out the latest version of the
crypto refresh draft.

This incorporates variations on several of the features that were in the
older draft-ietf-openpgp-rfc4880bis-draft-10, and some new features
that haven't been incorporated in a previous draft:

Feature inclusions:

 - AEAD packets are now defined (they differ from the older draft-10 in
   a few subtle ways, most notably that the chunk size is more tightly
   constrained, and that what was called the "nonce" is now explicitly
   the IV)

 - AEAD protection of secret key material (note that public key material
   is now included in the encrypted form as additional data)

 - Intended Recipients Subpacket (allows a defense against signature
   replay in redirected encrypted messages)

 - SKESKv5 (works only with AEAD)

 - Argon2 as S2K

 - Curve448: X448 for ECDH, Ed448 for signing


 - forbid creation of weaker S2K types, except when string is known to
   be high-entropy.

 - more strongly deprecate non-integrity-protected symmetric encryption

 - drop (reserve) bit 0x04 from Features packet ("v5 keys"), due to not
   being actionable and potentially causing interop issues.


 - Corrections to the OpenPGP message grammar
 - Corrections to OpenPGP certificate structure
 - Algorithm-specific details are now presented in tabular form, for
   public keys and for specific elliptic curve choices

The design team is meeting regularly, and making good progress in
collaboration.  We hope the larger WG will review the latest draft that
the DT has produced!

You can see (and contribute to) outstanding issues and merge requests at if you're interested.

The design team has several issues in active discussion that did not
make it into draft-04, but will likely to come up soon:

 - Mandatory-to-implement choices (aka "MTI"): see recent summaries of
   design-team meetings on the openpgp-dt mailing list:

 - v5 signatures: see active discussion at

 - v5 keys: see different possible proposed changes at and

I'm hoping that after the next revision, we can start talking about what
"done" looks like ☺ -- we already have some interoperable tests
happening, which is a good sign.

Note, we also have an upcoming meeting at IETF 112, tentatively
scheduled for Wednesday, 10 November 2021, in Session I.

Happy Hacking,