Re: [openpgp] v5 in the crypto-refresh draft
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 06 June 2021 15:12 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4BA3A1E40 for <openpgp@ietfa.amsl.com>; Sun, 6 Jun 2021 08:12:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=zZsmX+aJ; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=4eljZ4dC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUrgFIFZj0sZ for <openpgp@ietfa.amsl.com>; Sun, 6 Jun 2021 08:12:30 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC923A1E3D for <openpgp@ietf.org>; Sun, 6 Jun 2021 08:12:30 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1622992347; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=CVbZ3P3p2b6+YLZbQqlnrAcrtBqf56SXH6X3vTA25To=; b=zZsmX+aJfuLZXdFqX3yt9BCMx3yXa33D+K8pEcUIaLdnH/+ywGwy5QBO46WULZbJgDb/s Dm5WwxjKPwlWr50Cg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1622992347; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=CVbZ3P3p2b6+YLZbQqlnrAcrtBqf56SXH6X3vTA25To=; b=4eljZ4dC46/fKT4L6vj7tEJ8dSkYUoUvLNYv4F1EdRyXyrgcomfBGYEmh5e+Z3Rr6ujC8 zUHzVy2HmqlaubZJEgpdS0tWbVRpuKjycz3UkeoTd1aV1J4E5aPKeh8v1tLK1Fg4Q3121F+ wRQe8n/H8Nm8KjoLo35QXguLSg6Ya9DfN9oKwHJRs13G3tbtujXDZuIfYdQkDi7ExrA1LFS RuHC0eAgKBHScBL00bEuHgCtUuI3auva91epyQ3tTr1C0wnmBGuzwpdMfobJsvCq3b5JLFF SjvCR0TasC1vqRFDxxyGCRwcPCXGiGVvAtQ54owBb7Z0InuLtyO7YWvMjI1Q==
Received: from fifthhorseman.net (ip68-0-212-178.ri.ri.cox.net [68.0.212.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 9B6CAF9A5; Sun, 6 Jun 2021 11:12:27 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 274CA204D8; Sun, 6 Jun 2021 11:01:09 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>, openpgp@ietf.org
In-Reply-To: <14974.1622924947@localhost>
References: <87lf7q6sh0.fsf@fifthhorseman.net> <376548.1622830236@dooku> <87v96sqke0.fsf@fifthhorseman.net> <14974.1622924947@localhost>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Sun, 06 Jun 2021 11:01:08 -0400
Message-ID: <87mts3qbpn.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/OHlKE76IZKUxW4IAHWLKl1ioxL4>
Subject: Re: [openpgp] v5 in the crypto-refresh draft
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Jun 2021 15:12:36 -0000
On Sat 2021-06-05 16:29:07 -0400, Michael Richardson wrote: > Assume in the future that we have keys larger than 64K octets. We are doing > that, not because there has been a quantum event, but because we are preparing for it. > We may still not even be sure which PQ scheme is the right one. I think these are the right assumptions. > (There are multiple keys present, and possibly multiple signatures over both > end-user-data, and over keys) Each "key signature" (certification) is its own OpenPGP packet, right? and the context we're talking about here is a hash context that is used to calculate a key signature. While there is some zoomed-out view that might well have multiple signatures, and there might be other data signatures that happen over collections of information that do include keys, those contexts aren't relevant for this specific calculation. If the concern is how to "skip over" an artifact from an algorithm that you don't understand, i don't think this increased size field is relevant, because any implementation can just "skip over" the signature by skipping to the end of the signature packet (whose length is already known; this field doesn't appear on the wire), or not calculating the digest itself at all. > A v5-capable tool, which does not speak these new formats can still process > the packets. It could also verify that these large keys are signed by our > legacy algorithms. yes, i agree with this, though it is not "skipping over" -- it's "preparing for certifications of larger keys". We still don't know whether this is *sufficient* for dealing with whatever eventual PQ algorithm arises, but i agree with you that it seems to be *necessary* to handle them. It might be worth including change (2) as a precautionary gamble, since it doesn't appear to have any downside other than a slightly tweaked codepath during certification creation and verification. What do other folks in the WG think? --dkg
- [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Huigens
- Re: [openpgp] v5 in the crypto-refresh draft Michael Richardson
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Paul Wouters
- Re: [openpgp] v5 in the crypto-refresh draft Michael Richardson
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Paul Wouters
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Nickolay Olshevsky
- Re: [openpgp] v5 in the crypto-refresh draft Peter Pentchev
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Peter Pentchev
- Re: [openpgp] v5 in the crypto-refresh draft Michael Richardson
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Paul Wouters
- Re: [openpgp] v5 in the crypto-refresh draft Justus Winter
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor
- Re: [openpgp] v5 in the crypto-refresh draft Peter Gutmann
- Re: [openpgp] v5 in the crypto-refresh draft Daniel Kahn Gillmor