Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,

Daniel Kahn Gillmor <> Thu, 24 June 2021 15:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D3783A2122 for <>; Thu, 24 Jun 2021 08:40:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.b=IXirzcCU; dkim=pass (2048-bit key) header.b=Ka+p47uA
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KROGXUfBEgqT for <>; Thu, 24 Jun 2021 08:40:37 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8CCAC3A211F for <>; Thu, 24 Jun 2021 08:40:37 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple;;; q=dns/txt; s=2019; t=1624549236; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=VVYpZZ/oCP6TJShyz/ij78niPMxMj7IOvGn9o+kmBpk=; b=IXirzcCU5u0eWELo/yGOqk1Nexif0dUbCS9n0QmVcXt0NqyTg2LuUBY4/kcj0SbX7PN3a qkH2vpP3SX6EZbVBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; q=dns/txt; s=2019rsa; t=1624549236; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=VVYpZZ/oCP6TJShyz/ij78niPMxMj7IOvGn9o+kmBpk=; b=Ka+p47uA1/eFQtV+nY8zIVG5WJNglVCpCSNdKR3LWPq6woPx1ztwthnrdnutSfSED21tD eh4Q5zqIiqBLUUHiYASgx5xjRKrV/GwLDCQBESbp9JcGZI/6zaAhZsLNQz6PnTVdV0IJZa+ Z/aweMsdIoW7WPz2BNWzrXB6gnB/2DQZmpPVxhOVF5McsOG4XI05zCEoH3ZqAa36FqSOOCt c063lSUTEDPiLVdyilJflBq4rjegnH2xJGs3vvIKSBj6rLP1/uvwnqzUeQ/KMx6+Ek363fr u9WARS+xNFbBq/s06Ys9BLtHQ23zj0aes5C0asIpdTiaoUlG4SB8uL3CG33g==
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPSA id 1CB68F9A6; Thu, 24 Jun 2021 11:40:36 -0400 (EDT)
Received: by (Postfix, from userid 1000) id E46E220554; Thu, 24 Jun 2021 11:40:22 -0400 (EDT)
From: Daniel Kahn Gillmor <>
To: Kai Engert <>,
In-Reply-To: <>
References: <>
Autocrypt:; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Thu, 24 Jun 2021 11:40:21 -0400
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <>
Subject: Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jun 2021 15:40:43 -0000

Thanks for the heads up about this, Kai!

On Thu 2021-06-24 15:52:06 +0200, Kai Engert wrote:
> I've posted some information on it on the Thunderbird planning mailing 
> list, see the following thread, which has multiple messages from me:
> In my understanding they intend to pay a contractor for a wide set of 
> tasks to bring PQC to Thunderbird, including the work to standardize the 
> use of PQC with OpenPGP, including implementations for RNP, Botan, GnuPG 
> and libgcrypt.

I appreciate your providing an English summary of the call for
contractors.  I'm glad that the BSI is interested in this topic -- i am
too, though i share Derek's concerns about whether standardization is
premature given the state of PQ cryptanalysis.  I'm a little surprised
to see the BSI simultaneously proposing standardization of PQ schemes in
OpenPGP *and* advocating for implementation of a specific scheme.  I'd
expect the standardization to involve selecting which PQ scheme(s) seem
reasonable for the context, rather than pre-determining the scheme for

If we can get the crypto refresh done relatively soon, it would be a
great way to demonstrate that we are ready as a community to figure out
how to get PQ mechanisms mixed into OpenPGP.  And, as the thread from
earlier this week discussed, one of the ways that we're likely to see
proposals for PQC to work would be to have multi-key combinations -- so
that we don't introduce a relatively new algorithm that makes things
weaker than the established traditional asymmetric crypto; this
requires some nuance and planning that are not part of the simple
"crypto refresh" mandate we have right now.

I'd welcome the BSI to send their own members (and/or delegates) to the
WG to talk about their goals and plans, but i'd hope it wouldn't
interfere with the current chartered work.