IETF Logo Mail Archive

Re: [openpgp] crypto-refresh finished? (again;-)

Paul Schaub <vanitasvitae@fsfe.org> Wed, 21 June 2023 17:32 UTC

Return-Path: <vanitasvitae@fsfe.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32ACBC15106A for <openpgp@ietfa.amsl.com>; Wed, 21 Jun 2023 10:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.228
X-Spam-Level:
X-Spam-Status: No, score=-6.228 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdossM0fagh0 for <openpgp@ietfa.amsl.com>; Wed, 21 Jun 2023 10:32:36 -0700 (PDT)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A53DC14CEFE for <openpgp@ietf.org>; Wed, 21 Jun 2023 10:32:35 -0700 (PDT)
Received: from fews01-sea.riseup.net (fews01-sea-pn.riseup.net [10.0.1.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx1.riseup.net (Postfix) with ESMTPS id 4QmVv66JS8zDrKM for <openpgp@ietf.org>; Wed, 21 Jun 2023 17:32:34 +0000 (UTC)
X-Riseup-User-ID: DCEB832F53B947E65569202A05989D14EA1686748EA2BE0004DF2A01E7FE8F10
Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews01-sea.riseup.net (Postfix) with ESMTPSA id 4QmVtv0kBvzJmvH for <openpgp@ietf.org>; Wed, 21 Jun 2023 17:32:22 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------rpiTCD3Yh0KCetydorWdVvZl"
Message-ID: <27df35a4-8308-105f-c6db-20c5dcf00efa@fsfe.org>
Date: Wed, 21 Jun 2023 19:32:20 +0200
MIME-Version: 1.0
To: openpgp@ietf.org
References: <7b9d62a6-8570-ca81-c0bd-0f31d6cd136c@cs.tcd.ie> <aea6b745-0e65-ac19-077e-8f389868b658@cs.tcd.ie> <87mt0sn3rz.fsf@wheatstone.g10code.de>
Content-Language: en-US
From: Paul Schaub <vanitasvitae@fsfe.org>
In-Reply-To: <87mt0sn3rz.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/BbHFBFK4XpEMslKY6kjsT7zY_R8>
Subject: Re: [openpgp] crypto-refresh finished? (again;-)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2023 17:32:40 -0000

Hi,

Am 21.06.23 um 19:06 schrieb Werner Koch:
> Hi!
>
> Given that question and suggestions from major implementors have not
> been properly discussed and taken in account, I doubt that there is
> sufficient consensus in the WG for a new RFC or even an IETF Last Call.
>
> In particular Kai Eggert's mail from 8 Oct 2022 "Re: [openpgp] a new
> draft overlapping the WG draft" [1] had well thought out suggestions
> which were never seriously discussed.

Perhaps that demonstrates that the majority of involved parties did not 
see the need to discuss these points in more depth ¯\_(ツ)_/¯.

But let's give it a try anyways.

(quotes below from Kai's mail)

> Maybe the following could be done:
>
> * introduce the concepts of openpgp specification versions, and minimum
> supported openpgp versions
See key format versions (4,5,6) and feature flags[1].
> * Declare that a public key packet can specify the minimum OpenPGP
> version the key owner's software supports (define how public key packets
> could signal that). Find a way to encode that in a way that doesn't make
> public key packets incompatible with current GnuPG. If it's necessary to
> define an evolution of public key packets, try to reach consensus with
> GnuPG developers on how to do that.
Same as above. If there is a v4 key without the SEIPDv2 feature flag, 
implementations can produce artifacts compatible to rfc4880,rfc5581,rfc6637.
> * Release crypto-refresh as a new OpenPGP version 5, not as a successor
> for RFC 4880.
s/v5/v6
> * For public keys that lack the new OpenPGP version flag, assume the key
> owner is limited to RFC 4880 features, only.
See my comment above.
> * Declare that for messages that are signed, only, the signature packet
> should be limited to RFC 4880, or a future universally accepted
> successor (which is currently not in sight). The reason is that for
> signed-only messages, it isn't necessary to have public keys for all
> recipients, and thus the version signaling information may be absent.
> (Optionally the presence of public keys for all message recipients could
> be used to conclude that a newer signature package can be used.)
If the sender uses v5/v6 keys there is not much to do, since recipients 
cannot use the key to verify the signature anyways. Implementers could 
still opt to create v4 signatures if v4 keys are among the recipients in 
an attempt to have compatibility with v4 implementations that understand 
v5/v6 key packet formats.
> * Declare that in order to make use of any of the features from
> crypto-refresh, it's required to have a recipient public key that
> signals support for version 5.
s/v5/v6, but yes, an implementation that strives to be backwards 
compatible can do that.
> * If a message is to be sent to multiple recipients, which signal
> different supported OpenPGP versions, the sender is required to produce
> the appropriate number of different messages, one for each group of
> recipients supporting the same version.
That might be a solution, although it feels like a clumsy workaround.
> * For transparency reasons, each message somehow signal the additional
> reicpients, which will be handled with a separate openpgp message
> (different version). Maybe this could be done by reusing the existing
> "Public-Key Encrypted Session Key Packets" with a key identifier, but
> dummy data.
There now is an Intended Recipient Fingerprint subpacket to solve this 
issue.
> This means GnuPG would continue to use its existing packets, it would
> always use what's defined in version 4.
That's up to the GnuPG developers ;)
> Applications that support crypto-refresh would be required to also
> support RFC 4880.
That's up to implementers that support v6.
> When applications that support crypto-refresh need to send data to
> owners of public keys that lack the version information, then data
> that's compatible with GnuPG and old applications would be sent.
Sounds sensible.
> Disclaimer: This is a high level attempt to find a middle ground for the
> current conflict. I haven't read the full details of the RFCs, I might
> have missed if my suggestions are already specified, or that they are
> not doable.
>
> Kai
Thank you for your thoughts Kai. I think some of your ideas can be used 
to achieve interoperability between implementations with different 
levels of sophistication.

[1]: https://openpgp-wg.gitlab.io/rfc4880bis/#name-features

v2.23.0 | Report a Bug | By Email