Re: [openpgp] First remarks on the last I-D

Jon Callas <joncallas@icloud.com> Sat, 11 June 2022 22:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Z56qX2XMOYJasWoFBlhBvPy5FUo>

As charming as it is to be considered an authority, I decline it. Moreover, my advice on this issue is merely to be careful, especially with GCM. GHASH is brittle as all heck; someone's going to get it wrong and it will be a brouhaha we don't need. I think our past foray into Elgamal signatures is relevant, as it was also something cool but brittle and it blew up in our face.

That cascades into the FIPS 140 issue, and that that's actually important for widespread use of the standard, particularly because there are related standards worldwide that either directly descend from FIPS 140, or people wanted something better. That larger goal does not *require* GHASH. There are plenty of other options: OCB if we need the speed (I don't think we do); CCM is safe and boring and explicitly on lots of lists; EAX is just fine, it's just a spite mode; rolling one's own check with CMAC/OMAC or HMAC is also totally fine; SIV is also nice. Pick two.

In as much as I am an authority, my advice is to err on the side of safety. Peter used to make the wonderful snarky comment that OpenPGP would do whatever the new thing was. That made sense in the nineties and aughties. It's no longer a good strategy. Moreover, we are no longer in an era where memory sizes are as constrained as they were. The hot microcontroller of our era is the Cortex M0, not the 8051. I recently worked on a project that had an M0+ with an AES core alongside it. It was so nice not to have to bend into a pretzel to get decent security.

Anyway, brittle things *will* bite us in the ass, we know this because when we were clever in the past, we got bitten in the ass by our own cleverness. Go pick something safe, there are plenty of options.

	Jon