[openpgp] Notes from OpenPGP meeting at IETF 115

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 08 November 2022 17:50 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Date: Tue, 08 Nov 2022 12:50:05 -0500
Message-ID: <87sfit8hf6.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/EyFFQYjCTe4pA6AocfXka3CijYw>

Today we had an OpenPGP meeting at IETF 115.  We had a good discussion
of issues that have come up during WGLC for
draft-ietf-openpgp-crypto-refresh.

You can find more details about the meeting here:

  Materials: https://datatracker.ietf.org/meeting/115/session/openpgp

  Video recording: https://play.conf.meetecho.com/Playout/?session=IETF115-OPENPGP-20221108-1300

Many thanks to Aron Wussler and Rick van Rein for taking notes which i'm
reproducing here below!  I've adjusted the formatting, filled in a few
spots that were thin, and normalized them a bit, hopefully without
introducing too many errors.

If you have any edits to make in the notes, please reply here (either to
me privately, or on-list) and i'll revise the notes stored in the
datatracker at the materials link above.

All the best,

    --dkg


----------------

# IETF-115 OpenPGP WG

- Tuesday Nov 8th, 1300-1430 UTC
- (Richmond 1 room)

Co-chairs: Stephen Farrell, Daniel Kahn Gillmor
Notetakers: Aron Wussler, Rick van Rein

# Agenda:

## Intro (chair, 5 mins)

  - Need draft readers; 3 in the room + 1 remote are pretty familiar with draft-ietf-openpgp-crypto-refresh-06 or draft-ietf-openpgp-crypto-refresh-07; that is too few.
  - Volunteers to send more reviews:
      - Robin Wilton
      - Rick van Rein
      - Jonathan Hammell
      - Daniel Huigens

### Avoiding conflicts with draft-koch-openpgp-rfc4880bis-00
  - Both define a key v5 and sig v5, but are different
  - Paul: we should not allow IANA registry squatting
  - Aron: V5 signature and keys are not deployed yet, deconflicting is not necessary
  - Daniel: Werner Koch hinted on the mailing list at being open to changes for keys and sigs, since they are not implemented yet. For keys and sigs the conflict does not exist yet.
  - dkg: Proposal to bump PKESK, OPS, Sig, and Keys to v6
  - Paul: let's not start a race to the latest version
  - Roman: what's the issue with a "race to the latest version"?
  - POLL: 13 for moving to v6, 0 against
  - Daniel: We should still reach out to Werner to ensure that he's not willing to adapt v5
  - Action: sftcd to reach out to Werner about v5 changes

### Salt length
  - v5 sigs use 16 octet salt, enlarge in preparation of PQ sigs?
  - Aron: Bind sig salt size to signature hash ID
  - dkg: Variant: Column in hash algs table, with a length of the salt for that hash. Introduce new hashes when going PQ (that are the same as the old ones but with higher collision resistance). Withdrawn.
  - Options: 1. keep as-is 16 octets; 2. salt size bound to sighashid; 
  - POLL: 15 choose hash-bound salt size; 1 person chooses keep at 16, because 16 is big enough
  - Action: Aron volunteers to make a PR for this

### Aliased Signature Versions
  - v5 sigs over data < 4GiB can be turned into a v3 sig, sometimes also v4 sig, over subtly different data
  - cause is in old v3 format (deprecated), a modified v5 can at least be distinguished from v4
  - POLL: change v5 signature trailer to avoid aliasing. in favor: 8, opposed: 2
  - Action: dkg volunteers to make a PR

### Contexts for Encryption and Sigs
  - to allow separation of applications' uses of OpenPGP
  - doing this in an interoperable way (registry of known contexts; definitions of how to derive context string for each context; peer signalling support) raises a fair amount of complexity.
  - If we publish nothing but the "default" context string, that is similar to what we already have, but interop risks
  - if a registry of even one context, string derivation, and signalling mechanism are well-defined, should be easy to adopt a non-default approach in the future.
  - Kick this can down the road?
  - no poll

### EC point wire formats
  - ECDH and ECDSA pubkeys can move to x-coordinate only
  - Aron: Opposes, only representational, small savings, but adds complexity and breaks the previous format
  - POLL: 0 votes for change, 9 votes against, keep the status quo

### IANA updates
  - Aron: I-D is the desired publication format for "specification required"
  - Version Numbers and Packet Types are special: RFC required; any type will do
  - Guidance for Expert Review: Open, stable, likely to foster interoperability
  - Are there registries so small that numbers are scarce?  Otherwise "specification required" will do
  - Action: Stephen and dkg write a text proposal to capture this

## Non-WG items, potential work if re-chartering

### PQC (Aron Wussler, 15 mins)
  - Composite multi-alg (classic+PQC)
  - Seek input: algorithms, binding sigsaltsize to hash ID, binding hashfunction to hash ID