Re: [openpgp] Review of draft-ietf-openpgp-crypto-refresh-07
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 25 March 2023 06:09 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7318EC1516E0 for <openpgp@ietfa.amsl.com>; Fri, 24 Mar 2023 23:09:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="9CC0mun5"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="K+FjfmIM"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8DTT_xbGkSBA for <openpgp@ietfa.amsl.com>; Fri, 24 Mar 2023 23:09:55 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4DE3C1516F8 for <openpgp@ietf.org>; Fri, 24 Mar 2023 23:09:54 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1679724590; h=from : to : subject : in-reply-to : date : message-id : mime-version : content-type : from; bh=yLqPciYJ9G5aXS+eCrIl0XOzlREYsdayujkd2sTTgQg=; b=9CC0mun5y+QTX+a0N+e997OkPi+NlGODbnwbm9TuRudDxeOo+yVRdy/TrE8tzqgORhAac zIB4AOZOsmbP3mDDg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1679724590; h=from : to : subject : in-reply-to : date : message-id : mime-version : content-type : from; bh=yLqPciYJ9G5aXS+eCrIl0XOzlREYsdayujkd2sTTgQg=; b=K+FjfmIMMlV3EApTPhyex8BJbg6UAzKnLCZ24X/oRHMcl+ntPPs2oM6EfkvbETnlh4oLR d0g3IrrcoVGrZMXItVVx9HA3NJc5gXArbgJYORnm/H5pOAybkPKLCdm/2TyObIi1YB2RZxB /S0t9r2PEL17B7UQvmPj0SCKNNXneWM6rr393Ti0EqDOWRyRblEoOkLnDFJ+kFMZ9w7OxOV mE4esciQNJjGQ76kGYwR/UETf8VGTPDMW60YfEatzkQ5/vOMCOQR69z3t3CA4MTDMcfv01f Z32Z8m3CTyrOMs/HPkiILk4yD8e5mQieC3nv9a3KgoD2FuOz/1YxhTcP6GnA==
Received: from fifthhorseman.net (dhcp-8966.meeting.ietf.org [31.133.137.102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id D410DF9AD; Sat, 25 Mar 2023 02:09:49 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 6072620508; Sat, 25 Mar 2023 15:00:12 +0900 (JST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jonathan F Hammell <Jonathan.Hammell@cyber.gc.ca>, "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <YT2PR01MB8886D5611138129BDEBF8FACC8E69@YT2PR01MB8886.CANPRD01.PROD.OUTLOOK.COM>
Date: Sat, 25 Mar 2023 02:00:11 -0400
Message-ID: <87355tpdzo.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/eyFjxbkY9yaVaReHNJbd4Ky9xjU>
Subject: Re: [openpgp] Review of draft-ietf-openpgp-crypto-refresh-07
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2023 06:09:59 -0000
On Fri 2022-12-16 16:33:22 +0000, Hammell, Jonathan F wrote: > As promised at IETF 115, I've reviewed draft-ietf-openpgp-crypto-refresh-07 Thanks very much for this review, Jonathan, and sorry for the delay in responding. some of your comments have already been addressed, and i've tried to make concrete changes that address the bulk of what remains in https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/270 (this also incorporates a lot of what looks to me like solid, non-controversial editorial work already done by Daniel Huigens and Falko Strenzke. Rather than giving each of your notes a line-by-line response, i'm just going to cite the things that the above MR *doesn't* cover with something reasonably close to what you recommended. > Perhaps it should also be recommended that a sender encrypt to their > own public key to allow decryption of replies without having to lookup > the sent PKESK packet. I'm not sure i fully understand this, but i think encrypt-to-self guidance is generally probably domain-specific (that is, it has more to do with, say, how the mail user agent works than OpenPGP itself). There is some related text in https://datatracker.ietf.org/doc/draft-ietf-lamps-e2e-mail-guidance that is not OpenPGP specific. Maybe this guidance belongs there? > - Sections 5.1.3 and 5.1.4 say "The value 'm' in the above formula is > the plaintext value described above...", but "plaintext" is not > mentioned above. I assume it is "The resulting octet string" from the > last sentence of 5.1.2, but the linking of this could be more clear. I think this has been fixed in Daniel Huigens' "no-v3-pkesk-cfrg-padding" branch, part of outstanding MR !267. > - In the paragraph following the list in Section 5.3.2 (v5 SKESK), the > first sentence is very long and it is not clear what it is describing. > I suggest "A key-encryption key is derived using HKDF (see [RFC5869]) > with SHA256 has the hash algorithm. The Initial Keying Material (IKM) > for HKDF is the resulting key derived from S2K. No salt is used. The > info parameter for HKDF is comprised of the Packet Tag in new format > encoding (bits 7 and 6 set, bits 5-0 carry the packet tag), the packet > version, and the cipher-algo and AEAD-mode used to encrypt the key > material. [New paragraph]" A diagram would help here. See also the > similar description in 5.5.3. I've made clarifying changes to these sections that roughly match these suggestions in the commit "Adjust descriptions of HKDF use", but i have not tried to supply a diagram. If anyone wants to take a crack at a diagram, i'd be happy to review. > - Section 11.1.4, paragraph 2 has multiple interpretations for the > "MUST" requirement. Either the primary MUST always be an algorithm > capable of making signatures in order to create self-signatures, or if > one wishes to create self-signatures, then the primary key MUST be > capable of making signatures. Resolving this would mean picking an understanding of this text. I think primary keys should only ever be sign-only, but this seems like it might be contentious, so i've split it out into a distinct MR: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/269 > - Section 3.3 introduces Key IDs and says that they cannot be assumed > to be unique, but it would be helpful to at least mention fingerprints > as the better option for a unique value. I suggest renaming 3.3 as > "Key IDs and Fingerprints" and then replace the last sentence with "A > fingerprint is cryptographically unique per key, but may be calculated > differently according to the version of the key. See Section 5.5.4 > for more details on Key IDs and fingerprints." I think there's some dispute about whether it's safe to say "cryptographically unique" when we know that (for example) there are SHA-1 collisions, so i've gone with a different wording here. Please take a look at the commit f14509a8575efd9fa5ac48febe58b54deda9269c ("update Key ID note to refer to Fingerprints as well") > - In Section 3.7.1.4 (Argon2): s/kibibytes/kilobytes Are you sure? https://www.rfc-editor.org/rfc/rfc9106.html#section-3.1-2.5 says kibibytes. Changing it to kilobytes here would cause a mismatch. I did not make this change. > - Section 4.2 does not make it clear that Bit 6 of the Packet Tag is > used to identify Legacy packet formats. It says Bit 6 is "Always one > (except for Legacy packet format)", but it would be helpful in the > following paragraph to start with "A Packet Tag with a zero in Bit 6 > indicates a Legacy packet format." Or add this sentence to the > beginning of 4.2.2. ugh, this terminology is a mess. The section says that the first octet is the "packet tag", but then it also says that some subset of the bits in the first octet are *also* the "packet tag". I've tried to clean this up, including a variation on your suggestion in git commit ea88d35f7956b30cdb9f7d10e36c3116976a416c ("Clarify terminology between "packet tag" and "first octet" of packet") > - The last paragraph of Section 4.2.1.4 (Partial Body Lengths) lists > data packet types, and maybe should be revised to include "encrypted > and integrity protected" data packets, unless it is not intended for > that packet type as per the final sentence. I'm really not a fan of the partial body length packets -- i think they cause implementation confusion and i don't know how many implementations can handle them (see https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/29). I have not tried to clean this text up, because i'm kind of concerned about encouraging anyone to generate more packets of this type. > - In Section 5.5.3, the items listed as "[Optional]" seem like they > are actually conditional. The list in Section 7 is more clear for > describing conditional items. I think i agree with you -- "conditional" means you don't get to choose, but circumstances will dictate whether it appears or not; "optional" sounds more like "you get to decide whether you want to include it." -- but just replacing "[Optional]" with "[Conditional]" seems confusing to me too, because the variant form of "conditional" (i.e. what happens when the predicate is not met) might be "instead of A, use B", whereas the variant form of "optional" is pretty clearly "instead of A, use nothing". So I'm not sure how to fix this concretely. Section 7 (the cleartext signing framework) is a much shorter list, and it doesn't use any explicit label like "[Optional]". we could remove the label in the earlier section, but i think that makes the text even less comprehensible. Suggestions for concrete improvement welcome! > - Section 5.5.5.6, bullet 3 says it is a "variable-length field", but > the sub-items are each one octet. This field is "variable length" because it is a versioned field. That is, in the current (and only known) version (1), it is fixed-length. but a future version could have a different length. I believe the idea of an explicit KDF is probably on its way out, and certainly we don't know how to increment this version in a reliable, interoperable way. So i've left this alone for now, but i do think that killing off this field, or at least committing explicitly to not incrementing it, would be a good thing (similar to how we've abandoned the idea of incrementing the MDC approach). I've opened an issue to track this concern, but i'm not convinced it'll get into the crypto-refresh if there's anything contentious here: https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/161 > - In Section 5.2.3.12 (Preferred AEAD Ciphersuites), indicate this subpacket must be in the cryptographically-protected field of a signature packet to avoid this subpacket being removed to encourage use of default algorithms. > > - Section 5.2.3.17 (Revocable): If a signature is marked as non-revocable in an unhashed subpacket, what is the expected behavour if that signature is revoked? Perhaps this subpacket should be recommended to be in the cryptographically-protected field. > > - Section 5.2.3.32 (Issuer Fingerprint): This subpacket should also be recommended to be cryptographically-protected. I'm not sure what to do with these recommendations, or how much guidance the draft needs to give about whether subpackets should be hashed or not. I mean, in general, the rule is probably "rely on the hashed subpacket before you rely on the unhashed one" and "if you need cryptographic assurance, don't look at unhashed subpackets", but i'm sure there are exceptions to each of these rules. I think this is probably best addressed separately, as noted in https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/96 Regards, --dkg
- [openpgp] Review of draft-ietf-openpgp-crypto-ref… Hammell, Jonathan F
- Re: [openpgp] Review of draft-ietf-openpgp-crypto… Daniel Kahn Gillmor
- Re: [openpgp] Review of draft-ietf-openpgp-crypto… Jonathan Hammell
- Re: [openpgp] Review of draft-ietf-openpgp-crypto… Daniel Huigens
- Re: [openpgp] Review of draft-ietf-openpgp-crypto… Jonathan Hammell
- Re: [openpgp] Review of draft-ietf-openpgp-crypto… Daniel Kahn Gillmor