[openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
Werner Koch <wk@gnupg.org> Tue, 07 June 2022 07:34 UTC
From: Werner Koch <wk@gnupg.org>
To: openpgp@ietf.org
Date: Tue, 07 Jun 2022 09:32:55 +0200
In-Reply-To: <165453577116.17285.7902041139949315015@ietfa.amsl.com> (internet-drafts's message of "Mon, 06 Jun 2022 10:16:11 -0700")
Message-ID: <87tu8xkjx4.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bk1cltCWwhjT71UT5LmFywVqIkE>
Hi!

I have a few brief remarks on the new I-D and the crypto-refresh series in general by the design team (DT). I am listed as Editor, a role which I did not want to take up again when we had the first talks about relaunching the WG and starting a DT in January 2021. However, Stephen and Paul said that they want to have me in, even if Paul agreed to do the actual work.

I have not been involved in the design team since last October due to my time constraints. Back then it seemed that all contentious parts had been solved and only a few editorial changes, the introduction of X448, and updated IANA considerations were missing. Later it turned out that we also need to fix the private key protection scheme. However, the DT added a lot more things in the meantime, which was pretty surprising to me.

The parts of the new I-D which I strongly disagree with are:

1. The new AEAD scheme. It seems that this new scheme was introduced for the benefit of allowing GCM as yet another encryption mode. GCM is a counter mode and, as can be seen by the large changes required, hard to get right. We do have GCM now in CMS because Microsoft decided to go this way. However, OpenPGP has taken its own decisions based on technical soundness and not based on larger vendor, government or committee decisions. The WG once decided to go with EAX and OCB. EAX was only added to avoid possible patent problems. However, in the 4.5 years since the introduction of EAX the patent has expired or was invalidated, and before the new mode will be a MUST algorithm in a future OpenPGP RFC (not in 4880bis), there will definitely be no more problem at all with OCB. I bet that by then an updated FIPS-140 will even allow OCB.

   Thus my suggestion: Drop all those new AEAD ideas and use what has been deployed and agreed upon in this very WG a long time ago. Further, turn OCB into MUST and EAX into MAY (for backward compatibility with deployed implementations).

2. The removal of the Brainpool curves, as already explicitly listed in early RFC-4880bis drafts, is not acceptable. It may even raise suspicions that a TLA was somehow involved to keep NIST curves but not Brainpool. Note I won't share such an opinion, but with crypto algos we also need to look at such political things. Thus please immediately issue -07 with Brainpool re-added.

There are probably other things I will eventually comment on. That will take more time due to the hard to handle merge request style development by the DT, in contrast to the former step by step draft release and discuss process.

Salam-Shalom,

   Werner

ps. I am not sure whether having one of the chairs being the main contributor to the crypto-refresh draft was actually helpful. Even if a large amount of his commits are due to his re-formatting of the source code.

  $ git shortlog -sn   # That's for crypto-refresh-06.txt
   190  Daniel Kahn Gillmor
   104  Werner Koch
     5  Heiko Stamer
     4  brian m. carlson
     3  Paul Wouters
     3  Ronald Tse
     2  Derek Atkins
     2  Vincent Breitmoser
     1  Clint Adams
     1  Guillem Jover
     1  NIIBE Yutaka
     1  Paul Wouters ☕️

  $ git shortlog -sn 5db9fe2   # That's for rfc4880bis-10
   101  Werner Koch
    24  Daniel Kahn Gillmor
     5  Heiko Stamer
     4  brian m. carlson
     3  Ronald Tse
     2  Derek Atkins
     1  Clint Adams
     1  Guillem Jover
     1  NIIBE Yutaka
     1  Vincent Breitmoser

--
The pioneers of a warless world are the youth that refuse military service.
  - A. Einstein
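The message above calls GCM "a counter mode" that is "hard to get right". The following is an added illustration of the counter-mode property behind that remark; it is not code from the I-D, from GnuPG, or from the mailing list. It uses Go's standard-library AES-GCM with a constructed key, a constructed nonce and two constructed plaintexts (all hypothetical values chosen for the demo). Sealing two messages under the same key and nonce yields ciphertexts whose XOR equals the XOR of the plaintexts, because the CTR keystream cancels; the authentication tag does nothing to prevent this. The same nonce-uniqueness requirement applies to any nonce-based AEAD, so the example is about what a single nonce reuse costs, not a comparison of modes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values (hypothetical, not from the I-D or any implementation).
// The whole point of the demo is that demoNonce is used twice under demoKey.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoNonce = []byte("same-nonce!!")                     // 12 bytes: GCM standard nonce size
	msgA      = []byte("Transfer 100 EUR to account 4711")
	msgB      = []byte("Transfer 900 EUR to account 9999")
)

// newGCM builds an AES-GCM AEAD over the given key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CiphertextXOR seals a and b under the SAME key and nonce and returns the
// XOR of the two ciphertext bodies (tags stripped). Because GCM encrypts in
// CTR mode, both bodies are plaintext XOR the same keystream, so the
// keystream cancels and the result equals a XOR b.
func CiphertextXOR(key, nonce, a, b []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ca := aead.Seal(nil, nonce, a, nil) // body || 16-byte tag
	cb := aead.Seal(nil, nonce, b, nil)
	tag := aead.Overhead()
	return xorBytes(ca[:len(ca)-tag], cb[:len(cb)-tag]), nil
}

// RecoverWithCrib is the attacker's side: given ct_A XOR ct_B and a guess
// (crib) for plaintext A, plaintext B falls out with no key material.
func RecoverWithCrib(xored, crib []byte) []byte {
	return xorBytes(xored, crib)
}

// TagsStillVerify shows that both ciphertexts still open cleanly: the
// authentication tag detects tampering, not nonce reuse.
func TagsStillVerify(key, nonce, a, b []byte) (bool, error) {
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	for _, pt := range [][]byte{a, b} {
		ct := aead.Seal(nil, nonce, pt, nil)
		got, err := aead.Open(nil, nonce, ct, nil)
		if err != nil || !bytes.Equal(got, pt) {
			return false, err
		}
	}
	return true, nil
}

func main() {
	x, err := CiphertextXOR(demoKey, demoNonce, msgA, msgB)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ct_A XOR ct_B == pt_A XOR pt_B: %v\n", bytes.Equal(x, xorBytes(msgA, msgB)))
	fmt.Printf("plaintext B recovered from crib A: %q\n", RecoverWithCrib(x, msgA))
	ok, _ := TagsStillVerify(demoKey, demoNonce, msgA, msgB)
	fmt.Printf("both ciphertexts still authenticate: %v\n", ok)
}
```

Run it with `go run`. The check that matters in practice is the one a reviewer applies to an AEAD packet format: whether the construction guarantees that a (key, nonce) pair is never used twice across messages, chunks and retries.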