Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

[Paul Wouters <paul@nohats.ca>]

On Mon, 30 Oct 2017, Derek Atkins wrote:

> On Mon, October 30, 2017 3:22 pm, Paul Wouters wrote:
>
>> It was an example of how some people having IDEA and other not having it
>> causes interop issues to the point that I need to manually hack my
>> implementation to talk to those people.
>
> Yes, and IMHO, IDEA should get added back in.  In this day and age there
> is zero reason to prohibit it.

You miss my point. Implementors made decisions and as a result, non-expert
endusers ended up not being able to send each other encrypted email. I
am sayong don't repeat that mistake.

> Note that it's not "PEOPLE" who are choosing them, per se.  It's the
> implementers, who one would think would have a better idea of what to
> implement and why.

That still does not help much against someone using a new algorithm and
someone else using old software that does not have that algorithm.

How long does it take for any now added algorithm to be commonly
supported? By paranoid people who dont want to upgrade their offline
systems? :)

> Maybe that implementer is doing something privately, but still wants to do
> it in a standard way.  We should let them.

That's what private number ranges are for.

> Maybe the implementer who wants to add OCB doesn't care if your
> implementation can read it, because your implementation is very unlikely
> to ever see an OCB message.  Why do you want to say that they may not do
> that (which is what you're saying by implying that your implementation
> must support every feature and that the protocol may not support features
> that your implementation does not support).

As long as you can detect the support when you have the public key, that's
probably okay. But that's still a weak argument to allow vanity
algorithms, as it will still increase the chance that multiple parties
don't share those in their implementation.

And how does this work when my phone supports some algorithms, and my
laptop supports other. How do I announce that in my public key? It
looks like you'd be forced to only publish the shared algorithms. I
wouldn't even know how to announce that.

>>> But if the protocol does NOT support some methods
>>> it might prevent some users from using the protocol.
>>
>> Which is a good thing?
>
> No.  It's not.  We should encourage people to use OpenPGP.  It's a great
> protocol, and anything we do that prohibits adoption is a bad thing.

Swiss army knives are great tools. Raise your hand if you never cut
yourself with one.

> I'm running OpenPGP specifically because the data formats are smaller and
> easier to generate/parse than X.509, so I *CAN* actually run it in an IoT
> device.  Of course I'm extremely limited in what methods I support, but I
> happen to control both ends of the communication so I can work in an
> enclave and control the implementation.
>
> This is exactly why we should be open in what we accept.  In my case, I
> don't care if your implementation does not support my methods, but I want
> to ensure that I can implement my methods in a standard way such that it
> wont interfere with you (and you wont interfere with me).

Ok, well if all of that needs to be supported I guess we will be cursed
with an amount of failure as the price to pay for the freedom to
shoehorn openpgp on everything. I still think it is wise to try and
limit the number of algorithms with similar cryptographic and
architectural properties.

Paul