[openpgp] Re: WGLC for draft-ietf-openpgp-pqc [was: Re: I-D Action: draft-ietf-openpgp-pqc-08.txt]

Aron Wussler <aron@wussler.it> Fri, 09 May 2025 18:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2uLdfEQoTDvbrhB9NcH52hyOMC4>

Hi Heiko,


> But I do wonder idly if it would be possible and useful to add some kind of informational text that clarifies that senders can consider encrypting only to PQ(/T) keys to achieve post-quantum security, when a sender encounters a case where it finds this possible.


For now, we opted to just leave the following statement


   As explained in Section 1.4.2, the OpenPGP protocol inherently
   supports parallel encryption to different keys. Note that the
   confidentiality of a message is not post-quantum secure when
   encrypting to different keys if at least one key does not support
   PQ(/T) encryption schemes.


While this provides no guidance, it is a straight fact about PQ(/T) encryption, and can be used to justify an implementation-specific policy decision (such as: if PQ is available for recipient X, then prefer PQ).
After all the discussion among authors and the community, we decided that this was the only unobjectionable statement we could include.



> While this is somewhat arbitrary


I don't think it's that arbitrary. If you generate PQ keys, it's because you want PQ-encrypted traffic. If not, stick to 32-byte ECC keys, faster and smaller ;)

Cheers,
Aron


--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930



On Friday, 9 May 2025 at 13:49, Heiko Schäfer <heiko.schaefer@posteo.de> wrote:

> Hello Aron, all,
>
> > After gathering all the feedback, we decided to simplify the guidance, and consistently remove the remaining statements regarding sub-key selection.
> > This is reflected in the editor copy [1].
>
> I agree with removing guidance, while consensus is clearly not in immediate reach.
>
> Thank you for diligently working towards getting this draft out the door soon! I look forward to seeing it finalized.
>
> > We thank the people involved in this discussion and ask them to review this change.
>
> I'm happy with the draft, as is. But I do wonder idly if it would be possible and useful to add some kind of informational text that clarifies that senders can consider encrypting only to PQ(/T) keys to achieve post-quantum security, when a sender encounters a case where it finds this possible.
>
> Just to state, in the most general of terms, that senders *can* apply such policy decisions, and might want to.
> But without prescribing any particular approach.
>
> Thanks,
> Heiko
>
> PS: FWIW, in the experimental "rsop-pqc" implementation, I have decided to adjust key selection for encryption as follows:
>
> For each recipient certificate, if any valid PQC encryption keys exist, rsop now encrypts only to the set of valid PQC subkeys, while ignoring any non-PQC subkeys.
>
> While this is somewhat arbitrary, and I look forward to one day implementing official guidance instead, this seems like a reasonable interim solution. I assume most recipients will want this kind of approach to be taken.
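
An added example, not part of the original messages and not rsop-pqc code: the per-recipient selection policy from the quoted PS, combined with the draft statement that a message is post-quantum confidential only if every key it is encrypted to supports PQ(/T). The types, key ids and sample certificates are hypothetical and constructed, and subkey validity is reduced to a boolean.

```rust
// Added illustration; hypothetical model types, not rsop-pqc's real API.
#[derive(Clone, Copy, PartialEq, Debug)]
#[allow(dead_code)]
enum Algo { Rsa, X25519, MlKem768X25519, MlKem1024X448 }

impl Algo {
    // In this model, the PQ(/T) encryption algorithms are the ML-KEM composites.
    fn is_pq(self) -> bool { matches!(self, Algo::MlKem768X25519 | Algo::MlKem1024X448) }
}

struct Subkey { id: &'static str, algo: Algo, valid: bool }
struct Cert { name: &'static str, enc_subkeys: Vec<Subkey> }

// Per recipient: if any valid PQ subkey exists, use only those;
// otherwise fall back to all valid encryption subkeys.
fn select(cert: &Cert) -> Vec<&Subkey> {
    let valid: Vec<&Subkey> = cert.enc_subkeys.iter().filter(|k| k.valid).collect();
    let pq: Vec<&Subkey> = valid.iter().copied().filter(|k| k.algo.is_pq()).collect();
    if pq.is_empty() { valid } else { pq }
}

// Returns the chosen subkey ids and whether the message as a whole is
// PQ-confidential: true only if every chosen key is PQ(/T).
// A recipient with no usable subkey is an error, never silently dropped.
fn plan(recipients: &[Cert]) -> Result<(Vec<&'static str>, bool), String> {
    let mut chosen: Vec<&Subkey> = Vec::new();
    for cert in recipients {
        let keys = select(cert);
        if keys.is_empty() {
            return Err(format!("no valid encryption subkey for {}", cert.name));
        }
        chosen.extend(keys);
    }
    let pq = !chosen.is_empty() && chosen.iter().all(|k| k.algo.is_pq());
    Ok((chosen.iter().map(|k| k.id).collect(), pq))
}

// Constructed sample certificates.
fn cert(name: &'static str, keys: &[(&'static str, Algo, bool)]) -> Cert {
    let enc_subkeys = keys.iter().map(|&(id, algo, valid)| Subkey { id, algo, valid }).collect();
    Cert { name, enc_subkeys }
}
fn alice() -> Cert { cert("alice", &[("alice-ecc", Algo::X25519, true), ("alice-pq", Algo::MlKem768X25519, true)]) }
fn bob() -> Cert { cert("bob", &[("bob-ecc", Algo::X25519, true)]) }
fn carol() -> Cert { cert("carol", &[("carol-ecc", Algo::X25519, true), ("carol-pq", Algo::MlKem768X25519, false)]) }

fn main() {
    println!("{:?}", plan(&[alice()]));        // PQ-only recipient set
    println!("{:?}", plan(&[alice(), bob()])); // one non-PQ recipient downgrades the message
    println!("{:?}", plan(&[carol()]));        // invalid PQ subkey: falls back to ECC
}
```

Adding a single recipient without a valid PQ(/T) subkey makes the whole message non-PQ-confidential even though the other recipients' selection is unchanged, which is why a sender policy may want to surface that flag before encrypting.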