[openpgp] To bind or not to bind

Aron Wussler <aron@wussler.it> Thu, 21 March 2024 20:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/a1D8Sivi1lk_22yBETE0QSqN8aU>

Hello list,

Here's the follow-up on the dilemma we had at the IETF 119 session, whether PQC encryption should be bound to V6 or allowed with V4.

Note that this translates into two different issues:

 (1) Whether PQC encryption algorithms can be used only in v6 keys
 (2) Whether PQC encryption algorithms can be used only with SEIPDv2

Note that (2) implies (1).

Please provide feedback on your preferences, use-cases, and motivations!

At the session the following arguments were already raised:
 - (1) may be justified because some implementations fail to parse keys [1]. The 3rd line of this plot (Unknown algo, opaque encoding, small) is particularly relevant, as it would be equivalent to attaching an ML-KEM + X25519 subkey to an existing v4 certificate. All V6 implementations are required not to choke on unknown algorithms.
 - TLS disallowed PQC in version 1.2 to promote the migration to 1.3
 - (2) implies a new failure mode for OpenPGP, where a message cannot be sent to two different recipients having a v4 and a PQC key.

Cheers,
Aron

[1] https://tests.sequoia-pgp.org/#Mock_PQ_subkey


--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930