Re: [Sam Hartman] Openpgp comments

hal@finney.org ("Hal Finney") Mon, 18 September 2006 20:20 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GPPbb-0002sV-9h for openpgp-archive@lists.ietf.org; Mon, 18 Sep 2006 16:20:39 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GPPMR-0000cK-Ca for openpgp-archive@lists.ietf.org; Mon, 18 Sep 2006 16:05:11 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IJh1l8069270; Mon, 18 Sep 2006 12:43:01 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8IJh1nt069269; Mon, 18 Sep 2006 12:43:01 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IJgwl2069260 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 12:43:00 -0700 (MST) (envelope-from hal@finney.org)
Received: by finney.org (Postfix, from userid 500) id 1C12B14F6BC; Mon, 18 Sep 2006 12:43:08 -0700 (PDT)
To: derek@ihtfp.com, ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Message-Id: <20060918194308.1C12B14F6BC@finney.org>
Date: Mon, 18 Sep 2006 12:43:08 -0700 (PDT)
From: hal@finney.org ("Hal Finney")
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 8abaac9e10c826e8252866cbe6766464

Derek forwards from Sam Hartman of IETF:
> However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.
>
> The first is the lack of IANA registries....

It sounds like we can use some boilerplate language here without much
difficulty.

> The second issue is the encryption with integrity packet.  Today this
> is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
> for that and I think we need to support SHA-256 now.

This is a major setback.  It took years to get this change in place, the
whole issue of compatibility and installed base of software that doesn't
recognize the new packet formats.  I wonder if we could add a new set of
MDC packets as the "upgrade path" while retaining the old ones.  Then we
can gradually switch over to using the new ones over the next few years.
In that case we could change the draft expeditiously without commiting to
an immediate changeover in fielded implementations.

If we do pursue this, given the subsequent cryptographic progress since we
designed the MDC mechanism, we should probably look at the now-standard
mechanism of doing a keyed MAC over the ciphertext, rather than using
an encrypted hash of the plaintext.  The MAC could be HMAC with a hash
algorithm specifier for future upgrade.  The paper that first analyzed
this construction is: http://www-cse.ucsd.edu/~mihir/papers/oem.html .
It uses CBC mode, however the proof probably goes through for CFB mode
as well - the modes have similar security properties.

Hal Finney