[openpgp] Re: WGLC for draft-ietf-openpgp-pqc

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 May 2025 18:31 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, openpgp@ietf.org
Date: Wed, 14 May 2025 14:31:13 -0400
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/eQ4xXG1t6rUbCY7A98k9yi00ajQ>

On Tue 2025-05-13 23:11:33 +0100, Stephen Farrell wrote:
> - I think (but am not 100% sure) we want it to be true that
> no implementation makes unexpected multiple uses of any
> secret or private value at any time. For example, KEM
> private values when sending a mail to multiple recipients
> or signature private keys when signing twice with algs
> 32/33. Is that the case?  If so, should we say it (more)
> explicitly? We almost do say this in a few places, some of
> which RECOMMEND not re-using, others of which call for
> "independent" generation. Is this something we could
> tighten up on without breaking any use-cases? If we do have
> some real use-case that needs to re-use a secret or private
> value, (basically other than multiple alg-specific signing
> private key use), can we describe that as the
> counter-example to just saying RECOMMENDED rather than MUST
> NOT?

I have the impression that it's a RECOMMENDED because ⓐ some people
might have hardware keys that they feel obliged to reuse (yet another
reason why hardware keys are problematic), but also ⓑ it would be
unenforceable as a MUST.  It's not going to be an interoperability issue
unless the keyholder's peers reject certificates that share public key
material.

I don't think anyone is seriously contemplating asking OpenPGP
implementations to reject a certificate with shared public key material.

I wouldn't object if the draft were to explicitly call out the ⓐ case as
the exception to the SHOULD, though it makes me sad to justify bad
protocol choices based on bad hardware/software choices.  Are there any
other plausible reasons why someone would want to re-use?

> - 2.1: Five is IMO too many signature options. Can we not
> reduce that number?  If not (as I suspect, I always lose
> this argument;-) then it'll help with later document
> processing if we can document why we need five in e.g. an
> email, in case someone asks, which they probably will.  (I
> forget if we covered this specifically in earlier debates
> sorry, if a reference provides a good answer, that's just
> fine.)

I agree that 5 is a lot, but it's not much compared to the full zoo.
Count yourself lucky, Stephen ☺

I'd welcome a simple MR that tries to describe the justifications.

> - I didn't check the appendices/examples, but I know others
> have (thanks!).  We should also get someone to confirm on
> the list that the set of examples in the version we forward
> for publication are (still) ok, again in an email to the
> list so we can point to that later.

Agreed, this would be great to have in a reportback on-list from the
interoperability test suite, as the test vectors stabilize.

> - nit: We use ":=" without definition, and I'd say just
> "=" would be just as good?

sounds reasonable:
https://github.com/openpgp-pqc/draft-openpgp-pqc/pull/186

        --dkg