[openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)

Werner Koch <wk@gnupg.org> Tue, 07 June 2022 07:34 UTC

From: Werner Koch <wk@gnupg.org>
To: openpgp@ietf.org
References: <165453577116.17285.7902041139949315015@ietfa.amsl.com>
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Jabber-ID: wk@jabber.gnupg.org
Mail-Followup-To: openpgp@ietf.org
Date: Tue, 07 Jun 2022 09:32:55 +0200
In-Reply-To: <165453577116.17285.7902041139949315015@ietfa.amsl.com> (internet-drafts's message of "Mon, 06 Jun 2022 10:16:11 -0700")
Message-ID: <87tu8xkjx4.fsf@wheatstone.g10code.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/bk1cltCWwhjT71UT5LmFywVqIkE>
Subject: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)

Hi!

I have a few brief remarks on the new I-D and on the crypto-refresh series
in general by the design team (DT).

I am listed as Editor, a role which I did not want to take up again
when we had the first talks about relaunching the WG and starting a DT
in January 2021.  However, Stephen and Paul said that they wanted to have
me in even if Paul agreed to do the actual work.

I have not been involved in the design team since last October due to my
time constraints.  Back then it seemed that all contentious parts had
been solved and only a few editorial changes, the introduction of X448,
and updated IANA considerations were missing.  Later it turned out that
we also needed to fix the private key protection scheme.  However, the DT
added a lot more things in the meantime, which was pretty surprising
to me.

The parts of the new I-D which I strongly disagree with are:

1. The new AEAD scheme.

   It seems that this new scheme was introduced for the benefit of
   allowing GCM as yet another encryption mode.  GCM is a counter mode
   and, as can be seen from the large changes required, hard to get right.
   We do have GCM in CMS now because Microsoft decided to go this
   way.  However, OpenPGP has taken its own decisions based on technical
   soundness and not based on larger vendor, government or committee
   decisions.

   The WG once decided to go with EAX and OCB.  EAX was only added to
   avoid possible patent problems.  However, in the 4.5 years since the
   introduction of EAX the patent issue has expired or was invalidated, and
   before the new mode will be a MUST algorithm in a future OpenPGP
   RFC (not in 4880bis), there will definitely be no more problem at all
   with OCB.  I bet that by then an updated FIPS-140 will even allow
   OCB.

   Thus my suggestion: Drop all those new AEAD ideas and use what has
   been deployed and agreed upon in this very WG a long time ago.
   Further, turn OCB into MUST and EAX into MAY (for backward
   compatibility with deployed implementations).

2. The removal of the Brainpool curves, as already explicitly listed in
   early RFC-4880bis drafts, is not acceptable.  It may even raise
   suspicions that a TLA was somehow involved to keep NIST curves but
   not Brainpool.  Note I won't share such an opinion, but with crypto
   algos we also need to look at such political things.

   Thus please immediately issue -07 with Brainpool re-added.


There are probably other things I will eventually comment on.  That will
take more time due to the hard-to-handle merge-request-style development
by the DT, in contrast to the former step-by-step draft release and
discuss process.




Salam-Shalom,

   Werner



ps.
I am not sure whether having one of the chairs being the main
contributor to the crypto-refresh draft was actually helpful.  Even if
a large amount of his commits are due to his re-formatting of the source
code.

$ git shortlog -sn      # That's for crypto-refresh-06.txt
   190  Daniel Kahn Gillmor
   104  Werner Koch
     5  Heiko Stamer
     4  brian m. carlson
     3  Paul Wouters
     3  Ronald Tse
     2  Derek Atkins
     2  Vincent Breitmoser
     1  Clint Adams
     1  Guillem Jover
     1  NIIBE Yutaka
     1  Paul Wouters ☕️

$ git shortlog -sn 5db9fe2  # That's for rfc4880bis-10
   101  Werner Koch
    24  Daniel Kahn Gillmor
     5  Heiko Stamer
     4  brian m. carlson
     3  Ronald Tse
     2  Derek Atkins
     1  Clint Adams
     1  Guillem Jover
     1  NIIBE Yutaka
     1  Vincent Breitmoser


--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein