Re: [openpgp] First 4880bis drafts

Ian G <iang@iang.org> Thu, 05 November 2015 19:30 UTC


On 05/11/2015 01:30, brian m. carlson wrote:
> On Wed, Nov 04, 2015 at 06:34:33PM +0100, Aaron Zauner wrote:
>> * Werner Koch <wk@gnupg.org> [04/11/2015 12:51:25] wrote:
>>>     o  Added Camellia cipher from RFC 5581.
>> Hrm. I'm against this.

++1++


>> CAMELLIA is going to be deprecated in e.g.
>> TLS because barely anyone uses it. I'm explicitly excluding anything
>> other than AES128 or 256 from my GnuPG config currently, I haven't
>> noticed any breakage in almost a year:
>> https://github.com/azet/dotfiles/blob/master/.gnupg/gpg.conf
> As Werner pointed out, Camellia has been around for some time.


Whatever - let implementations provide Camellia if they want to; they 
will need to handle archives and so forth.

The *standard* should do better, work for the benefit of all.

The standard should have an aggressive role in deprecation.

> It's
> also good to have enough diversity that if someone comes out with a
> major attack against AES, we're not totally sunk.

This is hypothetical.  It's never happened in our time.  Our 
cryptographers are better than that, let's rely on them.

> Camellia is a Feistel
> cipher, while AES is a substitution-permutation network, which means
> that attacks are unlikely to work against both.


Sorry - can we worry about realistic user problems not hypothetical 
academic issues?


> Currently, if AES were to be broken, TLS implementations would not
> interoperate at a 128-bit or higher security level.  OpenPGP would
> continue to function without much thought, which is a major asset.

? AES isn't going to be broken.  Software is going to be buggy - let's 
reduce complexity. Protocols might be flawed, let's make it simpler.  
But AES broken?  No.  Get realistic.


> I'm for deprecating algorithms which provide less than a 128-bit
> security level, such as SHA-1 and 3DES.


It is the case that we face a threat around the 80 bit mark.  Sure.

So, I'd suspect we're going to set a mark for future OpenPGP at the 256 
bit level.  This would have been a no-brainer until recent NSA Suite B 
news.  Does anyone have a feeling for where we'd like to draw the line now?

iang