Re: [openpgp] a new draft overlapping the WG draft

[Werner Koch <wk@gnupg.org>]

Hi!

and sorry for responding a bit late.  Kai called me to point me to this
discussion.  I simply missed that my openpgp folder had new activity.

On Tue, 27 Sep 2022 15:41, Daniel Huigens said:

> minus the parts that Werner thinks the DT got wrong". It's simply a
> continuation of ietf-rfc4880bis-10, without any of the changes the DT
> made after that (afaict). Perhaps that means Werner thinks the DT got
> everything wrong, I don't know.

Right and wrong: It is a continuation of ietf-rfc4880bis-10 but with the
changes the DT agreed upon up until only editorial changes were in the
queue and I left the DT.  Here is the list:

 - Rename the Additional Encryption Subkey key flag
 - Add Literal Data Meta Hash subpacket.
 - AEAD chunk size update as per openpgp-dt meeting on 2021-08-20
 - Explain the reset back to rfc4880bis-10.

The only major thing from the DT is the "AEAD chunk size update".  IN
fact that was the reason why the design time was set up after a
discussion between Stephen, dkg, and me on how to get out the stuck
rfc4880bis process we had been in for years after -10 (or maybe -08)
when new people turned up in the WG.

I left the DT after we agreed that only minor changes are left to be
done, like describing 448 exactly.  It came very much to a surprise when
I noticed that almost everything had been thrown over later on.

My new draft specifies what has been implemented and deployed by GnuPG
and RPN for many years now.  There is one additional thing (Literal Data
Meta Hash) which can help to fix a sometime claimed problem for signed
only data.

The next revision will include an updated AEAD spec for protected
private keys in case people really send protected private keys without
using an additional container.  I think 448 needs to be added too.

> In general, there are a number of things in the crypto refresh that seem
> to have strong indications of WG consensus. For example, there was a

Please don't forget that for each iteration of 4880bis we had a
consensus in the WG as well.  The new crypto-refresh thing has been
thrown into the WG without much discussion.  The original idea of the DT
was to get out of a lock/conflict in the WG but it turned out that the
private discussion and work by DT introduced more questions than it
should have solved.

> refresh (or some open MRs intended to update it) reflects the consensus
> better than rfc4880bis.

I am likely not the only one here who doubts that merge request are a
good way to discuss changes to a protocol.  Thus I challenge the idea
that there is a roigh consensuns in the WG on the crypto-refresh.

> reading of this suggestion would mean to keep neither of them. I think
> (almost) everyone in the WG agrees we want AEAD, and it's also part of

The question here is whether to add a third mode (GCM) instead of
restricting the new AEAD thing to just one mode (OCB) and dropping EAX
which is not needed anymore.

To me GCM is a no-go for OpenPGP.  It is bad enough that CMS seems to
have settled for it; no need for OpenPGP to follow that faulty path.

> OTOH, for AEAD encrypted private keys (using S2K identifier 253), the
> definitions in rfc4880bis and the crypto refresh are currently clashing.

Frankly, I see no problem to modify the use of AEAD to protect private
keys because that part has not been widely deployed and our suggestion
has always been not to rely on that protection.  Exchange of private key
material is anyway very special and requires organizational effort.


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein