Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

Paul Wouters <> Tue, 31 October 2017 07:03 UTC

Date: Tue, 31 Oct 2017 03:03:43 -0400 (EDT)
From: Paul Wouters <>
To: Gregory Maxwell <>
cc: Ronald Tse <>, "Salz, Rich" <>, "" <>

On Tue, 31 Oct 2017, Gregory Maxwell wrote:

As the signaling of support for algorithms is better than I realised,
I'll let myself be convinced that adding a new algorithm isn't too
bad. While I still think there is an increased risk of non-interoperability
or non-adoption, I guess it is not a deal breaker for new algorithms.

>> The lesson here is, don't put arbitrary restrictions on your algorithm if
>> you want to see widespread adoption.
> This seems rather moralistic rather than a practical consideration.
> IETF protocols routinely register encodings and codepoints for highly
> restricted techniques:  OCB in OpenPGP would only get used when there
> is mutual support on both ends.
> I don't think the laudable effort of avoiding restricted techniques as
> mandatory in standardized protocols is aided by a total war on them
> that covers optional use of less restrictively licensed things.
> The standards process question should primarily be will it get use if
> it exists? If not, don't bother. The licensing of OCB appears to be
> very permissive for more than a few very broad classes (including Free
> Software implementations).  Input from implementers on if they'd
> implement it if specified should be the primary metric.

This is still a potential issue. As long as the algorithm has restrictions
on it that are discriminatory, its inclusion in a free software library
poses a risk for those companies shipping the software that have money
in the bank to attract lawsuits.

I'm worried about OCB support in openssl and/or other libraries as
part of the OS, because when a vendor's customers use it for some
"unauthorised use", the vendor might get involved in a lawsuit.

I'm also confused about these restrictions. If open source is allowed to
use it, anyone could use openssl under the newly minted (still minting?)
license to link against proprietary code, meaning that there are, in
practice, no restrictions left. So why doesn't Rogaway just release an
IPR statement to the IETF allowing its free and unrestrictive use?

Rich, do you know anything about the OCB code in openssl and how the
relicensing of openssl would mean the OCB code can remain or has to go?