Re: [openpgp] Must-Implement Algorithms (was:Summary of WG status)

"brian m. carlson" <sandals@crustytoothpaste.net> Fri, 14 July 2017 00:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/NwNYEVnrxlG_F8_QbkHUxL9cUNM>

On Thu, Jul 13, 2017 at 09:47:00AM +0200, Werner Koch wrote:
> On Thu, 13 Jul 2017 00:38, sandals@crustytoothpaste.net said:
> 
> > 3DES is still the must-implement encryption algorithm.  AES128 seems
> > like the logical choice here, since it's already MTI because of ECDH.
> 
> I am fine with that choice.
> 
> There is also the suggestion to make AES-nnn mandatory and 3DES optional
> when used with v5 keys.  I would be in favor of that; I don't care
> whether this is AES-128 or AES-256.

I think that's a good idea.  AES-128 seems like the obvious choice to
make MTI because of ECDH, and I anticipate almost all implementations
will support AES-256 as well.

> > I suggest that we make the AEAD mode, whatever we pick, mandatory as
> > well.
> 
> We can only do that when used with v5 keys.  We can't do that in
> general.

Mandatory to implement, yes.  Mandatory to use, no.  We also have to
consider that someone might encrypt data to both v4 and v5 keys, in
which case they might have to fall back down to MDC.  We probably need a
feature flag for AEAD packets like we have with MDC.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
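
The fallback discussed in the message above, sketched as an added example that is not part of the original post or of any OpenPGP implementation: a sender encrypting to several keys uses AEAD only if every recipient advertises it, otherwise drops to MDC, and picks a cipher all recipients accept. The AEAD feature bit value, the per-version must-implement cipher and the refusal to send without integrity protection are assumptions of this sketch; the algorithm IDs and the MDC bit are from RFC 4880.

```python
from dataclasses import dataclass, field

TRIPLE_DES, AES128, AES256 = 2, 7, 9   # RFC 4880 section 9.2 algorithm IDs
FEATURE_MDC = 0x01    # RFC 4880 Features subpacket: modification detection
FEATURE_AEAD = 0x02   # hypothetical bit for the AEAD flag proposed in the thread


@dataclass
class Recipient:
    key_version: int                 # 4 or 5
    features: int                    # first octet of the Features subpacket
    sym_prefs: list = field(default_factory=list)  # most preferred first


def accepted_ciphers(r):
    """Stated preferences plus the implicit must-implement cipher.

    Assumption taken from the thread: AES-128 is MTI for v5 keys, 3DES for v4.
    """
    mti = AES128 if r.key_version >= 5 else TRIPLE_DES
    return r.sym_prefs + ([] if mti in r.sym_prefs else [mti])


def choose_protection(recipients):
    """AEAD only if every recipient advertises it, otherwise fall back to MDC."""
    if all(r.features & FEATURE_AEAD for r in recipients):
        return "AEAD"
    if all(r.features & FEATURE_MDC for r in recipients):
        return "MDC"
    # Policy of this example: never emit unauthenticated ciphertext.
    raise ValueError("a recipient advertises neither AEAD nor MDC")


def choose_cipher(recipients):
    """First cipher in the first recipient's order that all recipients accept."""
    common = set.intersection(*(set(accepted_ciphers(r)) for r in recipients))
    for algo in accepted_ciphers(recipients[0]):
        if algo in common:
            return algo
    raise ValueError("no symmetric cipher common to all recipients")


def plan_message(recipients):
    if not recipients:
        raise ValueError("no recipients")
    return choose_protection(recipients), choose_cipher(recipients)
```

The last failure case matters for the "3DES optional with v5 keys" suggestion: a v4 key with no stated preferences accepts only 3DES, so a mixed v4/v5 recipient set can end up with no common cipher.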