Re: [openpgp] Weird OIDs in the 4880bis draft

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 22 February 2023 14:27 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Date: Tue, 21 Feb 2023 20:49:17 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/DEspz8oa7coUwTTXWicrPR5zTN0>

On Mon 2023-02-20 19:17:47 +0000, Stephen Farrell wrote:
> On 20/02/2023 19:01, Daniel Huigens wrote:
>> After discussing with Justus, dkg and Stephen, I've added the Curve25519
>> OIDs back into [!242], but marked as legacy (as Justus did in !240).
>> That way, they can still be referenced easily, but we still make it
>> clear that the new algorithm IDs are preferable. This doesn't simplify
>> the spec as much as before, but it's also a less radical change, and it
>> will still simplify greenfield implementations a lot. In a way, I think
>> it's a good compromise between the two MRs. And I believe that it now
>> represents the option we'd both be most happy with :)
>
> Ok, so given the proponents are now happy with this merge
> request can other people please take a look and express an
> opinion on the list as to whether we should make these
> changes now.
>
> Please do so by the end of Wednesday if you can.

With no hats on, I've reviewed the changes proposed in !242 and I am
fine with them.  It's a departure, but not a hugely radical one, and it
offers a *very* simple/clean approach to the use of CFRG curves in any
greenfield OpenPGP implementation.

The one substantive change I see (which Justus also observed [0]) is:

The new structure of X25519 and X448 inputs for KDF are simplified: RFC
6637-style ECDH binds the PKESK to the recipient by including the
recipient key's fingerprint in the KDF inputs, but X* algorithms do not.
So !242's approach means that the X25519 and X448 inputs could
potentially be modified with some sort of proxy "re-encryption" approach
[1], which wouldn't be possible under the RFC 6637 ECDH mechanism.

[0] https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/242#note_1285298560
[1] https://en.wikipedia.org/wiki/Proxy_re-encryption

I'm OK with this change, even though i'm not particularly wild about the
semantics or mental models involved with proxy re-encryption schemes.

RFC 6637 offered no clear justification for including the recipient's
fingerprint in the KDF in the first place, and as Daniel Huigens
observed, anyone interested in confirming who the message was intended
for should be using signed messages and the Intended Recipients
subpacket for that purpose.

There are a handful of cleanups that should probably be done if MR !242
is applied (i noted them on the gitlab issue), but i don't think any of
them are blockers to !242 itself.

And just a final note about the Subject line here: This change does
*not* get rid of the "weird OIDs" at all.  Rather, it acknowledges their
widespread use, and marks them explicitly as legacy OIDs that should not
be used with v6 keys.  I think that's a reasonable outcome for
standardization.

          --dkg
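
The KDF difference discussed in the message above, as an added example that is not part of the original post or of MR !242: it derives a key-wrapping key from the same shared secret with the RFC 6637 KDF (recipient fingerprint included) and with a fingerprint-free HKDF, to show what each one binds to. The `Recipient` type, the function names, all key and secret values, and the HKDF input order and info label are assumptions of this sketch.

```python
import hashlib
import hmac
from typing import NamedTuple

# Curve25519 OID 1.3.6.1.4.1.3029.1.5.1, as used by RFC 6637-style ECDH keys
CURVE25519_OID = bytes.fromhex("2b060104019755010501")

class Recipient(NamedTuple):          # hypothetical helper type
    public: bytes                     # raw public key material
    fingerprint: bytes                # fingerprint of the key packet

def rfc6637_kek(shared: bytes, rcpt: Recipient) -> bytes:
    """RFC 6637 KDF: SHA-256(00 00 00 01 || ZB || Param), leftmost 128 bits."""
    param = (
        bytes([len(CURVE25519_OID)]) + CURVE25519_OID
        + bytes([18])                 # public-key algorithm ID 18 (ECDH)
        + bytes([0x03, 0x01, 8, 7])   # KDF fields: SHA-256 (8), AES-128 (7)
        + b"Anonymous Sender    "     # fixed 20-octet string
        + rcpt.fingerprint            # this input binds the KEK to one key packet
    )
    return hashlib.sha256(b"\x00\x00\x00\x01" + shared + param).digest()[:16]

def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869), SHA-256, no salt; single block, so length <= 32."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def x25519_kek(shared: bytes, ephemeral_pub: bytes, rcpt: Recipient) -> bytes:
    """Fingerprint-free KDF; input order and info label are assumptions."""
    ikm = ephemeral_pub + rcpt.public + shared
    return hkdf_sha256(ikm, b"OpenPGP X25519", 16)

def binding_demo() -> dict:
    # Constructed values: no real keys and no real X25519 computation.
    shared, eph = bytes(range(32)), b"\x11" * 32
    key = b"\x22" * 32
    # Same key material under two fingerprints (a v4 fingerprint also hashes
    # the creation time, so the same key with a new time gets a new one).
    cert_a = Recipient(key, hashlib.sha1(b"constructed packet, time A").digest())
    cert_b = Recipient(key, hashlib.sha1(b"constructed packet, time B").digest())
    other = Recipient(b"\x33" * 32, cert_a.fingerprint)
    return {
        "rfc6637_same_kek": rfc6637_kek(shared, cert_a) == rfc6637_kek(shared, cert_b),
        "x25519_same_kek": x25519_kek(shared, eph, cert_a) == x25519_kek(shared, eph, cert_b),
        "x25519_other_key_same_kek": x25519_kek(shared, eph, cert_a) == x25519_kek(shared, eph, other),
    }
```

Under RFC 6637 the wrapping key changes whenever the fingerprint changes, even for identical key material; the fingerprint-free form depends only on the public keys and the shared secret.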