Re: [openpgp] Weird OIDs in the 4880bis draft

Daniel Huigens <d.huigens@protonmail.com> Fri, 17 February 2023 22:20 UTC

To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Justus Winter <justus@sequoia-pgp.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2gIicNxBWrPBsgW-nXwCmGSqYEU>

Hi all,

I support this change.

I don't want to muddy the waters too much, but I've also created [!242]
as an alternative to this, which defines new algorithm IDs for Ed25519,
Ed448, X25519, and X448.

Unlike Justus's MR, it rips out the OIDs for these algorithms, and the
scaffolding around them to put them in MPIs. So, it's a fairly large
change, but a lot of it is removing stuff.

For backwards compatibility with Curve25519 keys out there, people will
of course still have to support the Curve25519 and Ed25519 OIDs, but we
can refer to the previous crypto refresh for those, IMO.

As a more minor note, in my view this MR also replaces [!223] -
"Remove session key checksum and padding for v5 [soon v6] ECDH keys" -
in the sense that it doesn't add the checksum and padding in these new
algorithms, reducing the need to remove them from v5/v6 ECDH PKESKs.
That way, we also keep the invariant that the behavior of a public-key
algorithm doesn't depend on the version of the PKESK.

In other words, it basically would mean that (if we merge this, and not
!223) the crypto refresh would make almost no changes at all to ECDH and
ECDSA compared to RFC6637, except for the addition of Brainpool.
(In my personal opinion, we could even rip out ECDH and ECDSA entirely,
and keep referring to RFC6637 and the previous crypto-refresh for those
as well, but perhaps that's a bit too radical, so I'm not proposing it
as part of this :))

In any case, even without that, I think this would simplify the spec a
lot. That being said, if you all think this is too large a change, I'm
happy to withdraw it in favor of !242.

Best,
Daniel

[!242]: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/242
[!223]: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/223