Re: SHA-xxx OIDs
bmoeller@hrzpub.tu-darmstadt.de (Bodo Moeller) Tue, 11 September 2001 09:50 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA01559 for <openpgp-archive@odin.ietf.org>; Tue, 11 Sep 2001 05:50:16 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id f8B9Zub25981 for ietf-openpgp-bks; Tue, 11 Sep 2001 02:35:56 -0700 (PDT)
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8B9ZsD25977 for <ietf-openpgp@imc.org>; Tue, 11 Sep 2001 02:35:55 -0700 (PDT)
Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id A07282C93; Tue, 11 Sep 2001 11:03:04 +0200 (MET DST)
Received: id <m15gjKD-000Qe5C@epsilon>; Tue, 11 Sep 2001 10:55:21 +0200 (CEST)
Message-Id: <m15gjKD-000Qe5C@epsilon>
Date: Tue, 11 Sep 2001 10:55:21 +0200
From: bmoeller@hrzpub.tu-darmstadt.de
To: ietf-openpgp@imc.org
Cc: Jon Callas <jon@callas.org>
Subject: Re: SHA-xxx OIDs
In-Reply-To: <p05100318b7bb28e4ba91@[192.168.1.180]>
References: <p05100318b7bb28e4ba91@[192.168.1.180]>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Jon Callas <jon@callas.org>: > Does someone want to volunteer to double-check the OIDs I have in bis-03 > for wide SHA? > > disastry@saiknes.lv claimed to have found them in an IEEE P1363a draft D7.9. > > Does anyone have validation that they exist, or know where to look? The URL > given for that draft is password-protected, [...] Just subscribe to one of the P1363 mailing lists (message "subscribe stds-p1363" and/or "subscribe stds-p1363-discuss" to majordomo@ieee.org) and you will immediately receive the password. That password "protection" is just a silly IEEE requirement. Received: by above.proper.com (8.11.6/8.11.3) id f8B9Zub25981 for ietf-openpgp-bks; Tue, 11 Sep 2001 02:35:56 -0700 (PDT) Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8B9ZsD25977 for <ietf-openpgp@imc.org>; Tue, 11 Sep 2001 02:35:55 -0700 (PDT) Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id A07282C93; Tue, 11 Sep 2001 11:03:04 +0200 (MET DST) Received: id <m15gjKD-000Qe5C@epsilon>; Tue, 11 Sep 2001 10:55:21 +0200 (CEST) Message-Id: <m15gjKD-000Qe5C@epsilon> Date: Tue, 11 Sep 2001 10:55:21 +0200 (CEST) From: bmoeller@hrzpub.tu-darmstadt.de (Bodo Moeller) To: ietf-openpgp@imc.org Cc: Jon Callas <jon@callas.org> Subject: Re: SHA-xxx OIDs In-Reply-To: <p05100318b7bb28e4ba91@[192.168.1.180]> References: <p05100318b7bb28e4ba91@[192.168.1.180]> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas <jon@callas.org>: > Does someone want to volunteer to double-check the OIDs I have in bis-03 > for wide SHA? > > disastry@saiknes.lv claimed to have found them in an IEEE P1363a draft D7.9. > > Does anyone have validation that they exist, or know where to look? The URL > given for that draft is password-protected, [...] Just subscribe to one of the P1363 mailing lists (message "subscribe stds-p1363" and/or "subscribe stds-p1363-discuss" to majordomo@ieee.org) and you will immediately receive the password. That password "protection" is just a silly IEEE requirement. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f8AJrWH05539 for ietf-openpgp-bks; Mon, 10 Sep 2001 12:53:32 -0700 (PDT) Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8AJrUD05534 for <ietf-openpgp@imc.org>; Mon, 10 Sep 2001 12:53:31 -0700 (PDT) Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id 6F1712C93; Mon, 10 Sep 2001 21:53:31 +0200 (MET DST) Received: id <m15gX4b-000Qe5C@epsilon>; Mon, 10 Sep 2001 21:50:25 +0200 (CEST) Message-Id: <m15gX4b-000Qe5C@epsilon> Date: Mon, 10 Sep 2001 21:50:25 +0200 (CEST) From: bmoeller@hrzpub.tu-darmstadt.de (Bodo Moeller) To: hal@finney.org Reply-To: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller) Cc: Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org, andrey_jivsov@NAI.com, hal_finney@NAI.com Subject: Re: Comments on ECC draft In-Reply-To: <200109060128.SAA02959@finney.org> References: <200109060128.SAA02959@finney.org> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> hal@finney.org>: [...] > We suggest the initial draft use only prime fields, descriptor 3, > and trinomial/pentanomial binary fields, descriptors 11 and 12. These > three are enough to cover all the NIST curves. They seem to provide > the advantages which we seek from ECC without multiplying the options > excessively. > > If the group does want to pursue additional field types, we would like > to see some rationale for the use of prime extension field types 4-9. Our > concern with the special primes 1-2 is that this area seems to be covered > by patents. [Field decriptors 1 and 2 are for pseudo-Mersenne prime fields.] What patents? These should be patents applied for by the NSA (the optimizations for pseudo-Mersenne primes are due to Jerry Solinas). I'm not sure how they'd handle licensing -- the patents for Jerry's algorithms for Koblitz curves have already been issued earlier this year, and presumably licensing would be similar to that, whatever this means. (Hopefully no restrictions, as for DSA, which is also patented.) (Note that the FIPS recommended curves over prime fields all are based on pseudo-Mersenne primes. Of course applications that want to use optimized modular arithmetic for these primes can do so, whether or not special field descriptors are used.) > And descriptors 14-16 are for normal bases, where we see > two problems. First, they cannot be efficiently implemented in software; > and second, we do not think it is possible to convert from a normal basis > into a polynomial basis representation without additional information > regarding the specific normal basis chosen. Hence using normal bases > as an interchange format is not a good choice. So we would like to see > more discussion of that aspect if the group wishes to pursue it. Also, this is an area where patents really appear to be a severe issue. > (One organizational point: section 4.4 actually describes custom curves, > and we would prefer to see the draft focus on predefined curves. We have > ideas on how to reorganize the draft to define specific coordinate > fields and curves based on them, which we are getting into shape to > present shortly.) The draft obviously intends to provide a lot of flexibility, while in the sake of efficiency and interoperability it would be better to sacrifice flexibility and limit the class of allowed curves. Received: by above.proper.com (8.11.6/8.11.3) id f8AJOdm04885 for ietf-openpgp-bks; Mon, 10 Sep 2001 12:24:39 -0700 (PDT) Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8AJOcD04880 for <ietf-openpgp@imc.org>; Mon, 10 Sep 2001 12:24:38 -0700 (PDT) Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id 301CE2C93; Mon, 10 Sep 2001 21:24:39 +0200 (MET DST) Received: id <m15gWcw-000Qe5C@epsilon>; Mon, 10 Sep 2001 21:21:50 +0200 (CEST) Message-Id: <m15gWcw-000Qe5C@epsilon> Date: Mon, 10 Sep 2001 21:21:50 +0200 (CEST) From: bmoeller@hrzpub.tu-darmstadt.de (Bodo Moeller) Reply-To: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller) To: ietf-openpgp@imc.org Cc: Jon Callas <jon@callas.org>, "vedaal" <vedaal@hotmail.com> Subject: Re: Reasons to include ECC to our charter In-Reply-To: <p0510030eb7bb0795e734@[192.168.1.180]> References: <OE63iEKAajHVBAIWPxg00004ca0@hotmail.com> <p0510030eb7bb0795e734@[192.168.1.180]> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas <jon@callas.org>: [...] > ECC does *not* affect the speed of large file encryption. Actually, it's > the opposite; it matters most for *small* files. You cannot expect elliptic curve based encryption to be faster than RSA encryption. Signing and decryption may be faster than for RSA or DSA/ElGamal (but not necessarily when the platform is a PC or workstations and if the modular exponentiation implementation is reasonably well optimized), but it is hard to beat RSA public key operations with small exponents. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f88LdHL29577 for ietf-openpgp-bks; Sat, 8 Sep 2001 14:39:17 -0700 (PDT) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f88LdDD29573 for <ietf-openpgp@imc.org>; Sat, 8 Sep 2001 14:39:14 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.22 #1 (Debian)) id 15fqkC-0000h9-00; Sun, 09 Sep 2001 00:38:32 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.22 #1 (Debian)) id 15ff0v-0005LB-00; Sat, 08 Sep 2001 12:07:01 +0200 To: "Michael Young" <mwy-opgp97@the-youngs.org> Cc: <ietf-openpgp@imc.org> Subject: Re: Identifying revoked certificates References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> <20010906154624.C750@akamai.com> <p0510032fb7bd98d93fcc@[192.168.1.180]> <87bsknplyl.fsf@alberti.gnupg.de> <009e01c137e3$f3c40be0$c23fa8c0@transarc.ibm.com> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com Date: 08 Sep 2001 12:07:01 +0200 In-Reply-To: <009e01c137e3$f3c40be0$c23fa8c0@transarc.ibm.com> ("Michael Young"'s message of "Fri, 7 Sep 2001 17:27:52 -0400") Message-ID: <87r8ti2dyy.fsf@alberti.gnupg.de> Lines: 23 User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, 7 Sep 2001 17:27:52 -0400, Michael Young said: > different types (generic, persona, etc.), possibly with > a specific lifetime associated with each; Better use a different key. > different notation data; > different trust for separate domains ("regular expressions"). If you can do a new signatue, you can put the old notation data in as well. > Do you not believe in any of these uses? Partly. -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: by above.proper.com (8.11.6/8.11.3) id f87M8di23426 for ietf-openpgp-bks; Fri, 7 Sep 2001 15:08:39 -0700 (PDT) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f87M8bD23422 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 15:08:37 -0700 (PDT) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id SAA15520 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 18:00:43 -0400 (EDT) Received: from mwyoung (dhcp-194-28.transarc.ibm.com [9.38.194.228]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id SAA09339 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 18:08:33 -0400 (EDT) Message-ID: <00ae01c137e9$24037ac0$c23fa8c0@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <3B987EBD.27F70B44@saiknes.lv> Subject: Re: Identifying revoked certificates Date: Fri, 7 Sep 2001 18:05:01 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- <disastry@saiknes.lv> wrote: > do not forget that sigs can be revoked not only by the *same creator*, > but also by *designated revoker*. > (AFAIK currently no PGP implementation supports designated revokers for > userid signatures, but it is allowed in 5.2.1. 0x30) I couldn't believe this, so I had to reread the spec, and indeed that's what it says. Is it really intended that a designated revoker should be able to revoke other *certifications* (not just the key)? [Arguably, a revoker subpacket in a certification would permit that. We're talking about a revoker subpacket in the key self-signature here.] Indeed, PGP6.5 does not support this. It provides no way to generate one, and even if it receives such a certificate revocation, it applies only to the issuer (not keys for which it is designated). [In fact, it isn't applied to subsequent signatures by the issuer, suggesting that either: it is caching the validity computation (but asking for reverification doesn't help), or it is applying a "most recent prevails" rule.] > btw currently there is not possible to know what is > revoked by designated revoker - keys self signature or ... Indeed, this is why this is a bad idea. I feel strongly that a "designated revoker" subpacket should apply to only that certificate. Usually that's a key-only self-signature, and a revocation on that would affect *any* other signatures made by that key. > 11.1. says that key and subkey revocation is *before* signatures. > why make it different for userid revocation? Fair point... "immediately preceding" would be more consistent. But I am willing to give up on this. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5lEgmNDnIII+QUHAQFXbQf+Ktb06chrGiXgI3c7djOQWeNcd8Hw9D5B qWGwHllrc03k8kaR3onkm1t6HYhLZqSbSLBspJWcNwBxHl+nmb8uIWSnOlBqukjO ZpMrs4eZGt7sRTFGMiYu/F+O8EezlOleOpVzGzjqJdGMC/tgenB0Avp0c6ZLYF3A 7o3WjkQ9bTmnBe+PXIehtFROVyKyYpyrQrVk9jdmiM0fhUhzekQ1w0wJGyTmppeh EX5BOKSkLcRYq6pKJtvlIVbT8liVWfJh9MWBaQBWBs4YJj/3DmoDcZzLqh0Dbsha /ijzKO9tzPsfM8phAH5NRL2yTjUN4a9fXdhG1JnZOxMYN+Upt/fD+g== =NFrt -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f87LVTT22795 for ietf-openpgp-bks; Fri, 7 Sep 2001 14:31:29 -0700 (PDT) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f87LVMD22791 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 14:31:27 -0700 (PDT) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id RAA76726 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 17:23:17 -0400 (EDT) Received: from mwyoung (dhcp-194-28.transarc.ibm.com [9.38.194.228]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id RAA09210 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 17:31:07 -0400 (EDT) Message-ID: <009e01c137e3$f3c40be0$c23fa8c0@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]><010901c135ad$a7233000$fac32609@transarc.ibm.com><p05100325b7bd794fd6a4@[192.168.1.180]><20010906154624.C750@akamai.com><p0510032fb7bd98d93fcc@[192.168.1.180]> <87bsknplyl.fsf@alberti.gnupg.de> Subject: Re: Identifying revoked certificates Date: Fri, 7 Sep 2001 17:27:52 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- "Werner Koch" <wk@gnupg.org> wrote: > I don't see a reason for the revocation target specifiers. The only > sound handling of self-signature revocations (and that's what we are > talking about) is to use the latest valid self-signature, be it a If "most recent prevails" is the only sound handling, and you want senders to depend on that, then the specification should say so. There was some resistance to this, though. Are multiple certifications illegal? (If so, the spec should recommend against doing so.) I can see a couple of reasons that I might want to sign the same key/name pair multiple times: different types (generic, persona, etc.), possibly with a specific lifetime associated with each; different notation data; different trust for separate domains ("regular expressions"). Do you not believe in any of these uses? > * Sequence of packets messed up. As it stands, the ordering section doesn't say where to put self-signatures, and it doesn't specify ordering for certificate revocations, so there is no way for things to be "messed up" within a given context. [If a revocation is in the wrong context (e.g., for userId "joe" instead of userId "bob"), then reordering is not particularly easy.] Jon Callas objected to adding an ordering suggestion. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5k71mNDnIII+QUHAQG0IQgAkbnCL9CAiO3+j0NlptEBCBn48YGyC82K UCqj2v/1dPEhGB+sitCEb8pvWJ4lc37YDW81krBbkhIhHCOBWOxM59vIFSGiejMA f76TwDlmE7eXYOhTpePZROm3/ABsMjslX2nLCAKq1g2N4DUuFmrS11pVMySN950f bAoDAkP9K0tR78QljbxOQLP73hT5NfLcZHLH8mmNa6NPRd9GHY/Df5Jg9e5/aJ35 f3HBi+s/60caB7PflpXDBT9uFJKSzWlXlmjzCxG3b9exHPYpLF9h4rjxkwwy4Hrj NR2EIftGlenCSnZ4kNkcG+AAb5m38IfE6Av4Wswgf7sDt4e6fYYPHA== =85f5 -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f878BQH12874 for ietf-openpgp-bks; Fri, 7 Sep 2001 01:11:26 -0700 (PDT) Received: from HACKSERV.saiknes.lv (hackserv.saiknes.lv [195.2.103.8]) by above.proper.com (8.11.6/8.11.3) with SMTP id f878BKD12861 for <ietf-openpgp@imc.org>; Fri, 7 Sep 2001 01:11:22 -0700 (PDT) Received: from saiknes.lv (unverified [127.0.0.1]) by 127.0.0.1 (EMWAC SMTPRS 0.83) with SMTP id <B0000084124@127.0.0.1>; Fri, 07 Sep 2001 09:01:01 +0200 Message-ID: <3B987EBD.27F70B44@saiknes.lv> Date: Fri, 07 Sep 2001 10:01:01 +0200 From: disastry@saiknes.lv Organization: .NO.SPaM.NET X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en,lv,ru MIME-Version: 1.0 To: ietf-openpgp@imc.org Subject: Re: Identifying revoked certificates Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > On Thu, Sep 06, 2001 at 12:06:49PM -0700, Jon Callas wrote: > > Is it worth adding the timestamp from the original signature to help > > find it without having to look at the (larger) hashes? On a uid with > > many signatures, this could speed things up. Once found, of course, > > the hash could then be checked for confirmation. > > I don't mind having the timestamp there, but I don't feel a need for > it, either. While I feel a need for this subpacket, at the same time, > I expect this situation to be rare, and there are other ways to > control the cost: > > Note that this disambiguation is necessary only for signatures within > the same context (key, key/user, key/subkey) and made by the *same > creator*. do not forget that sigs can be revoked not only by the *same creator*, but also by *designated revoker*. (AFAIK currently no PGP implementation supports designated revokers for userid signatures, but it is allowed in 5.2.1. 0x30) btw currently there is not possible to know what is revoked by designated revoker - keys self signature or revokers signature if there is one. for example: key A have signed by A (self sig) and B, in self sig B is specified as designated revoker. now if B revokes his signature, but currently it looks exactly like he have revoked A's self signature. > Although the current packet ordering rules don't address certificate > revocation, I'd suggest that a prudent ordering would put each after > its target. 11.1. says that key and subkey revocation is *before* signatures. why make it different for userid revocation? == <EOF> == Disastry http://i.am/disastry/ -----BEGIN PGP SIGNATURE----- Version: Netscape PGP half-Plugin 0.14 by Disastry / PGPsdk v1.7.1 iQA/AwUBO5hiZjBaTVEuJQxkEQM2ywCcDUR8Ru7Zj12mHGGyZH7Kcdi8XqUAmwVx SyqrvY8wYoDZOyiyFItJ+RZT =2jSN -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f8768NR26001 for ietf-openpgp-bks; Thu, 6 Sep 2001 23:08:23 -0700 (PDT) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f8768LD25990 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 23:08:21 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.22 #1 (Debian)) id 15fFjZ-0005xk-00; Fri, 07 Sep 2001 09:07:25 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.22 #1 (Debian)) id 15fEtW-0001Yy-00; Fri, 07 Sep 2001 08:13:38 +0200 To: ietf-openpgp@imc.org Subject: Re: Identifying revoked certificates References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> <20010906154624.C750@akamai.com> <p0510032fb7bd98d93fcc@[192.168.1.180]> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com Date: 07 Sep 2001 08:13:38 +0200 In-Reply-To: <p0510032fb7bd98d93fcc@[192.168.1.180]> (Jon Callas's message of "Thu, 6 Sep 2001 14:33:10 -0700") Message-ID: <87bsknplyl.fsf@alberti.gnupg.de> Lines: 37 User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 6 Sep 2001 14:33:10 -0700, Jon Callas said: > Now then, a question for implementors: If this gets put in, would you > implement it? "Yes, but not right away" is a fine answer, as are "Yes" and No. I don't see a reason for the revocation target specifiers. The only sound handling of self-signature revocations (and that's what we are talking about) is to use the latest valid self-signature, be it a revocation or a real self-signature. All other ways makes the protocol more complex and ambiguous and is error prone. Checking the timestamps of valid revocations and self-signatures is sufficient in about all cases. There are only 2 problems I can identify with this: * 2 signatures done in the same second. Solution: Don't do this and if you receive one, choose one of them by whatever means. * Sequence of packets messed up. This should not happen, but if it does there is the same chance that the UIDs or subkeys and their self-signatures are out of order and so one would need to specify the UID in the self-signature. Solution: Either drop these packets because they don't comply to OpenPGP or reorder them which might take a couple milliseconds. From experience I know that the reordering is only rarely needed and in most cases due to buggy keyserver implementations. Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f872sVv20829 for ietf-openpgp-bks; Thu, 6 Sep 2001 19:54:31 -0700 (PDT) Received: from smtprelay2.adelphia.net (smtprelay2.adelphia.net [64.8.25.7]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f872sJD20825 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 19:54:30 -0700 (PDT) Received: from mwyoung ([24.48.51.230]) by smtprelay2.adelphia.net (Netscape Messaging Server 4.15) with SMTP id GJ9UR303.33D for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 22:54:39 -0400 Message-ID: <001f01c13748$0f79d460$c23fa8c0@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> <20010906154624.C750@akamai.com> <002301c13717$dd93a1e0$e4c22609@transarc.ibm.com> <p05100330b7bd9c51106e@[192.168.1.180]> Subject: Re: Identifying revoked certificates Date: Thu, 6 Sep 2001 22:51:48 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- From: "Jon Callas" <jon@callas.org> > > that they use order of arrival. [Just the same, would anyone object > > to suggesting this ordering in section 10?] > > Yes. A change to the standard that requires all the implementations to > change is not desirable. I don't see what good it does for them other than, > "You'll thank me for this later." Telling them how to write their programs > adds complexity, and complexity lessens security. I didn't intend to *require* any ordering, only to *suggest* one, and only for interchange. Your principle would argue for eliminating all of the ordering rules. Why should userIDs precede subkeys? (For that matter, why should signatures have to follow the key/userid/subkey to which they refer -- an implementation *could* always try them all :-). Ordering helps receivers match things up. All that said, I'll retract my suggestion. It was just a hint, but as we both noted, matching using the hash is pretty straightforward, and is dwarfed by the PK verification anyway. Sorry for the excursion. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5g2I2NDnIII+QUHAQGAqgf/dfM0TXVzTwnsJCxl7GbPjS3sHHuPl6uC 0otpvdx/2oqfEMswhzay8xmt1aA+VJL7fflJctG3pRDxFFv4cacg+UqKoaZdWfqv cZZC7TiFZa4mdCYGCx9AzwvP05zTw7Sa7QMlAqLrxGHTtfcO2DLi/JguowGyfO8A Pjzmd6jUGGLGdlIPcJ7qInAx3EcmFOHc08xJ2r3tFyQG5Ke9Z5SWsSHMgiIzSJ8E PaAKmcuP+Kh2Szf2GRqfzFbrXU/A/bP6FC1bnGEIHrD3FcNajJ5SUbbNPyKutUdJ dq6YMRHoToqSFcRUJHWjbOWQKDMZZ+6gct61w4ATuNONCi/QBRfoVw== =3O2g -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86Lj0315527 for ietf-openpgp-bks; Thu, 6 Sep 2001 14:45:00 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86LixD15523 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 14:44:59 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Thu, 6 Sep 2001 14:44:57 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p05100330b7bd9c51106e@[192.168.1.180]> In-Reply-To: <002301c13717$dd93a1e0$e4c22609@transarc.ibm.com> References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> <20010906154624.C750@akamai.com> <002301c13717$dd93a1e0$e4c22609@transarc.ibm.com> Date: Thu, 6 Sep 2001 14:38:46 -0700 To: "Michael Young" <mwy-opgp97@the-youngs.org>, <ietf-openpgp@imc.org> From: Jon Callas <jon@callas.org> Subject: Re: Identifying revoked certificates Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 5:06 PM -0400 9/6/01, Michael Young wrote: > Although the current packet ordering rules don't address certificate > revocation, I'd suggest that a prudent ordering would put each after > its target. This would an even stronger hint. I note that neither > PGP6.5 nor GnuPG produces this ordering. At first glance, it appears > that they use order of arrival. [Just the same, would anyone object > to suggesting this ordering in section 10?] > Yes. A change to the standard that requires all the implementations to change is not desirable. I don't see what good it does for them other than, "You'll thank me for this later." Telling them how to write their programs adds complexity, and complexity lessens security. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86LYv815362 for ietf-openpgp-bks; Thu, 6 Sep 2001 14:34:57 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86LYtD15358 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 14:34:55 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Thu, 6 Sep 2001 14:34:54 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p0510032fb7bd98d93fcc@[192.168.1.180]> In-Reply-To: <20010906154624.C750@akamai.com> References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> <20010906154624.C750@akamai.com> Date: Thu, 6 Sep 2001 14:33:10 -0700 To: David Shaw <dshaw@akamai.com> From: Jon Callas <jon@callas.org> Subject: Re: Identifying revoked certificates Cc: Michael Young <mwy-opgp97@the-youngs.org>, ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 3:46 PM -0400 9/6/01, David Shaw wrote: >Is it worth adding the timestamp from the original signature to help >find it without having to look at the (larger) hashes? On a uid with >many signatures, this could speed things up. Once found, of course, >the hash could then be checked for confirmation. > My comments: * The amount of time need to compare bytes is negligible compared to the time needed to compare signatures. Byte compares are in the nanosecond to microsecond range, and doing a signature check is in milliseconds. In microsecond-land, a millisecond is a coffee break. In nanosecond-land, a millisecond is an American (but not European) vacation. * It's actually more likely to slow things down. Remember that hashes are completely uncorrelated. So the first time I compare a byte, there's a 1/256 chance that they match, yet this is not the hash I'm looking for. For ones that match the first byte, there's a 1/256 chance of a collision on the second byte, and so on. In an optimal implementation that compares bus-width quantities, (like 32, 64, or 128 bits), I'll almost never have a collision beyond the first compare. Adding in the timestamp just gives me more things to compare, things it is easier to have collisions on, and therefore slows the process down. * Having said all that, there's no good reason *not* to put the timestamp in. The whole reason for having this is as a disambiguator, and why have a disambiguator that isn't pretty darned specific, eh? Now then, a question for implementors: If this gets put in, would you implement it? "Yes, but not right away" is a fine answer, as are "Yes" and "No." Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86L99n14476 for ietf-openpgp-bks; Thu, 6 Sep 2001 14:09:09 -0700 (PDT) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86L97D14472 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 14:09:07 -0700 (PDT) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id RAA14616 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 17:01:12 -0400 (EDT) Received: from mwyoung (dhcp-194-28.transarc.ibm.com [9.38.194.228]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id RAA02699 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 17:09:03 -0400 (EDT) Message-ID: <002301c13717$dd93a1e0$e4c22609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> <20010906154624.C750@akamai.com> Subject: Re: Identifying revoked certificates Date: Thu, 6 Sep 2001 17:06:48 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- On Thu, Sep 06, 2001 at 12:06:49PM -0700, Jon Callas wrote: > A signature subpacket called "revocation target" that contains a 1-octet > PKalg, a 1-octet hash algorithm, and then a hash body. It denotes that a > revocation signature is intended to revoke the signature so specified. Sounds good. I didn't have the PK algorithm in my original proposal. I don't feel a need for it, but I don't mind having it there, either. From: "David Shaw" <dshaw@akamai.com> > Is it worth adding the timestamp from the original signature to help > find it without having to look at the (larger) hashes? On a uid with > many signatures, this could speed things up. Once found, of course, > the hash could then be checked for confirmation. I don't mind having the timestamp there, but I don't feel a need for it, either. While I feel a need for this subpacket, at the same time, I expect this situation to be rare, and there are other ways to control the cost: Note that this disambiguation is necessary only for signatures within the same context (key, key/user, key/subkey) and made by the *same creator*. Although the current packet ordering rules don't address certificate revocation, I'd suggest that a prudent ordering would put each after its target. This would an even stronger hint. I note that neither PGP6.5 nor GnuPG produces this ordering. At first glance, it appears that they use order of arrival. [Just the same, would anyone object to suggesting this ordering in section 10?] I expect many implementations will cache certificate verifications and revocation results upon receipt/incorporation, rather than doing them every time. An implementation that doesn't cache will have to compute the hash before using the PK algorithm to verify the original anyway. Since the PK verification is (relatively) expensive, it makes sense to look for any revocations first. A failing 20ish-byte hash match won't take longer than an (unaligned big-endian) 4-byte time match (and may fall out sooner); a successful match would require the 20ish-byte test anyway. If there's a match, the revocation certificate gets tested instead (and, assuming it verifies, the original verification can be skipped). But as I said up front, I don't object strongly to having it. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5flQGNDnIII+QUHAQGuMwf9EIRKx/gEJ5PV2hySzvBJV/2nrGie3ZQN oNpbE0Gze/rgOZEHjviajeOTcKrCnzNk4JMeiWYT2FiWsNwXHKj/Qkbnifsl8f17 aJ6RBoUTlwjhjiiOJVFC14A0Vy3PWTBLpQ2tCJSd02D5Yvtc5L+SHOez6iwVh1/j hKv4hQUqCJbfjBH6E5o8BncsZTR4if+zlgrm24IXymr4f83yqCxoOYC+EyhZnANn 9oEzAE7WJiKYznt/wL3THXzZRDPgefVeGH6turU+LMDS7p02gsiWrHGjKU3l/3I5 QvlFsc9KKpahtJGuaq/VymBmfxw1kX/vH2GIWb8QGwMxHXbS60YJRg== =e/dy -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86Jlbr13033 for ietf-openpgp-bks; Thu, 6 Sep 2001 12:47:37 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86JlaD13029 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 12:47:36 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.9.3/8.9.3) id PAA31464; Thu, 6 Sep 2001 15:46:24 -0400 Date: Thu, 6 Sep 2001 15:46:24 -0400 From: David Shaw <dshaw@akamai.com> To: Jon Callas <jon@callas.org> Cc: Michael Young <mwy-opgp97@the-youngs.org>, ietf-openpgp@imc.org Subject: Re: Identifying revoked certificates Message-ID: <20010906154624.C750@akamai.com> Mail-Followup-To: Jon Callas <jon@callas.org>, Michael Young <mwy-opgp97@the-youngs.org>, ietf-openpgp@imc.org References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <p05100325b7bd794fd6a4@[192.168.1.180]>; from jon@callas.org on Thu, Sep 06, 2001 at 12:06:49PM -0700 X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waning Gibbous (88% of Full) X-Pointless-Random-Number: 76 X-Silly-Header: It sure is. Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 06, 2001 at 12:06:49PM -0700, Jon Callas wrote: > > Are there any comments on Michael's suggestion? > > Here's a sketch design: > > A signature subpacket called "revocation target" that contains a 1-octet > PKalg, a 1-octet hash algorithm, and then a hash body. It denotes that a > revocation signature is intended to revoke the signature so specified. > > Comments? Is it worth adding the timestamp from the original signature to help find it without having to look at the (larger) hashes? On a uid with many signatures, this could speed things up. Once found, of course, the hash could then be checked for confirmation. David -- David Shaw | Technical Lead <dshaw@akamai.com> | Enterprise Content Delivery 617-250-3028 | Akamai Technologies Received: by above.proper.com (8.11.6/8.11.3) id f86J6xw12087 for ietf-openpgp-bks; Thu, 6 Sep 2001 12:06:59 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86J6wD12083 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 12:06:58 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Thu, 6 Sep 2001 12:06:57 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p05100325b7bd794fd6a4@[192.168.1.180]> In-Reply-To: <010901c135ad$a7233000$fac32609@transarc.ibm.com> References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> Date: Thu, 6 Sep 2001 12:06:49 -0700 To: "Michael Young" <mwy-opgp97@the-youngs.org>, <ietf-openpgp@imc.org> From: Jon Callas <jon@callas.org> Subject: Re: Identifying revoked certificates Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Are there any comments on Michael's suggestion? Here's a sketch design: A signature subpacket called "revocation target" that contains a 1-octet PKalg, a 1-octet hash algorithm, and then a hash body. It denotes that a revocation signature is intended to revoke the signature so specified. Comments? Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86J5wr12067 for ietf-openpgp-bks; Thu, 6 Sep 2001 12:05:58 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86J5uD12062 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 12:05:57 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Thu, 6 Sep 2001 12:05:47 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p05100320b7bd6810c94d@[192.168.1.180]> In-Reply-To: <87y9nuw09p.fsf@alberti.gnupg.de> References: <p05100309b7baf2e20a43@[192.168.1.180]> <87y9nuw09p.fsf@alberti.gnupg.de> Date: Thu, 6 Sep 2001 12:02:47 -0700 To: Werner Koch <wk@gnupg.org> From: Jon Callas <jon@callas.org> Subject: Re: Fixing the secret keys, and a small apology Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 9:43 AM +0200 9/5/01, Werner Koch wrote: >This is fine with me. > >Another question is the format. Should we include only the public >parameters or more stuff in the MDC? A solution I would like to see >is to just hash the fingerprint of the key along with the secret >parameters. I predict that in future, implementations will use the >fingerprint to identify a key (and not just the keyID) and therefore >it is steadily available. As a couple people noted, I was probably too glib. The byte isn't actually part of the S2K, it's a marker that says that an S2K follows. I think that 254 would denote that we have an S2K and a hash. Let's not call it an MDC, because we're going to get confused if we do. The questions I see are: Hash of what? Is it inside or outside the envelope? Where is it placed? Are there any developers that want to come up with a design? Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86A8B015154 for ietf-openpgp-bks; Thu, 6 Sep 2001 03:08:11 -0700 (PDT) Received: from mail1.biodata.com ([62.159.113.2]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86A8AD15150 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 03:08:10 -0700 (PDT) Received: from fra1d001.biodata.org ([10.10.1.51]) by mail1.biodata.com with Microsoft SMTPSVC(5.0.2195.2966); Thu, 6 Sep 2001 12:07:54 +0200 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Subject: RE: Comments on ECC draft X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Thu, 6 Sep 2001 12:07:53 +0200 Message-ID: <100722F3C53A484B8CF1F14B4F062E9315707A@fra1d001.biodata.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Comments on ECC draft Thread-Index: AcE2c0aNs1DEE9/xQwKDT5DCo/DqbgAQ4KuA From: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> To: <hal@finney.org> Cc: <ietf-openpgp@imc.org> X-OriginalArrivalTime: 06 Sep 2001 10:07:54.0024 (UTC) FILETIME=[CB462280:01C136BB] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f86A8BD15151 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hello. > We have been looking at the ECC issue and have a few comments on the > proposed draft by Dominikus Scherkl and Christoph Fausak. Thank you for your comments. > As efficiency is much of the motivation for going to EC > technology, we should try to preserve it. There are fields providing much better performance than even binary fields do (see below). > As candidates for the specific fields to use, we recommend > the selections from NIST [fips186-2], used as ECC groups in IKE > [draft-ietf-ipsec-ike-ecc-groups-03]. These fields are being deployed > and are in use in some environments. They provide for efficient > implementations. The named curves mentioned in section 9 are exactly these (and a few more), even using the same names. But as I heared, it's some of these which patents are claimed for (especialy the Kobliz curves) :-( > The last point we would like to make is about the field representation > format (section 4.4 in the draft), where again we would propose > to reduce the number of options in order to improve interoperability. > 16 options is too many. All the parameters are only nessessary for user defined curves. And they provide an efficient storage format for the named curves, too (but that's an implementation detail). If we rely only on the named curves, we don't need them ever. > If the group does want to pursue additional field types, we would like > to see some rationale for the use of prime extension field types 4-9. Especialy the field F(2^31-1)[x]/(x^7-7) [in my own description: D = 4, r = 31, c = 1, m = 7, w = 7] whose elements can be represented as serven 32bit words provide extremely fast arithmetics (an arbitrary field multiplication requires only about 6 machine multiplications - on 32bit machines of course) with over all security of 206 bit. (binary fields of equal length requires about 1400 additions) I'd add some courves over this field soon. > we do not think it is possible to convert from a normal basis > into a polynomial basis representation without additional information That is not true. You can use an arbitrary root (which can be calculated efficiently) to convert to some polynomial basis - but you need to reconvert any result to the normal basis, before using it. In Fact, this conversion also takes time, so normal bases are not that fast, I agree. > (One organizational point: section 4.4 actually describes custom curves, > and we would prefer to see the draft focus on predefined curves. I think it's easy to leave out some parts of my draft, although it's the better way to have covered all as to have only some parts and need to make something completey different if we encounter patented pars. ;-) best regards. - -- Dominikus Scherkl Biodata Application Security AG mail: dominikus.scherkl@biodata.com -----BEGIN PGP SIGNATURE----- Version: Biodata SecureDesk OpenPGP CryptoEngine Version 2.1 Comment: Biodata SecureDesk - http://securedesk.biodata.com wsBcBAEBAQAQBQI7l0r5CRArmDw6wJyywAAAtEcH/jAhv3NkJOf4+F7Q8DG6jvQR yHfRijvIvHVXlWKR8OuIdGXnMRxI3En0az28Ydr4w3WEHL6i/LPz33BYI7mI0Igy FiQ1bcuz+Ox9PLNhW4rx9uJ8mXzhjyDIZIrLElGfgntUKA7yrSkcm/NRdsohyb+k fHFHHEqGMAalziiN2tBu4ltqRJifksFaWZpBF6x3YOQXIZonGshqtcCJKyqA9p7J AXXKml0cFTUAnHCDupk7j+YEnzprsWylmpMjpUub3PVdofWXHvDHKsldKoRtcIFN MhGSmrqDp3qAgWTtbapJ51l5yxjge7TQAaioq5TjUIY87DSlNGyq4hinbvFSYj8= =/8KB -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f861StM11573 for ietf-openpgp-bks; Wed, 5 Sep 2001 18:28:55 -0700 (PDT) Received: from computer (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.11.6/8.11.3) with SMTP id f861SrD11569 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 18:28:53 -0700 (PDT) Received: (from hal@localhost) by finney.org (8.9.3/8.9.3) id SAA02959; Wed, 5 Sep 2001 18:28:32 -0700 Date: Wed, 5 Sep 2001 18:28:32 -0700 From: hal@finney.org Message-Id: <200109060128.SAA02959@finney.org> To: Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org Subject: Comments on ECC draft Cc: andrey_jivsov@NAI.com, hal_finney@NAI.com Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> We have been looking at the ECC issue and have a few comments on the proposed draft by Dominikus Scherkl and Christoph Fausak. Broadly speaking it looks very good. Obviously a lot of care and effort has gone into the work. It seems to be timely to address the issue of elliptic curve support as there is interest in this technology from a number of areas. Our main concern is the number of variations proposed. Experience with OpenPGP and other standards suggests that having a multitude of options does not lead to interoperability and security. It is better to focus on a small number of options that will be used and tested. In looking at the various forms of elliptic curves, we can separate consideration of the coordinate field (the field from which the X and Y coordinates are taken) from the curve group. Rather than describing each curve choice as a particular coordinate field and elliptic curve, we would rather specify a limited set of coordinate fields, and then to define curves using that set. Especially when implementing the binary (characteristic 2) fields, to get good performance it is necessary to optimize the code for the particular field size and basis. Knowing the polynomial you can hard-code the necessary shifts, xors, and array offsets and do the arithmetic very fast. Code which treats these values as variables will be much less efficient. As efficiency is much of the motivation for going to EC technology, we should try to preserve it. Therefore we recommend choosing a limited set of field sizes, and for each one choosing a single coordinate basis. This will let all implementers optimize their code for the fields that are actually in use. As candidates for the specific fields to use, we recommend the selections from NIST [fips186-2], used as ECC groups in IKE [draft-ietf-ipsec-ike-ecc-groups-03]. These fields are being deployed and are in use in some environments. They provide for efficient implementations. ECC groups in IKE specifies two curves for each choice of coordinate field, a random curve which is expected to provide maximal security due to absence of any exploitable structure, and a Koblitz curve which has structure that allows for optimization and high speed. We feel this is a good model to follow. It provides some flexibility while still providing a limited number of choices which will promote interoperability. No special coding is needed to support the Koblitz curve for interoperation purposes; effort is only required if you want to get the potential speed advantages. The last point we would like to make is about the field representation format (section 4.4 in the draft), where again we would propose to reduce the number of options in order to improve interoperability. 16 options is too many. We suggest the initial draft use only prime fields, descriptor 3, and trinomial/pentanomial binary fields, descriptors 11 and 12. These three are enough to cover all the NIST curves. They seem to provide the advantages which we seek from ECC without multiplying the options excessively. If the group does want to pursue additional field types, we would like to see some rationale for the use of prime extension field types 4-9. Our concern with the special primes 1-2 is that this area seems to be covered by patents. And descriptors 14-16 are for normal bases, where we see two problems. First, they cannot be efficiently implemented in software; and second, we do not think it is possible to convert from a normal basis into a polynomial basis representation without additional information regarding the specific normal basis chosen. Hence using normal bases as an interchange format is not a good choice. So we would like to see more discussion of that aspect if the group wishes to pursue it. (One organizational point: section 4.4 actually describes custom curves, and we would prefer to see the draft focus on predefined curves. We have ideas on how to reorganize the draft to define specific coordinate fields and curves based on them, which we are getting into shape to present shortly.) Hal Finney Andrey Jivsov Network Associates, Inc. URLs: NIST curves: http://csrc.nist.gov/publications/fips/fips186-2/fips186-2.pdf ECC groups: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ike-ecc-groups-03.txt Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85Lpvl08155 for ietf-openpgp-bks; Wed, 5 Sep 2001 14:51:57 -0700 (PDT) Received: from m11.jersey.juno.com (m11.jersey.juno.com [64.136.16.74]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85LpuD08151 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 14:51:56 -0700 (PDT) Received: from cookie.juno.com by cookie.juno.com for <"xS5dSbQuAOKnbKF9wbUrHJ39PYu6gR1FzOY/FcCWdJfFulbvEGnc6Q=="> Received: (from joe.tag@juno.com) by m11.jersey.juno.com (queuemail) id GELUQYRN; Wed, 05 Sep 2001 17:51:37 EDT To: jon@callas.org Cc: ietf-openpgp@imc.org Date: Wed, 5 Sep 2001 17:57:53 -0400 Subject: Re: Revised features section (brief) Message-ID: <20010905.175754.-3964411.4.joe.tag@juno.com> X-Mailer: Juno 5.0.33 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit From: Joe Tag <joe.tag@juno.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Thanks, folks. I have printed this; archived it. On Wed, 5 Sep 2001 13:02:40 -0700 Jon Callas <jon@callas.org> writes: > > This changes it to a bit vector. Brickbats to me. > > 5.2.3.24. Features > > (N octets of flags) > > The features subpacket denotes which advanced OpenPGP features a > user's implementation supports. This is so that as features are > added to OpenPGP that cannot be backwards-compatible, a user can > state that they can use that feature. > > This subpacket is similar to a preferences subpacket, and only > appears in a self-signature. > > An implementation SHOULD NOT use a feature listed when sending to > a > user who does not state that they can use it. > > Defined features are: > > First octet: > > 0x01 - Modification Detection (packets 18 and 19) > > If an implementation implements any of the defined features, it > SHOULD implement the features subpacket, too. > ________________________________________________________________ GET INTERNET ACCESS FROM JUNO! Juno offers FREE or PREMIUM Internet access for less! Join Juno today! For your FREE software, visit: http://dl.www.juno.com/get/tagj. Received: by above.proper.com (8.11.6/8.11.3) id f85KtFi06803 for ietf-openpgp-bks; Wed, 5 Sep 2001 13:55:15 -0700 (PDT) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85KtED06799 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 13:55:14 -0700 (PDT) Received: from [129.46.76.229] (dhcp123.qualcomm.com [129.46.76.229]) by mage.qualcomm.com (8.11.3/8.11.3/1.0) with ESMTP id f85Kt5C29483; Wed, 5 Sep 2001 13:55:05 -0700 (PDT) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <p0510010eb7bc3b253ad8@[129.46.76.229]> In-Reply-To: <p0510030db7bb06f4c163@[192.168.1.180]> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> <p05100300b7bac4c03376@[63.73.97.180]> <3B954C82.D388947@algroup.co.uk> <p0510030db7bb06f4c163@[192.168.1.180]> X-Mailer: eudora51-ffc10713011434 X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Wed, 5 Sep 2001 13:46:56 -0700 To: Jon Callas <jon@callas.org> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: Reasons to include ECC to our charter Cc: Ben Laurie <ben@algroup.co.uk>, ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> W/r/t Certicom's patents, I'm waiting to hear from a Simon Blake-Wilson at Certicom. I don't know if he's a crypto guy, a patent guy,or something else entirely. If someone knows him and has an email address, I'll pester him directly. At 3:34 PM -0700 9/4/01, Jon Callas wrote: >I have no idea how to do that, myself. But if someone else does the work >and convinces us that it's generic, I say go for it. That's also why I said >to do an informational RFC, make a sample implementation, let someone hack >up GPG to work with it, and we'll see. Dominikus' draft has proposals for changes. Is the proposal generic? Do the proposals conflict with 2440bis in any way? Are there implementations (and do they interoperate)? These are the issues, *if* we clear the IPR hurdle. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- Received: by above.proper.com (8.11.6/8.11.3) id f85Kl8E06625 for ietf-openpgp-bks; Wed, 5 Sep 2001 13:47:08 -0700 (PDT) Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85Kl7D06621 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 13:47:07 -0700 (PDT) Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.9.3/8.9.3) id QAA07395 for ietf-openpgp@imc.org; Wed, 5 Sep 2001 16:47:06 -0400 Date: Wed, 5 Sep 2001 16:47:06 -0400 From: David Shaw <dshaw@akamai.com> To: ietf-openpgp@imc.org Subject: Signer's User ID Message-ID: <20010905164705.E2054@akamai.com> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18 X-URL: http://www.jabberwocky.com/ X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full) X-Pointless-Random-Number: 32 X-Silly-Header: It sure is. Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> In 2440bis-03, the "Signer's User ID" signature subpacket is discussed, but no way to describe the data itself is included. I assume this is meant to be a string (like the User ID), so it might be good to have a "(String)" in there. David -- David Shaw | Technical Lead <dshaw@akamai.com> | Enterprise Content Delivery 617-250-3028 | Akamai Technologies Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85K5Xi05497 for ietf-openpgp-bks; Wed, 5 Sep 2001 13:05:33 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85K5WD05493 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 13:05:32 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3) for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 13:05:29 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p0510030ab7bc353e16fa@[192.168.1.180]> Date: Wed, 5 Sep 2001 13:02:40 -0700 To: ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Revised features section Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> This changes it to a bit vector. Brickbats to me. 5.2.3.24. Features (N octets of flags) The features subpacket denotes which advanced OpenPGP features a user's implementation supports. This is so that as features are added to OpenPGP that cannot be backwards-compatible, a user can state that they can use that feature. This subpacket is similar to a preferences subpacket, and only appears in a self-signature. An implementation SHOULD NOT use a feature listed when sending to a user who does not state that they can use it. Defined features are: First octet: 0x01 - Modification Detection (packets 18 and 19) If an implementation implements any of the defined features, it SHOULD implement the features subpacket, too. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85JkYf04938 for ietf-openpgp-bks; Wed, 5 Sep 2001 12:46:34 -0700 (PDT) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85JkQD04931 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 12:46:26 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.22 #1 (Debian)) id 15ejXp-0002sd-00; Wed, 05 Sep 2001 22:45:09 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.22 #1 (Debian)) id 15eigt-0003Lo-00; Wed, 05 Sep 2001 21:50:27 +0200 To: "Michael Young" <mwy-opgp97@the-youngs.org> Cc: <ietf-openpgp@imc.org> Subject: Re: Fixing the secret keys, and a small apology References: <p05100309b7baf2e20a43@[192.168.1.180]> <87y9nuw09p.fsf@alberti.gnupg.de> <005501c13633$e3734960$fac32609@transarc.ibm.com> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com Date: 05 Sep 2001 21:50:27 +0200 In-Reply-To: <005501c13633$e3734960$fac32609@transarc.ibm.com> ("Michael Young"'s message of "Wed, 5 Sep 2001 13:55:02 -0400") Message-ID: <873d61wh6k.fsf@alberti.gnupg.de> Lines: 26 User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 5 Sep 2001 13:55:02 -0400, Michael Young said: > But this wouldn't be an OpenPGP format. The OpenPGP secret key packet Right. It is an implementation detail which would help to avoid unprotecting and re-protecting when transferring keys. > Personally, I find it unlikely that an implementation would cut off > the public key parameters at all. It would have to do so very I know devices which do not have enough storage capacity for all parameters. > public parts. Lastly, it seems wise to perform consistency checks > between the public/private parts even in the presence of an MDC. I don't see a reason for this, if the MDC would not provide a sound consistency check, what else would do? Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85HvFG02382 for ietf-openpgp-bks; Wed, 5 Sep 2001 10:57:15 -0700 (PDT) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85Hv8D02378 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 10:57:14 -0700 (PDT) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id NAA78282 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 13:49:15 -0400 (EDT) Received: from mwyoung (dhcp-195-50.transarc.ibm.com [9.38.195.250]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id NAA25957 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 13:57:04 -0400 (EDT) Message-ID: <005501c13633$e3734960$fac32609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]> <87y9nuw09p.fsf@alberti.gnupg.de> Subject: Re: Fixing the secret keys, and a small apology Date: Wed, 5 Sep 2001 13:55:02 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- From: "Werner Koch" <wk@gnupg.org> > Another question is the format. Should we include only the public > parameters or more stuff in the MDC? A solution I would like to see > is to just hash the fingerprint of the key along with the secret I prefer hashing the full packet (v4-style, even for any v3 packets that use an MDC), but I could live with hashing the fingerprint. Old v3 fingerprints are slightly flawed (in that they don't hash the MPI sizes), but I suppose an exploit does seem unlikely here. Hashing the whole thing just feels more consistent. > think of putting the secet parameters on a hardware token and there > might be not enough space to store the public parameters - the But this wouldn't be an OpenPGP format. The OpenPGP secret key packet includes the public key material. Of course, an implementation can use its own internal key storage format (and associated protection). When such a hardware-token transformation cuts off the public key parameters, it can cut off the MDC (and add a new one if it sees fit). The spec need only deal with transmission among OpenPGP implementations. Personally, I find it unlikely that an implementation would cut off the public key parameters at all. It would have to do so very selectively, as many of them are necessary for private key operations as well. It also seems to me that you'd want the card to be able to verify past results from its own key, in which case it might want the public parts. Lastly, it seems wise to perform consistency checks between the public/private parts even in the presence of an MDC. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5Zm4WNDnIII+QUHAQHkZwgAlvxLPocVqq1y9sumbVszcSzh/0+tvvOs 3GljV627UlSEY8CnvZa2cCJEqj3W3ZcQJJODPnJg7ZYhD1BUngQi0aar7n0FaIwz OBybBNjKoMtiQeoCiUY/TqIUuLomWSA1cT0Z0AGSDwGCwiv3UJ+q4EyxYAIQZqu2 FFD9KufBmf+w0sFXhASVkgtMj1+9NA+WIdlMiYthOFAFmwhWzC1EgvhNm4ASVhUx 6llurDAN9JhJuaCdkctYJw3zhD80gUyMzhvQb2VN0zKI1bz2PuaGnOB/OwJkifig R7B16UDthP4sjB/CaAxUCzvH1dbuQesSCw+no/KNWeiL+kMZejQPIA== =Sg/T -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id f85For127580 for ietf-openpgp-bks; Wed, 5 Sep 2001 08:50:53 -0700 (PDT) Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85FopD27575 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 08:50:52 -0700 (PDT) Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id LAA44912 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 11:42:57 -0400 (EDT) Received: from mwyoung (dhcp-195-50.transarc.ibm.com [9.38.195.250]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id LAA25321 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 11:50:47 -0400 (EDT) Message-ID: <002a01c13622$3ec3eca0$fac32609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]> <tgae09ztfo.fsf@mercury.rus.uni-stuttgart.de> Subject: Re: Fixing the secret keys, and a small apology Date: Wed, 5 Sep 2001 11:48:44 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- From: "Florian Weimer" <Florian.Weimer@RUS.Uni-Stuttgart.DE> > Jon Callas <jon@callas.org> writes: > > there, then they can't use algorithm 254. However, not only is using a > > cipher algorithm deprecated, but our present max cipher number is 10. > > This is not quite correct, the numbers 100 to 110 are already > assigned, too, technically speaking. However, 254 was never an But, as Jon pointed out, any use of a cipher algorithm number here is deprecated. In fact, the String-to-Key section has the following commentary already. Note the explicit mention of IDEA. [2440bis-03, section 3.7.2.1]: > This last possibility, the cipher algorithm number with an implicit > use of MD5 and IDEA, is provided for backward compatibility; it MAY > be understood, but SHOULD NOT be generated, and is deprecated. I'd be perfectly happy strengthening this to "MUST NOT be generated for algorithms outside the ranges 1-10 and 100-110" (or just IDEA). -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5ZGC2NDnIII+QUHAQGSxAf+P/ZbGOKHeRIXE/ikZq0SI5BNBvfTXta0 A8+MoeBRMvSyHWXz1csiaL/N9R/jsGAMlzjOYoTHRqi1ZvcRRaY2VrPoSyQfn+tF k3V4EpsZq9b/dMtlPkHuuK5wx3kOhXQXSfciH+qZJl49MW/XBOTzKzQZFC98GRUu hdZKkVGzEtUMlsnAB9JOaC5NmgCLSJi/rs/K81qsyvKXamazx5woqi+sCbI1XXyw oJqkSIXKu+PfzbbIqe3fbemG9s/OrhZuEZucGWSEJG/GsCvjePEDZ1+VuGxCnUlp zeHiDoovt5yC+n4WDq9H0sH9BmgHNh2rXA3G/fCMs/qBstrhh8Equg== =1wOR -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85FKbv24634 for ietf-openpgp-bks; Wed, 5 Sep 2001 08:20:37 -0700 (PDT) Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85FKZD24630 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 08:20:35 -0700 (PDT) Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.22 #1 (Debian)) id 15efOP-0002Pi-00; Wed, 05 Sep 2001 18:19:09 +0200 Received: from wk by alberti.gnupg.de with local (Exim 3.22 #1 (Debian)) id 15eXLO-0002oO-00; Wed, 05 Sep 2001 09:43:30 +0200 To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org Subject: Re: Fixing the secret keys, and a small apology References: <p05100309b7baf2e20a43@[192.168.1.180]> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH X-PGP-KeyID: 621CC013 X-Request-PGP: finger://wk@g10code.com Date: 05 Sep 2001 09:43:30 +0200 In-Reply-To: <p05100309b7baf2e20a43@[192.168.1.180]> (Jon Callas's message of "Tue, 4 Sep 2001 14:28:50 -0700") Message-ID: <87y9nuw09p.fsf@alberti.gnupg.de> Lines: 34 User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 4 Sep 2001 14:28:50 -0700, Jon Callas said: > * Change the String-to-Key specifier. The solution here is adding in the > tag 254 to 3.7.2.1 and have 254 denote an improved S2K. The benefit here is This is fine with me. Another question is the format. Should we include only the public parameters or more stuff in the MDC? A solution I would like to see is to just hash the fingerprint of the key along with the secret parameters. I predict that in future, implementations will use the fingerprint to identify a key (and not just the keyID) and therefore it is steadily available. Implementations wouldn't have to worry about the public key parameters when unprotecting the secret parameters of a secret key. One might think of putting the secet parameters on a hardware token and there might be not enough space to store the public parameters - the fingerprint and the secret parameters should be enough to put on a (memory only) token. > there, then they can't use algorithm 254. However, not only is using a > cipher algorithm deprecated, but our present max cipher number is 10. I Given that we assigned 100-110 for experimental algorithms it is unlikely that higher algorithms identifiers are ever used. Werner -- Werner Koch Omnis enim res, quae dando non deficit, dum habetur g10 Code GmbH et non datur, nondum habetur, quomodo habenda est. Privacy Solutions -- Augustinus Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85DurA18635 for ietf-openpgp-bks; Wed, 5 Sep 2001 06:56:53 -0700 (PDT) Received: from fs.imstumped.com (arielle.dsl.patriot.net [209.249.182.205]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85DuqD18631 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 06:56:52 -0700 (PDT) Received: from localhost (scm@localhost) by fs.imstumped.com (8.11.0/8.11.0) with ESMTP id f85DuU323335; Wed, 5 Sep 2001 09:56:30 -0400 Date: Wed, 5 Sep 2001 09:56:30 -0400 (EDT) From: "Shawn C. Masters" <scm@imstumped.com> To: Dominikus Scherkl <Dominikus.Scherkl@biodata.com> cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> Subject: Re: AW: Reasons to include ECC to our charter In-Reply-To: <100722F3C53A484B8CF1F14B4F062E93157074@fra1d001.biodata.org> Message-ID: <Pine.LNX.4.30.0109050944550.21926-100000@fs.imstumped.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 5 Sep 2001, Dominikus Scherkl wrote: > > > ECC does *not* affect the speed of large file encryption. > Agreed. But that's not the point. > The most convincing argument for including ECC (to me) is > having another alternative, an algorithm depending on a > completely different problem, independent to integer > factorization and discrete logarithms. > Actually it isn't independent of either integer factorization or the discrete log problem. All of the ECC systems I've seen are actually discrete log over the elleptic curve derived number field rather than the one produced by "mod n". The only real difference is that no one knows how to apply a number field sieve to the ECC. Well more accuratly, no one knows if there exists a definition of "smoothness", thus the most effecient factoring algorithm to date is Pollard's Rho which sets the equivalent key strength to a much smaller multiple of RSA before Number field seives. So you get a faster PK encryption, that uses less memory, but only because no one has figured out how to apply our best factoring algorithms to it. This may not be possible, or may just not be known. Of course , the next major advance in factoring may not even be a seive, or require smoothness. That is why many people only recommend ECC for small devices, but these are all if's. 73, Shawn Received: by above.proper.com (8.11.6/8.11.3) id f85CwDE15711 for ietf-openpgp-bks; Wed, 5 Sep 2001 05:58:13 -0700 (PDT) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85CwCD15705 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 05:58:12 -0700 (PDT) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.22 #1) id 15ecFH-0006rm-00 for ietf-openpgp@imc.org; Wed, 05 Sep 2001 14:57:31 +0200 To: ietf-openpgp@imc.org Subject: Re: Fixing the secret keys, and a small apology References: <p05100309b7baf2e20a43@[192.168.1.180]> From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 05 Sep 2001 14:57:31 +0200 In-Reply-To: <p05100309b7baf2e20a43@[192.168.1.180]> (Jon Callas's message of "Tue, 4 Sep 2001 14:28:50 -0700") Message-ID: <tgae09ztfo.fsf@mercury.rus.uni-stuttgart.de> Lines: 30 User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas <jon@callas.org> writes: > * Change the entire public key version number to 5, and add in a check. I think V5 should be started only if a few other adjustments are made, too. The certificate-does-not-cover-key-expiration-time problem comes to my mind here. ;-) > * Change the String-to-Key specifier. The solution here is adding in the > tag 254 to 3.7.2.1 and reserve 254 (and 255) in 9.2 for this kind of use. > and have 254 denote an improved S2K. The benefit here is > that it causes the least change to user software, and is as secure as > anything else. The downside is that if someone uses a cipher algorithm > there, then they can't use algorithm 254. However, not only is using a > cipher algorithm deprecated, but our present max cipher number is 10. This is not quite correct, the numbers 100 to 110 are already assigned, too, technically speaking. However, 254 was never an official private/experimental symmetric algorithm identifier, so I don't think we have to care about potential problems caused by using 254 at this particular place, especially since using symmetric algorithm specifiers in this context is deprecated anyway. -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f85AnE207900 for ietf-openpgp-bks; Wed, 5 Sep 2001 03:49:14 -0700 (PDT) Received: from wit387304.student.utwente.nl (wit387304.student.utwente.nl [130.89.234.74]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85AnCD07887 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 03:49:12 -0700 (PDT) Received: from druif.local ([10.235.121.12]) by wit387304.student.utwente.nl with esmtp (Exim 2.05 #1) id 15eaEx-0000WX-00; Wed, 5 Sep 2001 12:49:03 +0200 Date: Wed, 05 Sep 2001 12:49:51 +0200 From: Edwin Woudt <edwin@woudt.nl> To: Jon Callas <jon@callas.org>, ietf-openpgp@imc.org Subject: Re: SHA-xxx OIDs Message-ID: <271142766.999694191@[10.235.121.12]> In-Reply-To: <p05100318b7bb28e4ba91@[192.168.1.180]> References: <p05100318b7bb28e4ba91@[192.168.1.180]> X-Mailer: Mulberry/2.1.0 (Win32) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas <jon@callas.org> wrote: > Does someone want to volunteer to double-check the OIDs I have in bis-03 > for wide SHA? They are also in the PKCS#1 v2.1 draft: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.pdf The values in the bis-03 draft match the values in this document. Edwin Received: by above.proper.com (8.11.6/8.11.3) id f85Aj1g07827 for ietf-openpgp-bks; Wed, 5 Sep 2001 03:45:01 -0700 (PDT) Received: from scuzzy.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85Aj0D07821 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 03:45:00 -0700 (PDT) Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id 704E62E9BB; Wed, 5 Sep 2001 10:44:55 +0000 (GMT) Message-ID: <3B960227.FF20B41E@algroup.co.uk> Date: Wed, 05 Sep 2001 11:44:55 +0100 From: Ben Laurie <ben@algroup.co.uk> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Dominikus Scherkl <Dominikus.Scherkl@biodata.com> Cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> Subject: Re: AW: Reasons to include ECC to our charter References: <100722F3C53A484B8CF1F14B4F062E93157075@fra1d001.biodata.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Dominikus Scherkl wrote: > > > Sorry, that's not how patents work - licensing is required > > to use it at all, not only if you want to sell it. > Ok, that was nor the right wording. > We can use it _in a standard_ and _test_ it - unless it is > used in an implementation. No, you can't even do that. But even if you could, what would the point be? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: by above.proper.com (8.11.6/8.11.3) id f85AeOf07705 for ietf-openpgp-bks; Wed, 5 Sep 2001 03:40:24 -0700 (PDT) Received: from mail1.biodata.com ([62.159.113.2]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85AeND07701 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 03:40:23 -0700 (PDT) Received: from fra1d001.biodata.org ([10.10.1.51]) by mail1.biodata.com with Microsoft SMTPSVC(5.0.2195.2966); Wed, 5 Sep 2001 12:40:08 +0200 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: AW: Reasons to include ECC to our charter X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Wed, 5 Sep 2001 12:40:08 +0200 Message-ID: <100722F3C53A484B8CF1F14B4F062E93157075@fra1d001.biodata.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: AW: Reasons to include ECC to our charter Thread-Index: AcE19S288tYiOnthRtS10dzT7sMMmAAAEpHA From: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> To: "Ben Laurie" <ben@algroup.co.uk> Cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> X-OriginalArrivalTime: 05 Sep 2001 10:40:08.0919 (UTC) FILETIME=[2225EE70:01C135F7] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f85AeND07702 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > Sorry, that's not how patents work - licensing is required > to use it at all, not only if you want to sell it. Ok, that was nor the right wording. We can use it _in a standard_ and _test_ it - unless it is used in an implementation. Sure, that is much worse than what I said. :-( -- Dominikus Scherkl Biodata Application Security AG mail: Dominikus.Scherkl@Biodata.com Received: by above.proper.com (8.11.6/8.11.3) id f85AQEh06539 for ietf-openpgp-bks; Wed, 5 Sep 2001 03:26:14 -0700 (PDT) Received: from scuzzy.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85AQDD06532 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 03:26:14 -0700 (PDT) Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id 85AB82E9BB; Wed, 5 Sep 2001 10:26:07 +0000 (GMT) Message-ID: <3B95FDBF.E86D2B01@algroup.co.uk> Date: Wed, 05 Sep 2001 11:26:07 +0100 From: Ben Laurie <ben@algroup.co.uk> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Dominikus Scherkl <Dominikus.Scherkl@biodata.com> Cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> Subject: Re: AW: Reasons to include ECC to our charter References: <100722F3C53A484B8CF1F14B4F062E93157072@fra1d001.biodata.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Dominikus Scherkl wrote: > > What will we see? Clearly its possible to do - so what's > > interesting about doing it before we can be sure we can use it? > We indeed _can_ be sure that we can use it - anyone can use it > unless she want to sell it (which may require licencing). Sorry, that's not how patents work - licensing is required to use it at all, not only if you want to sell it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: by above.proper.com (8.11.6/8.11.3) id f85AMFL06456 for ietf-openpgp-bks; Wed, 5 Sep 2001 03:22:15 -0700 (PDT) Received: from mail1.biodata.com ([62.159.113.2]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f85AMED06451 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 03:22:14 -0700 (PDT) Received: from fra1d001.biodata.org ([10.10.1.51]) by mail1.biodata.com with Microsoft SMTPSVC(5.0.2195.2966); Wed, 5 Sep 2001 12:21:59 +0200 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: AW: Reasons to include ECC to our charter X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Wed, 5 Sep 2001 12:21:59 +0200 Message-ID: <100722F3C53A484B8CF1F14B4F062E93157074@fra1d001.biodata.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Reasons to include ECC to our charter Thread-Index: AcE1lFZ7vLjBceu3QDWwvQnLt358dQAX5ktA From: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> To: "Jon Callas" <jon@callas.org> Cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> X-OriginalArrivalTime: 05 Sep 2001 10:22:00.0187 (UTC) FILETIME=[99369CB0:01C135F4] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f85AMFD06453 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > ECC does *not* affect the speed of large file encryption. Agreed. But that's not the point. The most convincing argument for including ECC (to me) is having another alternative, an algorithm depending on a completely different problem, independent to integer factorization and discrete logarithms. -- Dominikus Scherkl Biodata Application Security AG mail: Dominikus.Scherkl@Biodata.com Received: by above.proper.com (8.11.6/8.11.3) id f859mVC04554 for ietf-openpgp-bks; Wed, 5 Sep 2001 02:48:31 -0700 (PDT) Received: from mail1.biodata.com ([62.159.113.2]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f859mUD04548 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 02:48:30 -0700 (PDT) Received: from fra1d001.biodata.org ([10.10.1.51]) by mail1.biodata.com with Microsoft SMTPSVC(5.0.2195.2966); Wed, 5 Sep 2001 11:48:15 +0200 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: AW: Reasons to include ECC to our charter X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Wed, 5 Sep 2001 11:48:15 +0200 Message-ID: <100722F3C53A484B8CF1F14B4F062E93157072@fra1d001.biodata.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Reasons to include ECC to our charter Thread-Index: AcE1lP1DGB9nBwWCQHCasLZSMIppWwAVlJSQ From: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> To: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> X-OriginalArrivalTime: 05 Sep 2001 09:48:15.0817 (UTC) FILETIME=[E2984390:01C135EF] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f859mVD04550 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hello. > > > That's precisely the issue - how do we make sure it > > > doesn't assume a patented technology if we don't know > > > what the patents are? I think we agree now that there exists patents, so ECC will not be mandatory part of the standard. But if it's optional it is not essential to know what is patented and what not - it would only be nice to know. > > If someone comes up with a layout that supports ECC > > generically, I'd say go with it. May I remember that it's exactly what I ask for? To go with what I submitted? > > if someone else does the work and convinces us that it's > > generic, I say go for it. What do you dislike in my proposal? What is not generic enough? Till mow I've not read any content-specific critics. > > That's also why I said to do an informational RFC, Ok, I can submit my draft also as an informational RFC. Is it that what you want me to do? > > make a sample implementation, let someone hack up GPG to > > work with it, and we'll see. To experiment wit elliptic curves LiDIA (Library for computational number theory - from the Technische Universitaet Darmstadt) has all you need. Also P1363 is a good point to get implementations of most the algorithms needed for ECC and ECDSA. I think there are already diverse implementations of ECC waiting for a standard to interoperate. > > What will we see? Clearly its possible to do - so what's > interesting about doing it before we can be sure we can use it? We indeed _can_ be sure that we can use it - anyone can use it unless she want to sell it (which may require licencing). Sorry if my words sound too hard. I don't mind. I don't worry about the discussion. Quite the opposit, it's worthwhile. But I would enjoy it very much to have an ECC standard at last. Best regards. -- Dominikus Scherkl Biodata Application Security AG mail: Dominikus.Scherkl@Biodata.com Received: by above.proper.com (8.11.6/8.11.3) id f859E0701904 for ietf-openpgp-bks; Wed, 5 Sep 2001 02:14:00 -0700 (PDT) Received: from mail1.biodata.com ([62.159.113.2]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f859DwD01900 for <ietf-openpgp@imc.org>; Wed, 5 Sep 2001 02:13:59 -0700 (PDT) Received: from fra1d001.biodata.org ([10.10.1.51]) by mail1.biodata.com with Microsoft SMTPSVC(5.0.2195.2966); Wed, 5 Sep 2001 11:13:43 +0200 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: AW: SHA-xxx OIDs X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Wed, 5 Sep 2001 11:13:42 +0200 Message-ID: <100722F3C53A484B8CF1F14B4F062E931496C8@fra1d001.biodata.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: SHA-xxx OIDs Thread-Index: AcE1rVG20AU2WfyHTdCiVaiepAOL5AAPT0iA From: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> To: "Jon Callas" <jon@callas.org> Cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> X-OriginalArrivalTime: 05 Sep 2001 09:13:43.0275 (UTC) FILETIME=[0F4373B0:01C135EB] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f859DxD01901 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> > Does someone want to volunteer to double-check the OIDs I > have in bis-03 for wide SHA? > > disastry@saiknes.lv claimed to have found them in an IEEE > P1363a draft D7.9. Yes. I found them there too. Looks as they were correct. > Does anyone have validation that they exist, or know where to > look? The URL given for that draft is password-protected Subscribe to the P1363 discussion list and you will get the password - also interessting if you want to get a reference implementation of most ECC-related algorithms. -- Dominikus Scherkl Biodata Application Security AG mail: Dominikus.Scherkl@Biodata.com Received: by above.proper.com (8.11.6/8.11.3) id f851uHq25786 for ietf-openpgp-bks; Tue, 4 Sep 2001 18:56:17 -0700 (PDT) Received: from smtprelay3.adelphia.net (smtprelay3.adelphia.net [64.8.25.8]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f851uFD25782 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 18:56:15 -0700 (PDT) Received: from mwyoung ([24.48.51.230]) by smtprelay3.adelphia.net (Netscape Messaging Server 4.15) with SMTP id GJ62QL01.T2B for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 21:56:45 -0400 Message-ID: <010901c135ad$a7233000$fac32609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]> Subject: Identifying revoked certificates Date: Tue, 4 Sep 2001 21:54:06 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- From: "Jon Callas" <jon@callas.org> > Now then, one of the remaining things really on our agenda is to discuss > fixing the secret key format. Can I get something added to the agenda? Last week, I asked how certificate revocation was supposed to work in the presence of multiple certificates for the same key/userId (or key/subkey or just key) material. I don't buy the argument that the spec shouldn't cover semantics here -- I don't care if the spec says how an implementation should treat a revocation, but I think it's critical that the sender and receiver agree on what is being revoked. My proposal was to add a signature subpacket to contain the hash algorithm and value from the certificate being revoked. Old implementations should ignore it (unless the sender marks it critical, in which case they should ignore the revocation itself). New implementations can use it to positively identify the original. Does this sound reasonable? If not, do you disagree with the premise that identification is useful? Or, do you dislike the form of the ID? (Plus, in doing so, the spec can remain silent on the meaning of duplicate certificates. I favor adding a "most recent prevails" recommendation, but if I can revoke *specific* older ones to make my intention clear, I don't need to depend on any other rules.) -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5WFnGNDnIII+QUHAQExMgf/bWSykKCbGLUwKBwQg2etB6br0EvUO3ya 33Vz2gxjkeUN/W0v5IeWu0NJHpBFaBkjsM7SvG/jBi4E0Sso7FXn+qu0N+k/Lm2t B/7WWKnF+hZfYl2s+facScyF5rGQ6xiWsb3godcLjYRxTTcPrbfdD4qzqNEPpa9J vblPkkD+77TR0FYSsLqOjImGbV+rSgAN5SXa4qDphPT9cZ06PVUY+exD0fLiOPHo ONd31YjMrlOw8WiNYnhWpGiE7pMx7MLTe44QDWbpIRIVqOjO8B8p2Hm8MhISpC96 FiZiz5PHw7j7ViEgPnse9tV4vwiQ6yzqcV43xhnBkXB84wM33KatGg== =M5t4 -----END PGP SIGNATURE----- Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f851Z0a22496 for ietf-openpgp-bks; Tue, 4 Sep 2001 18:35:00 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f851YxD22491 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 18:34:59 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3) for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 18:35:02 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p05100318b7bb28e4ba91@[192.168.1.180]> Date: Tue, 4 Sep 2001 18:34:41 -0700 To: ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: SHA-xxx OIDs Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Does someone want to volunteer to double-check the OIDs I have in bis-03 for wide SHA? disastry@saiknes.lv claimed to have found them in an IEEE P1363a draft D7.9. Does anyone have validation that they exist, or know where to look? The URL given for that draft is password-protected, and I hesitate to reference a draft anyway. I've done some poking around and haven't found anything. Jon Received: by above.proper.com (8.11.6/8.11.3) id f851NMC22274 for ietf-openpgp-bks; Tue, 4 Sep 2001 18:23:22 -0700 (PDT) Received: from smtprelay1.adelphia.net (smtprelay1.adelphia.net [64.8.25.6]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f851NAD22265 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 18:23:20 -0700 (PDT) Received: from mwyoung ([24.48.51.230]) by smtprelay1.adelphia.net (Netscape Messaging Server 4.15) with SMTP id GJ612B00.VDK for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 21:20:35 -0400 Message-ID: <003601c135a9$006a5bc0$fac32609@transarc.ibm.com> From: "Michael Young" <mwy-opgp97@the-youngs.org> To: <ietf-openpgp@imc.org> References: <p05100309b7baf2e20a43@[192.168.1.180]> Subject: Re: Fixing the secret keys, and a small apology Date: Tue, 4 Sep 2001 21:20:39 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- From: "Jon Callas" <jon@callas.org> > * Change the String-to-Key specifier. The solution here is adding in the > tag 254 to 3.7.2.1 and have 254 denote an improved S2K. I concur with Jon's analysis and conclusion (favoring a new pre-S2K tag). [It really has nothing to do with the S2K, though... it's the "pre-S2K" byte, and it simply says that the encrypted data (that *follows* the S2K) includes an MDC. But I'll accept it whatever wording is used. :-] -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQEVAwUBO5V9xWNDnIII+QUHAQFeGwgAiDTe0w/rBcoO+5MwKKOq125JW8StofkS J1kUgtTMgPBUAigSpNt1WLsajZk7IuYk+tS470k1PAx/3qj396nKeQ18TqdWNBUA lh1gSNlGeu3q2omFadC+TZTwNpuQpFvyGg9Te/qgYauENSnEaxCaMmRD3ShBEVyJ VPcGVi3qf3Q5E3C4qWnSbk48NBvQ+XbfmvGTQEVE5Ltwj/R/tY7FJReyeRbvzID6 2uHdVN7LzguqPAdPbAS7+jHX+dkWNvzkk9YN2nqQemwjpJz3pZJj/O8bj+Wb9Wy4 D8iYeSlTgHyj7qcHXhgS3SlscIuVLYrHWeuSvhgCL5wk7WRL7sqihw== =eG8B -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id f84MhOY01930 for ietf-openpgp-bks; Tue, 4 Sep 2001 15:43:24 -0700 (PDT) Received: from scuzzy.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84MhND01926 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 15:43:23 -0700 (PDT) Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id BD2362E9BB; Tue, 4 Sep 2001 22:43:20 +0000 (GMT) Message-ID: <3B955908.83752F56@algroup.co.uk> Date: Tue, 04 Sep 2001 23:43:20 +0100 From: Ben Laurie <ben@algroup.co.uk> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org Subject: Re: Reasons to include ECC to our charter References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> <p05100300b7bac4c03376@[63.73.97.180]> <3B954C82.D388947@algroup.co.uk> <p0510030db7bb06f4c163@[192.168.1.180]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > > At 10:49 PM +0100 9/4/01, Ben Laurie wrote: > > >That's precisely the issue - how do we make sure it doesn't assume a > >patented technology if we don't know what the patents are? > > > >Why should this WG spend its time on stuff that may end up patented? By > >all means, once its clear what we can and can't use, then let's proceed. > >Until then, what's the point? > > > > If someone comes up with a layout that supports ECC generically, I'd say go > with it. > > I have no idea how to do that, myself. But if someone else does the work > and convinces us that it's generic, I say go for it. That's also why I said > to do an informational RFC, make a sample implementation, let someone hack > up GPG to work with it, and we'll see. What will we see? Clearly its possible to do - so what's interesting about doing it before we can be sure we can use it? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f84Mf1P01868 for ietf-openpgp-bks; Tue, 4 Sep 2001 15:41:01 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84MexD01860 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 15:40:59 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Tue, 4 Sep 2001 15:40:53 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p0510030eb7bb0795e734@[192.168.1.180]> In-Reply-To: <OE63iEKAajHVBAIWPxg00004ca0@hotmail.com> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> <p05100300b7bac4c03376@[63.73.97.180]> <OE63iEKAajHVBAIWPxg00004ca0@hotmail.com> Date: Tue, 4 Sep 2001 15:40:51 -0700 To: "vedaal" <vedaal@hotmail.com>, <ietf-openpgp@imc.org> From: Jon Callas <jon@callas.org> Subject: Re: Reasons to include ECC to our charter Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 5:56 PM -0400 9/4/01, vedaal wrote: >but that would be a very noticeable increase in speed of encryption of >very large files, >or pgp disk encryption at the gb level of pgp disk size > >agree fully with the principle of including it as an option even though it >is patented. > >once the advantages become clear enough, someone will hopefully find a way >to produce a funtionally similar patentless alternative > ECC does *not* affect the speed of large file encryption. Actually, it's the opposite; it matters most for *small* files. Remember, the bulk encryption is done with a block cipher. If you want it to be fast, you use CAST, Twofish, or Rijndael. All of them are very fast. You might spend 50ms with the public key packet, and then 1 or 2 ms with the data. The symmetric key is then wrapped in the public key encryption. For a small file, you spend a lot of time with the wrapper and then pop open the data packet. With a big file, the heavy cost of the public key operation is a smaller fraction of the total cost, and ECC matters less. ECC is a win when you have teeny processors sending small messages. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f84MbsN01816 for ietf-openpgp-bks; Tue, 4 Sep 2001 15:37:54 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84MbrD01812 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 15:37:53 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Tue, 4 Sep 2001 15:37:47 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p0510030db7bb06f4c163@[192.168.1.180]> In-Reply-To: <3B954C82.D388947@algroup.co.uk> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> <p05100300b7bac4c03376@[63.73.97.180]> <3B954C82.D388947@algroup.co.uk> Date: Tue, 4 Sep 2001 15:34:57 -0700 To: Ben Laurie <ben@algroup.co.uk> From: Jon Callas <jon@callas.org> Subject: Re: Reasons to include ECC to our charter Cc: ietf-openpgp@imc.org Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 10:49 PM +0100 9/4/01, Ben Laurie wrote: >That's precisely the issue - how do we make sure it doesn't assume a >patented technology if we don't know what the patents are? > >Why should this WG spend its time on stuff that may end up patented? By >all means, once its clear what we can and can't use, then let's proceed. >Until then, what's the point? > If someone comes up with a layout that supports ECC generically, I'd say go with it. I have no idea how to do that, myself. But if someone else does the work and convinces us that it's generic, I say go for it. That's also why I said to do an informational RFC, make a sample implementation, let someone hack up GPG to work with it, and we'll see. But all of this has a lot of ifs wrapped around it. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f84M8Pq01350 for ietf-openpgp-bks; Tue, 4 Sep 2001 15:08:25 -0700 (PDT) Received: from hotmail.com (oe63.law3.hotmail.com [209.185.240.79]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84M8OD01346 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 15:08:24 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 4 Sep 2001 14:57:09 -0700 X-Originating-IP: [207.127.12.210] From: "vedaal" <vedaal@hotmail.com> To: <ietf-openpgp@imc.org> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> <p05100300b7bac4c03376@[63.73.97.180]> Subject: Re: Reasons to include ECC to our charter Date: Tue, 4 Sep 2001 17:56:55 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Message-ID: <OE63iEKAajHVBAIWPxg00004ca0@hotmail.com> X-OriginalArrivalTime: 04 Sep 2001 21:57:09.0197 (UTC) FILETIME=[8B4EB7D0:01C1358C] Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 - ----- Original Message ----- From: "Jon Callas" <jon@callas.org> To: <ietf-openpgp@imc.org> Sent: Tuesday, September 04, 2001 5:06 PM Subject: Re: Reasons to include ECC to our charter > Also as a real-world consideration, there's no need for any desktop or > laptop user to use ECC. Do I care if ECC means that a decrypt happens ten > times faster? Nope. The decrypt right now is happening in the blink of an > eye (like 50ms) or two. I'm not going to notice it taking place in a > tenth of an eye-blink. but that would be a very noticeable increase in speed of encryption of very large files, or pgp disk encryption at the gb level of pgp disk size agree fully with the principle of including it as an option even though it is patented. once the advantages become clear enough, someone will hopefully find a way to produce a funtionally similar patentless alternative vedaal -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt build_6_(mdc-fixed) http://www.ipgpp.com/ Comment: { Acts of Kindness better the World, and protect the Soul } Comment: KeyID: 0x6A05A0B785306D25 Comment: Fingerprint: 96A6 5F71 1C43 8423 D9AE 02FD A711 97BA iQEVAwUBO5VOJGoFoLeFMG0lAQNfNQf+JjQ91yKwYzzKymQCMCz9vH4Gzo5pcVpH 5co1x6mqpVzHlq77UtPgphlukG3byCVgCAj0BPryE51izlP2ct8zMJ1lr0L9xKjk yDiA0jGyJBHyiEMqecWq7i5EKwChADbNJdOgxBz2Pk5TPrB2nJStjFoalYHDfxPK AcW6Dw6dTaHWb/IoG2Z7p8+vvF9sfAyjQtjquddm3+gBLqFNdF8TZRgFxlCoG/x7 12qsprcm6NQOlN22jjGXQwTAP7GgLsYZGDF6w6sN2JZ9vyqCG7ijSrTGRvkiJWp3 xmmUjRs3vwHfTQl88rUt6WqI0OCllxs8OertWEG5NDvW5LXtM9Fn+g== =f4EU -----END PGP SIGNATURE----- Received: by above.proper.com (8.11.6/8.11.3) id f84Lnx501030 for ietf-openpgp-bks; Tue, 4 Sep 2001 14:49:59 -0700 (PDT) Received: from scuzzy.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84LnwD01024 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 14:49:58 -0700 (PDT) Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id 985AD2E9BB; Tue, 4 Sep 2001 21:49:54 +0000 (GMT) Message-ID: <3B954C82.D388947@algroup.co.uk> Date: Tue, 04 Sep 2001 22:49:54 +0100 From: Ben Laurie <ben@algroup.co.uk> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Jon Callas <jon@callas.org> Cc: ietf-openpgp@imc.org Subject: Re: Reasons to include ECC to our charter References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> <p05100300b7bac4c03376@[63.73.97.180]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > We aren't going to make ECC a MUST or even a SHOULD. We will try very hard > to make the formats for ECC not favor anyone's implementation. We all know > that. So why don't we encourage some ECC experts to write an informational > RFC, do some interoperability testing, and make sure that it doesn't assume > a patented technology? That's precisely the issue - how do we make sure it doesn't assume a patented technology if we don't know what the patents are? Why should this WG spend its time on stuff that may end up patented? By all means, once its clear what we can and can't use, then let's proceed. Until then, what's the point? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: by above.proper.com (8.11.6/8.11.3) id f84LcBw00885 for ietf-openpgp-bks; Tue, 4 Sep 2001 14:38:11 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84LcAD00881 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 14:38:10 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3) for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 14:38:04 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p05100309b7baf2e20a43@[192.168.1.180]> Date: Tue, 4 Sep 2001 14:28:50 -0700 To: ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Fixing the secret keys, and a small apology Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I screwed up the footers on the last draft, saying 2000 where it should have said 2001 or 2002. Sorry. Now then, one of the remaining things really on our agenda is to discuss fixing the secret key format. There are a few options for a solution we've discussed: * Change the secret key version number and add in a check. The plus here is that it causes the fewest visible changes. The downside is that it causes skew between the public and private versions, and is going to create problems and confusion down the road. Enough people expressed disgust at this that I don't think it needs to be discussed further. * Change the entire public key version number to 5, and add in a check. This is the "right" way to the above. From a standards point of view, this is the most correct way to solve it. However, the downside is that it will force a lot of client software to have to be revised (nigh unto all of it). Secret key packets typically do not wander further from the disk than main memory, and it would be a pity to force everyone to upgrade software everywhere for this. Lots of people just won't. (See my previous note ECC.) I'm probably one of them, too. I am reminded of the aphorism that in theory, theory is the same as practice, but in practice, this turns out not to be the case. While this may be the best solution from a standards point of view, it is arguably the worst one from a practical point of view. * Change the String-to-Key specifier. The solution here is adding in the tag 254 to 3.7.2.1 and have 254 denote an improved S2K. The benefit here is that it causes the least change to user software, and is as secure as anything else. The downside is that if someone uses a cipher algorithm there, then they can't use algorithm 254. However, not only is using a cipher algorithm deprecated, but our present max cipher number is 10. I can't get too upset about this, myself, and it appears this is the best solution. Comments? Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f84L6LR00294 for ietf-openpgp-bks; Tue, 4 Sep 2001 14:06:21 -0700 (PDT) Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84L6KD00290 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 14:06:20 -0700 (PDT) Received: from [192.168.1.180] (64.69.113.115) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3) for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 14:06:11 -0700 Mime-Version: 1.0 X-Sender: jon@merrymeet.com Message-Id: <p05100300b7bac4c03376@[63.73.97.180]> In-Reply-To: <p05100103b7baa69ace04@[129.46.76.229]> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> <p05100103b7baa69ace04@[129.46.76.229]> Date: Tue, 4 Sep 2001 14:06:05 -0700 To: ietf-openpgp@imc.org From: Jon Callas <jon@callas.org> Subject: Re: Reasons to include ECC to our charter Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I'm afraid that I don't see what the hand-wringing is over Certicom and ECC. In the IETF, we forbid technologies with intellectual property encumbrances from being *required*, but we don't forbid them from being optional. In the real world, any new public key system has an uphill battle to gain any sort of acceptance. Look at the DSS/EG keys we have now. They were invented for two reasons: (1) to address security problems in previous key versions (2) to migrate from encumbered technologies to unencumbered ones. Yet in some quarters of the user community, OpenPGP is looked on as if it were fluoridation, for any number of reasons, none of which are really relevant to this discussion. What *is* relevant is that if we put the ECC parameters in OpenPGP, they probably won't be widely adopted, intellectual property or not. So why not put them in, since they don't hurt anyone else? Also as a real-world consideration, there's no need for any desktop or laptop user to use ECC. Do I care if ECC means that a decrypt happens ten times faster? Nope. The decrypt right now is happening in the blink of an eye (like 50ms) or two. I'm not going to notice it taking place in a tenth of an eye-blink. The delays I see in encrypted email are all related to UI and layers and disk accesses and groveling through databases to *find* the darned key. I might notice an improvement if I'm encrypting a message to a dozen or more people, but maybe not. The size savings is utterly laughable. ECC will matter only on constrained devices. If you want to make a OpenPGP secured pager or SMS cell phone, then we're starting to see a reason for ECC. Why not let these people do it interoperably? I can understand some people's concern that the ECC proponents aren't pushing things. But they did. About three years ago, some Certicom guys made a presentation at an IETF meeting (Chicago?) and were basically pelted with tomatoes and hooted out of the room. It was pretty embarrassing. If I worked for Certicom, my reaction to this working group would be, "When you want to talk rationally, email me." We aren't going to make ECC a MUST or even a SHOULD. We will try very hard to make the formats for ECC not favor anyone's implementation. We all know that. So why don't we encourage some ECC experts to write an informational RFC, do some interoperability testing, and make sure that it doesn't assume a patented technology? And then if we like it, we can put it in a future draft, or a follow-on document? We already have reserved PK algorithm numbers for ECC and ECDSA. Jon Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f84IcJp09839 for ietf-openpgp-bks; Tue, 4 Sep 2001 11:38:19 -0700 (PDT) Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84IcHD09585 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 11:38:17 -0700 (PDT) Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id 0B8222C88; Tue, 4 Sep 2001 20:38:17 +0200 (MET DST) Received: id <m15eL8Q-000Qe5C@epsilon>; Tue, 4 Sep 2001 20:41:18 +0200 (CEST) Message-Id: <m15eL8Q-000Qe5C@epsilon> Date: Tue, 4 Sep 2001 20:41:18 +0200 (CEST) To: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> Cc: ietf-openpgp@imc.org From: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de> Subject: Re: AW: Reasons to include ECC to our charter In-Reply-To: <100722F3C53A484B8CF1F14B4F062E9315706D@fra1d001.biodata.org> References: <100722F3C53A484B8CF1F14B4F062E9315706D@fra1d001.biodata.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Dominikus Scherkl <Dominikus.Scherkl@biodata.com>: >>> Certicom may have. Specifically, Certicom claims to have a patent >>> application covering point compression, and noone else really knows >>> what is in it. So it may be prudent to avoid compressed point >>> representations. > I agree to this. Also from a mathematical point of view compression is > somewhat unfortunate, because no proper algorithm for curves over odd > extension fields has been developed. Algorithms for computing square roots in odd-characteristic extension fields do exist (see chapter 7 in Sachar Paulus, "Algorithmen für endliche abelsche Gruppen", Diplomarbeit, Unversität des Saarlandes, 1993), but none of the current specifications (such as the IEEE P1363a drafts) defines what the compression bit should look like. I think the most obvious choice would be, given a polynomial representation of a non-zero field element with coefficients in the underlying prime field, to find the lowest-indexed non-zero coefficient and use its LSB. Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f84FvSO20005 for ietf-openpgp-bks; Tue, 4 Sep 2001 08:57:28 -0700 (PDT) Received: from mage.qualcomm.com (mage.qualcomm.com [129.46.65.64]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84FvRD19999 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 08:57:27 -0700 (PDT) Received: from [129.46.76.229] (dhcp123.qualcomm.com [129.46.76.229]) by mage.qualcomm.com (8.11.3/8.11.3/1.0) with ESMTP id f84FugC20008; Tue, 4 Sep 2001 08:56:43 -0700 (PDT) Mime-Version: 1.0 X-Sender: jwn2@mage.qualcomm.com Message-Id: <p05100103b7baa69ace04@[129.46.76.229]> In-Reply-To: <3B93737C.1A87B234@algroup.co.uk> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> <3B93737C.1A87B234@algroup.co.uk> X-Mailer: eudora51-ffc10713011434 X-PGP-RSA-Fingerprint: EA53 01A6 C076 F9C2 09E8 9480 645A 8857 X-PGP-DH-Fingerprint: 4F5E 56C9 BD4D 0227 331F 6AEE 9590 24F9 6FD7 04F8 Date: Tue, 4 Sep 2001 08:49:04 -0700 To: Ben Laurie <ben@algroup.co.uk> From: John W Noerenberg II <jwn2@qualcomm.com> Subject: Re: Reasons to include ECC to our charter Cc: Bodo Moeller <bmoeller@hrzpub.tu-darmstadt.de>, ietf-openpgp@imc.org, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Florian.Weimer@RUS.Uni-Stuttgart.DE Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> At 1:11 PM +0100 9/3/01, Ben Laurie wrote: >It seems to me entirely unacceptable that we should even be discussing >I-Ds which relate to patents of unknown content. Certicom should either >reveal what they do or do not have pending, or go away. Clearly there is significant interest in ECC in this WG. Unfortunately, Ben is right, IPR issues are always troubling - there can be no mandatory requirements that have IPR restrictions. Still, I have no desire to see this group ignore useful techniques, if it improves the utility of OpenPGP. I'll contact some people at Certicom to see whether this can be definitively settled. If there is no resolution soon, we'll have to drop discussion of it w/r/t to DRAFT status. I may ultimately need some help from the IESG on this. I'll keep you posted. -- john noerenberg jwn2@qualcomm.com -------------------------------------------------------------------------- Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance. -- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974 -------------------------------------------------------------------------- Received: by above.proper.com (8.11.6/8.11.3) id f84EgwO13323 for ietf-openpgp-bks; Tue, 4 Sep 2001 07:42:58 -0700 (PDT) Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f84EguD13314 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 07:42:57 -0700 (PDT) Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.22 #1) id 15eHP8-0008Gv-00 for ietf-openpgp@imc.org; Tue, 04 Sep 2001 16:42:18 +0200 To: ietf-openpgp@imc.org Subject: User ID certificates vs key certificates From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> Date: 04 Sep 2001 16:42:18 +0200 Message-ID: <tgheujaugl.fsf@mercury.rus.uni-stuttgart.de> Lines: 28 User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Sieuwert van Otterloo's paper, 'A security analysis of PGP' (http://www.bluering.nl/pgp/pgp.ps), describes a more general problem in a few OpenPGP implementations (but fails to state that it affects most OpenPGP implementations, not only NAI PGP 5.x to 7.x): OpenPGP defines certificates as (public key, user ID) pairs, but most implementations tend to present 'key certificates', and the mapping from the former to the latter often leaves something to be desired (especially with PGP 2.6.x, but GnuPG, too, is not yet perfect). For example, PGP 2.6.3in prints the following messages for a valid signature created with the key below: Good signature from user "bad test key". Signature made 2001/09/04 13:52 GMT using 1024-bit key, key ID E2BB3EE5 However, only the 'good test key' user ID is certified: pub 1024R/E2BB3EE5 2001-09-04 bad test key sig E2BB3EE5 2001-09-04 bad test key uid good test key sig C06EC3B5 2001-09-04 Florian Weimer #RC=no RA=RUS CR=own# <Florian.Weimer@rus.uni-stuttgart.de> sig E2BB3EE5 2001-09-04 bad test key -- Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 Received: by above.proper.com (8.11.6/8.11.3) id f849GmD23449 for ietf-openpgp-bks; Tue, 4 Sep 2001 02:16:48 -0700 (PDT) Received: from mail1.biodata.com ([62.159.113.2]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f849GlD23445 for <ietf-openpgp@imc.org>; Tue, 4 Sep 2001 02:16:47 -0700 (PDT) Received: from fra1d001.biodata.org ([10.10.1.51]) by mail1.biodata.com with Microsoft SMTPSVC(5.0.2195.2966); Tue, 4 Sep 2001 11:15:49 +0200 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: AW: Reasons to include ECC to our charter X-MimeOLE: Produced By Microsoft Exchange V6.0.4712.0 Date: Tue, 4 Sep 2001 11:15:48 +0200 Message-ID: <100722F3C53A484B8CF1F14B4F062E9315706D@fra1d001.biodata.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Reasons to include ECC to our charter Thread-Index: AcE0dzbH+etp8TeeRgOoF4PA+HR5fAAqFgDg From: "Dominikus Scherkl" <Dominikus.Scherkl@biodata.com> To: "Ben Laurie" <ben@algroup.co.uk> Cc: "openPGP e-Mail (E-Mail)" <ietf-openpgp@imc.org> X-OriginalArrivalTime: 04 Sep 2001 09:15:49.0481 (UTC) FILETIME=[30133590:01C13522] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id f849GmD23446 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hi. > > Certicom may have. Specifically, Certicom claims to have a patent > > application covering point compression, and noone else really knows > > what is in it. So it may be prudent to avoid compressed point > > representations. I agree to this. Also from a mathematical point of view compression is somewhat unfortunate, because no proper algorithm for curves over odd extension fields has been developed. So we better say implementations MAY use it for prime and char-2 based curves instead of SHOULD. > > It seems to me entirely unacceptable that we should even be discussing > I-Ds which relate to patents of unknown content. Certicom > should either reveal what they do or do not have pending, or go away. I'm also somewhat concerned that noone of certicom said any word about the whole discussion over ecc-patents on this list. Even if it's not our job to care which parts of a standard require licences from any corporation to be sold in an implementation, I would be proud to hear for which parts patents are claimed - or else we couldn't insert any hints to these patents in the draft (which would be nice). -- Dominikus Scherkl Biodata Application Security AG mail: Dominikus.Scherkl@Biodata.com Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f83Cc4G23222 for ietf-openpgp-bks; Mon, 3 Sep 2001 05:38:04 -0700 (PDT) Received: from scuzzy.ben.algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f83Cc2D23218 for <ietf-openpgp@imc.org>; Mon, 3 Sep 2001 05:38:03 -0700 (PDT) Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id A12702E9BA; Mon, 3 Sep 2001 12:11:40 +0000 (GMT) Message-ID: <3B93737C.1A87B234@algroup.co.uk> Date: Mon, 03 Sep 2001 13:11:40 +0100 From: Ben Laurie <ben@algroup.co.uk> X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Bodo Moeller <bmoeller@hrzpub.tu-darmstadt.de> Cc: ietf-openpgp@imc.org, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Florian.Weimer@RUS.Uni-Stuttgart.DE Subject: Re: Reasons to include ECC to our charter References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> <m15d9Cc-000Qe5C@epsilon> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Bodo Moeller wrote: > A caveat is that we do not know about additional pending patents that > Certicom may have. Specifically, Certicom claims to have a patent > application covering point compression, and noone else really knows > what is in it. So it may be prudent to avoid compressed point > representations. It seems to me entirely unacceptable that we should even be discussing I-Ds which relate to patents of unknown content. Certicom should either reveal what they do or do not have pending, or go away. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: by above.proper.com (8.11.6/8.11.3) id f81Bb5d18137 for ietf-openpgp-bks; Sat, 1 Sep 2001 04:37:05 -0700 (PDT) Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f81Bb3D18133 for <ietf-openpgp@imc.org>; Sat, 1 Sep 2001 04:37:04 -0700 (PDT) Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id 963FD2CA7; Sat, 1 Sep 2001 13:36:52 +0200 (MET DST) Received: id <m15d9Cc-000Qe5C@epsilon>; Sat, 1 Sep 2001 13:44:42 +0200 (CEST) Message-Id: <m15d9Cc-000Qe5C@epsilon> Date: Sat, 1 Sep 2001 13:44:42 +0200 (CEST) From: bmoeller@hrzpub.tu-darmstadt.de (Bodo Moeller) To: ietf-openpgp@imc.org, pgut001@cs.auckland.ac.nz (Peter Gutmann), Florian.Weimer@RUS.Uni-Stuttgart.DE Subject: Re: Reasons to include ECC to our charter In-Reply-To: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> References: <200108101342.BAA232398@ruru.cs.auckland.ac.nz> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Peter Gutmann <pgut001@cs.auckland.ac.nz>: > Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>: >> IIRC, not all ECC stuff is patented, only curves over GF(q), q even, which can >> be implemented efficiently using two-valued logic. > The rule of thumb for ECC is something like "ECC curves are divided into three > groups, weak curves, inefficient curves, and curves patented by Certicom". While Certicom certainly would like everybody to believe this, there is few evidence that it is true. Apart from patents on specific cryptographic schemes, most patents relevant for ECC are on normal bases for GF(2^m), which were originally thought to be useful because they allow for very efficient implementation in custom-made hardware, but turned out to be pretty irrelevant in practice. (None of the recommended curves in Certicom's recent SEC2 specification uses normal bases.) Curves over finite prime fields or curves over GF(2^m) when field elements are represented using polynomial bases do not appear to have such patent problems. (Major manufacturers of cryptographic coprocessors for smartcards implement these without worrying about Certicom licences.) For software implementations, they are not automatically more time efficient than using conventional public key cryptography in DSA-style groups, though. The two important speed-up techniques that can be used for the NIST recommended curves are due to Jerry Solinas (NSA, not Certicom): All NIST recommended curves over prime fields are based on specifically chosen primes (pseudo-Mersenne primes) to allow for fast modular reduction; some of the NIST recommended curves over GF(2^m) are Koblitz curves to allow for fast point multiplication (see Jerry Solinas' CRYPTO '97 paper). This makes ECC efficient in software without, as far as I am aware, requiring any Certicom patent licences. A caveat is that we do not know about additional pending patents that Certicom may have. Specifically, Certicom claims to have a patent application covering point compression, and noone else really knows what is in it. So it may be prudent to avoid compressed point representations.
- SHA-xxx OIDs Jon Callas
- Re: SHA-xxx OIDs Edwin Woudt
- Re: SHA-xxx OIDs Bodo Moeller