Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
Daniel Huigens <d.huigens@protonmail.com> Tue, 07 June 2022 14:03 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CC1FC14F73D for <openpgp@ietfa.amsl.com>; Tue, 7 Jun 2022 07:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5S66-vLE1IXR for <openpgp@ietfa.amsl.com>; Tue, 7 Jun 2022 07:03:12 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42D2CC157B49 for <openpgp@ietf.org>; Tue, 7 Jun 2022 07:03:12 -0700 (PDT)
Date: Tue, 07 Jun 2022 14:03:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1654610589; x=1654869789; bh=OfH/FsTyRPmTkmamYKpXuAQbK/GL/9MT0fDurBKTKCU=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=vtdNvRWkgOii0ncvkn1nnihPZYOXUI233GmLdxHN/o/fdslis0vOT1r2UCJrIFav0 FzKFzqUKgauYeOLp4YeTZH5fODeyHOqZA/1+LiZRLcFc4JQ7doI+1G5LI1v+Ii8HK3 KUyRprsT+z/uxjhfj7UBii+anPNAJrgukaB2hlyL0+hejKHbqc2auYR+wgn5L8kMwN +UdK0Eh4lcLv3fSMhGmjoYCPvwRxmS+LyNWSMKK5fxGFPcU0viED4i90xIU9/W6rMp lydAvYnc2Bi29YLid2AvbUj9WKyNycDImDCLANnqM94o49PM6z6UPG3n4tLFQ56Sw+ HpAJ3yXesLhVg==
To: Werner Koch <wk@gnupg.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <-_hGMnmWYAajs8di2nPqlVW_KRmq3ibTvbV5jawDu0zz7iiZAIaEg66cPOGOjb023my4woJOM2G26cQoWPdeATyXC7_KyKLPadJWK5gdlUg=@protonmail.com>
In-Reply-To: <87tu8xkjx4.fsf@wheatstone.g10code.de>
References: <165453577116.17285.7902041139949315015@ietfa.amsl.com> <87tu8xkjx4.fsf@wheatstone.g10code.de>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2mUQm-s__P29mCPf6yCpYfZsWWg>
Subject: Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2022 14:03:16 -0000
Hi Werner, > 1. The new AEAD scheme. > > It seems that this new scheme was introduced for the benefit of > allowing GCM as yet another encryption mode. GCM is a counter mode > and as can be seen by the large changes required, hard to get right. > We do have GCM now in CMS now because Microsoft decided to go this > way. However, OpenPGP has taken its own decisions based on technical > soundness and not based on larger vendor, government or committee > decision. FWIW, while it's true that GCM was the main reason, I personally think that binding the key to a specific mode is nice regardless. It protects against crossgrade attacks, in the sense that breaking one algorithm doesn't break the others. That being said, I do agree that having only OCB, for example, would make things simpler. But, with OpenPGP.js maintainer hat on, having GCM is nice since it's in Web Crypto, meaning it's natively implemented in browsers. (That being said, we should add OCB there as well, but that might be a long process.) > The WG once decided to go with EAX and OCB. EAX was only added to > avoid possible patent problems. However, in the 4.5 years since the > introduction of EAX the patent things has expired was invalidated and > before the new mode will will be a MUST algorithm in a future OpenPGP > RFC (not in 4880bis), there will definitely be no more problem at all > with OCB. I bet that by then an updated FIPS-140 will even allow > OCB. At IETF 112, Quynh Dang said that "NIST has no plans to approve OCB" [1], unfortunately. I'm not sure whether that has changed in the meantime or what the reasoning was, but that's what we went by. (Personally I don't actually care about FIPS compliance that much but I know some people do.) > Thus my suggestion: Drop all that new AEAD ideas and use what has > been deployed and agreed upon in this very WG a long time ago. > Further, turn OCB into MUST and EAX into MAY (for backward > compatibility to deployed implementations). This last part has been done, actually, see [2] :) > 2. The removal of the Brainpool curved, as already explicitly listed in > early RFC-4880bis drafts, is not acceptable. It may even raise > suspicions that a TLA was somehow involved to keep NIST curves but > not Brainpool. Note I won't share such an opinion, but with crypto > algos we also need to look at such political things. > > Thus please immediately issue -07 with Brainpool re-added. Again purely with implementer hat on, I have some issues with Brainpool. The NIST curves are natively implemented in Web Crypto, and we have an asm.js implementation of Curve25519 which is fast and algorithmically constant-time. By contrast, for Brainpool we use a pure javascript implementation of those curves, which is slow and not constant-time. Of course, those things could be fixed as well, but now that we have the CFRG curves, I don't really see the need, tbh. Best, Daniel [1]: https://datatracker.ietf.org/doc/minutes-112-openpgp/#autoid-6 [2]: https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-06#page-101
- [openpgp] I-D Action: draft-ietf-openpgp-crypto-r… internet-drafts
- Re: [openpgp] I-D Action: draft-ietf-openpgp-cryp… Paul Wouters
- [openpgp] First remarks on the last I-D (Was: I-D… Werner Koch
- Re: [openpgp] First remarks on the last I-D (Was:… Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… Justus Winter
- Re: [openpgp] First remarks on the last I-D (Was:… Stephen Farrell
- Re: [openpgp] First remarks on the last I-D (Was:… Daniel Huigens
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Ronald Tse
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… brian m. carlson
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D brian m. carlson
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Paul Schaub
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Daniel Huigens
- [openpgp] AEAD and Rome (was: First remarks on th… Werner Koch
- Re: [openpgp] AEAD and Rome (was: First remarks o… Daniel Huigens
- [openpgp] Choices for AEAD modes [was: AEAD and R… Daniel Kahn Gillmor
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Justus Winter
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Paul Wouters
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… brian m. carlson
- Re: [openpgp] Choices for AEAD modes Ronald Tse
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes Stephen Farrell