Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

Paul Wouters <paul@nohats.ca> Sat, 28 October 2017 08:24 UTC

Date: Sat, 28 Oct 2017 04:23:51 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ronald Tse <tse@ribose.com>
cc: "openpgp@ietf.org" <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/6DUXmzQ4jkue9JrZkmCqNDVnfWA>

On Sat, 28 Oct 2017, Ronald Tse wrote:

> We all appreciate the work put into adding the AEAD packet specifications and making a real registry of it. It
> should be a good thing that someone proposes to actually use the AEAD registry. There’s really no reason blocking
> others from doing what they want.
> 
> Again, no one is taking anything away from the spec with a “MAY” phrase.

For protocols like IKE/IPsec or TLS, where you negotiate a cipher suite,
MAY algorithms are fine.

For a protocol where both parties are not online at the same time, and
where one party might not know the other party's capabilities at all,
a MAY algorithm can lead to non-interoperability (with human latency
involved).

Do OpenPGP public keys list all the encryption algorithms and signature
algorithms supported by that user? If not, then there should really only
be MUST algorithms (current crypto) and SHOULD algorithms (for things
being sunset). If OpenPGP public keys do list these, do we have any
information how current these are for most published public keys?

It would have been nice to have had OCB support when it was invented.
By now, the gains are pretty minimal. While there is an argument for
having a "stand by" or "backup" algorithm that is universally supported,
I would say chacha20/poly would be the better AEAD candidate.

And I don't agree with your handwaving about the various different
licenses and use cases. The fact that there is a discussion and unclarity
about this at all shows that there is an issue here.

It's not that I dislike OCB. I looked at OCB a few years ago when TLS got
special permission to use it, to see about defining it for IKE/IPsec as
well, but the TLS draft authors made it clear they took years getting all
the permissions and licensing in place, and it listed "TLS" specifically
at places, so I could not re-use their work at the time for IKE/IPsec. So
I decided not to pursue it for IKE/IPsec.

The lesson here is, don't put arbitrary restrictions on your algorithm if
you want to see widespread adoption.

Paul
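Added example (not part of the thread, and not OpenPGP implementation code): a small Python model of the selection problem Paul describes, where an offline sender can only pick an algorithm that every recipient's key advertises, and otherwise has to fall back to the MUST algorithm. Algorithm names, the preference lists and the MUST choice are constructed for illustration.

```python
"""Model of OpenPGP-style algorithm selection from recipient key preferences.

Constructed illustration: a sender that implements a MAY-level AEAD mode
(called "OCB" here) can only use it when every recipient key advertises
it. A key with no preference subpacket, or one created before the mode
existed, forces the MUST algorithm, because there is no live negotiation.
"""
from typing import Optional, Sequence

# Constructed status table in the spirit of the MUST/SHOULD/MAY discussion;
# not the real 4880bis registry.
MUST_ALGORITHM = "AES-128"
SENDER_SUPPORTS = ("OCB", "EAX", "AES-128")   # sender implements the MAY mode


def select_algorithm(recipient_prefs: Sequence[Optional[Sequence[str]]],
                     sender_supports: Sequence[str] = SENDER_SUPPORTS,
                     must: str = MUST_ALGORITHM) -> str:
    """Pick an algorithm every recipient advertised and the sender supports.

    recipient_prefs: one list per recipient key, most preferred first, or
    None when the key carries no preference information at all. Anything
    a key does not advertise is treated as unsupported by that recipient.
    Returns the chosen name, falling back to `must` when nothing is common.
    """
    candidates = list(sender_supports)
    for prefs in recipient_prefs:
        advertised = set(prefs) if prefs else {must}   # silent key: MUST only
        candidates = [a for a in candidates if a in advertised]
    if not candidates:
        return must
    # Break ties by the first recipient's stated order of preference.
    first = recipient_prefs[0] or [must]
    order = {name: i for i, name in enumerate(first)}
    return min(candidates, key=lambda a: order.get(a, len(order)))


def recipient_can_decrypt(chosen: str, prefs: Optional[Sequence[str]],
                          must: str = MUST_ALGORITHM) -> bool:
    """A recipient is assumed to handle only the MUST algorithm plus what
    its key advertises; picking a MAY mode blindly fails for everyone else."""
    return chosen == must or (prefs is not None and chosen in prefs)


if __name__ == "__main__":
    modern_key = ["OCB", "EAX", "AES-128"]
    old_key = ["AES-128"]            # generated before the AEAD mode existed
    print(select_algorithm([modern_key, modern_key]))   # common MAY mode
    print(select_algorithm([modern_key, old_key]))      # forced to MUST
    print(recipient_can_decrypt("OCB", old_key))        # blind OCB pick fails
```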