IETF Logo Mail Archive

Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)

Justus Winter <justus@sequoia-pgp.org> Tue, 07 June 2022 13:24 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEF74C13C2CE for <openpgp@ietfa.amsl.com>; Tue, 7 Jun 2022 06:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MSGID_FROM_MTA_HEADER=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kDZQ8uqNKse8 for <openpgp@ietfa.amsl.com>; Tue, 7 Jun 2022 06:24:29 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C40C7C13C2DE for <openpgp@ietf.org>; Tue, 7 Jun 2022 06:24:27 -0700 (PDT)
Received: (qmail 11582 invoked by uid 500); 7 Jun 2022 13:24:24 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
From: Justus Winter <justus@sequoia-pgp.org>
To: Paul Wouters <paul@nohats.ca>, Werner Koch <wk@gnupg.org>
Cc: openpgp@ietf.org
In-Reply-To: <1378eec-4255-930-736-ffd27f292d48@nohats.ca>
References: <165453577116.17285.7902041139949315015@ietfa.amsl.com> <87tu8xkjx4.fsf@wheatstone.g10code.de> <1378eec-4255-930-736-ffd27f292d48@nohats.ca>
Date: Tue, 07 Jun 2022 15:24:15 +0200
Message-ID: <87fskgy5c0.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: --
X-Rspamd-Report: MIME_GOOD(-0.2) SIGNED_PGP(-2) BAYES_HAM(-0.003684)
X-Rspamd-Score: -2.203684
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/2.8.28) with ESMTPSA; Tue, 07 Jun 2022 15:24:24 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/OkjMvJKjh0X6C8py2NOj69ZIFjg>
Subject: Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2022 13:24:33 -0000

Paul Wouters <paul@nohats.ca> writes:

> On Tue, 7 Jun 2022, Werner Koch wrote:
>
>>   The WG once decided to go with EAX and OCB.  EAX was only added to
>>   avoid possible patent problems.  However, in the 4.5 years since the
>>   introduction of EAX the patent things has expired was invalidated and
>>   before the new mode will will be a MUST algorithm in a future OpenPGP
>>   RFC (not in 4880bis), there will definitely be no more problem at all
>>   with OCB.  I bet that by then an updated FIPS-140 will even allow
>>   OCB.
>
> If we have more indication than only your bet, that might be a persuavive
> argument. But right now, GCM is the only FIPS compatible method. So I
> think removing that would be problematic.

We have customers that care about FIPS, and we need a FIPS-compatible
subset of OpenPGP now, rather than wait and hope that some existing
algorithm like OCB will become FIPS-compliant in the future.

>> 2. The removal of the Brainpool curved, as already explicitly listed in
>>   early RFC-4880bis drafts, is not acceptable.  It may even raise
>>   suspicions that a TLA was somehow involved to keep NIST curves but
>>   not Brainpool.  Note I won't share such an opinion, but with crypto
>>   algos we also need to look at such political things.

There are open questions around Brainpool that needs answering.  For
example, why isn't brainpoolP384r1 included?  How do we encode points
and scalars?

Not cherry-picking the commit that partially added Brainpool support to
the bis is the design-team's way of looking for someone to answer these
questions in a constructive fashion.

Justus

v2.23.0 | Report a Bug | By Email