[openpgp] Re: Fw: New Version Notification for draft-ietf-openpgp-pqc-05.txt

Falko Strenzke <falko.strenzke@mtg.de> Wed, 23 October 2024 05:58 UTC

To: Simo Sorce <simo@redhat.com>, Aron Wussler <aron@wussler.it>, "openpgp@ietf.org" <openpgp@ietf.org>

Hi Simo,

On 22.10.24 at 22:49, Simo Sorce wrote:
> On Tue, 2024-10-22 at 16:42 -0400, Simo Sorce wrote:
>> Hi Aaron,
>>
>> great work on the update!
>>
>> That said I have to ask if there is apce for adding NIST ECC curves
>> here.
>>
>> While Ed25519/Ed448 have been recently approved for use in FIPS modules
>> via revision 5 of FIPS-186 there is yet no approval for the use of
>> X25519/X448 as SP 800-56A has not been extended to cover them.
>>
>> It would be useful if at least one KEM option would be defined using
>> NIST curves for the classic algorithm part.
>>
>> Ideally both KEM and Signatures can use the classic NIST approved
>> curves, as adding an Edwards curve implementation to existing modules
>> may not be trivial and time would be better spent properly implementing
>> ML-DSA and ML-KEM while reusing a proven and hardened P256/P384/P521
>> implementation for the classic part.
>>
>> I understand the desire to avoid too many combinations, but a standard
>> should also look at the practicalities of deployment IMHO.
>>
>> HTH,
>> Simo.

Just as you argue with good reasons in favour of including the NIST 
curves, from the perspective of those domains that fall under the 
regulations or recommendations of the BSI, one could argue for the 
inclusion of the Brainpool curves. The WG had decided that these 
additional curves (NIST, Brainpool) be moved to a different draft: 
https://datatracker.ietf.org/doc/draft-ehlen-openpgp-nist-bp-comp/. And 
that is what will stick to – unless there is consensus to overrule this
WG decision again, but that is currently not at all apparent in my view.

This draft will be presented to the working group again. For the moment, the
authors of draft-ehlen-openpgp-nist-bp-comp have decided to wait with 
approaching the WG (again) until the constructions in the main draft 
(draft-ietf-openpgp-pqc) are stable.

- Falko

> That 'apce' above is a typo for "space" ... sigh.
>
> And I forgot to add that if classic NIST curves were available, then
> existing and certified HW tokens that implement those curves could be
> used in conjunction with a non certified software implementation of ML-
> KEM and ML-DSA resulting still in a FIPS compliant tool as for KEM
> combiner the PQ part is just seen as additional data and does not
> "break" FIPS compliance, while for Signatures the certified signature
> function is sufficient to claim a compliant verification is done.
>
> This means existing tokens could be used while we wait for new ones
> that can provide certified ML-KEM and ML-DSA implementations.
>
> Simo.
>
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>
