IETF Logo Mail Archive

[openpgp] Re: WGLC for draft-ietf-openpgp-pqc [was: Re: I-D Action: draft-ietf-openpgp-pqc-08.txt]

Falko Strenzke <falko.strenzke@mtg.de> Tue, 06 May 2025 06:08 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E19762532852 for <openpgp@mail2.ietf.org>; Mon, 5 May 2025 23:08:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YH4MFI8ZdR2j for <openpgp@mail2.ietf.org>; Mon, 5 May 2025 23:08:11 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 157172532848 for <openpgp@ietf.org>; Mon, 5 May 2025 23:08:10 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 546681Sl015211 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 6 May 2025 08:08:01 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1746511681; bh=r3+vGsDfG0aUBRWvWmFz2PTp32tx9KUxsqqm4Lo+O5I=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=oBOxh7TDB+m1vBnSjzwmr2KF6VKsRKxt25bBEJ9iSkBuwx6cu0wmF9X0C1fRzdyg9 Eju0Z0wTDaD70Tho9iCdSlW8qzdwtW4j9DUr2cHtEnbObUInYnJiI5tig1KqQvR8oJ J8/aUljUlbg2giExnHZSvAYaNt0xtQaFCB4hewk2GJJsS+2CYieU0f8dVdPuIEo8z6 9GnxG4DJUwUa2bvrcQf5aeIfT+SvzScYWP8OvdJQwb4L6B7ZnQwSchKkCPpKLOX+DO oVKBDt2fwI84ba+OLU91Y13FQbDi5Q5fd+OqsC3n4dEXiS9NYePG10XLTRMiPn6qxz Q12ulanUJkgjw==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 546680iQ019967 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 6 May 2025 08:08:00 +0200
Message-ID: <cd0c95ae-07ef-41fb-aa82-cf7dcaf2f44b@mtg.de>
Date: Tue, 06 May 2025 08:08:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <174470653269.1286532.14892820163225351018@dt-datatracker-64c5c9b5f9-hz6qg> <LSicuu3DyGQdz5FlANti-HGJ6GuAucc5BKufbsCa603EsSZ0q1XMXYvt_OubLd0UQkg0gh2F--9y9WpoqWfQu5XU-KEcJ15GG66cSFk9ByU=@wussler.it> <87wmblcr8i.fsf@fifthhorseman.net> <3uEh1vLBaG5Cnfic_80Z3QJK3eh_rSNuuX0ZGlrItoy2_HuZ2vtUfqPDjQC-uxdQ2CurgFVG79ET4QyQ3zSgiX8xvTwVERPeA3vOhqjSHpc=@protonmail.com>
Content-Language: en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
In-Reply-To: <3uEh1vLBaG5Cnfic_80Z3QJK3eh_rSNuuX0ZGlrItoy2_HuZ2vtUfqPDjQC-uxdQ2CurgFVG79ET4QyQ3zSgiX8xvTwVERPeA3vOhqjSHpc=@protonmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms070600000000020706080500"
Message-ID-Hash: MTBJW7AJT6ETGILJWAJIGU3P4QTEYYE6
X-Message-ID-Hash: MTBJW7AJT6ETGILJWAJIGU3P4QTEYYE6
X-MailFrom: falko.strenzke@mtg.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: WGLC for draft-ietf-openpgp-pqc [was: Re: I-D Action: draft-ietf-openpgp-pqc-08.txt]
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/4s9GAqUZZmD95mMEJ30PsVKXqwU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi Daniel,

I don't see a problem in different implementations selecting different 
subkeys from the test vectors. While I understand that this is not an 
ideal situation, I also don't think that it is in the responsibility of 
the PQC draft to present test vectors that only allow an unanimous 
subkey selection. As you say yourself, we had agreed that this draft 
will not make a prescription on the subkey selection process. The 
natural effect of this is that different implementations may arrive at 
different sets of encryption subkeys.

We should also not forget that the actual purpose of the so-called 
encryption subkey selection process is to allow the certificate holder 
to express their preference regarding encryption subkey selection. But 
certainly there is always the possibility that the sender also enforces 
their own policy regarding the encryption key selection. One such policy 
might be, for example, to only use PQC keys. Moreover, the 
implementation of the encryption subkey selection mechanisms to be 
defined by the WG will remain a the discretion of the relevant OpenPGP 
implementation / mail client / user (sender) in any case. Accordingly, 
varying results for the encryption subkey selection process will remain 
normal.

Thus I don't see the need for either alternative 1. & 2. you give below. 
I also think the current statements in the draft saying that adding a 
PQC encryption subkey enables their use by senders that can parse them 
is valid and doesn't require to be changed. In my view, these statements 
do not trespass into the domain of an encryption subkey selection 
mechanism. They are simply stating the fact that, given that PQC 
encryption subkeys are present, these keys *can* be used by the sender. 
Whether the sender decides to do that in a specific case is another 
question – which is outside the domain of the PQC draft, as I think 
there is currently general agreement.

Best regards,
Falko

Am 01.05.25 um 19:07 schrieb Daniel Huigens:
> Hi all,
>
> I've updated the PQC test vectors in the interoperability test suite to
> those from draft-08, and we have interop between development versions of
> rpgpie, gopenpgp and rnp:https://tests.sequoia-pgp.org/?impls=16420&q=pqc.
> OpenPGP.js will follow soon(tm).
>
> Although the tests are green, the behavior isn't fully consistent
> between the implementations for the keys that have multiple subkeys,
> due to the lack of consensus on encryption subkey selection [1]:
> rpgpie encrypts to all subkeys, gopenpgp uses the PQC subkey, and
> rnp uses the ECC subkey. Two out of the three of those options
> obviously don't achieve post-quantum security.
>
> In previous discussions, we said that encryption subkey selection should
> be orthogonal to the PQC draft. However, there is still other text in
> the draft suggesting that it should be possible to achieve post-quantum
> security by adding a subkey, namely in Section 3.5 (Key version binding):
>
>> ML-KEM-768+X25519 (...) is also allowed in v4 encryption-capable subkeys.
>> This permits the keyholder of an existing v4 certificate to add such a
>> subkey to defend against store-now, decrypt-later attacks from quantum
>> computers without moving to a new primary key.
> and Section 8.3 (Key generation strategies):
>
>> Two migration strategies are recommended:
>> (...)
>> 2. Attach PQ(/T) encryption or signature subkeys to an existing
>>     traditional v6 OpenPGP certificate. (...)
> (also, if we want to keep this text, it should say "v6 or v4").
>
> So, I see two options:
>
> 1. We remove or water down that text, and change the test vectors to
>     only have one subkey. (We can make test vectors with multiple subkeys
>     once we decide how implementations should behave in that case.)
>
>     However, this would also weaken the justification for allowing
>     ML-KEM-768+X25519 to be used in v4 certificates a bit, as it wouldn't
>     be possible to add a PQC subkey to an existing certificate to
>     (reliably) get post-quantum security, for now.
>
> 2. We try to, after all, get consensus that for the test vectors
>     presented in the draft, implementations should select the PQC
>     subkey, only, and revert some of the changes in draft-08 to make
>     that more clear/explicit, perhaps qualified by saying that future
>     drafts may amend this guidance. For example, we could say
>     (adapted from draft-07):
>
>         In the absence of other indications or guidance on which
>         encryption key(s) to select, implementations SHOULD prefer PQ(/T)
>         keys when multiple options are available.  When encrypting to a
>         certificate that has both a valid PQ/T and a valid traditional
>         encryption subkey, an implementation SHOULD use the PQ/T subkey
>         only.  Furthermore, if an application has any means to determine
>         that encrypting to a PQ/T certificate and a traditional
>         certificate is redundant, it should omit encrypting to the
>         traditional certificate.
>
>     I'll also make a separate posting to the encryption subkey selection
>     thread to try to justify this further.
>
> I originally leaned towards the first option, because of previous
> discussions here, but now lean more towards the second, as I think
> it'll require fewer changes to this draft, and thus hopefully cause
> less of a delay (if the text proposed above is acceptable to folks).
> It'd also allow people to achieve post-quantum (encryption) security
> sooner.
>
> Apologies for catching / bringing this up a bit late, and on Labor Day
> no less :)
>
> Best,
> Daniel
>
>
> [1]:https://mailarchive.ietf.org/arch/msg/openpgp/FMzCI78v8fcRyGovPHpv8ZvxVnI/
>
> _______________________________________________
> openpgp mailing list --openpgp@ietf.org
> To unsubscribe send an email toopenpgp-leave@ietf.org
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.31.3 | Report a Bug | By Email | System Status