Re: [openpgp] OpenPGP encryption block modes
Bruce Walzer <bwalzer@59.ca> Mon, 08 August 2022 15:52 UTC
Return-Path: <bwalzer@59.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06C4C157B4D for <openpgp@ietfa.amsl.com>; Mon, 8 Aug 2022 08:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FumW__cOqqqf for <openpgp@ietfa.amsl.com>; Mon, 8 Aug 2022 08:52:45 -0700 (PDT)
Received: from mail.59.ca (mail.59.ca [205.200.229.83]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACFDAC15791D for <openpgp@ietf.org>; Mon, 8 Aug 2022 08:52:44 -0700 (PDT)
Received: from [104.246.140.18] (helo=watt.59.ca) by mail.59.ca with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <bwalzer@59.ca>) id 1oL53F-0007gY-QD; Mon, 08 Aug 2022 10:52:21 -0500
Date: Mon, 08 Aug 2022 10:52:19 -0500
From: Bruce Walzer <bwalzer@59.ca>
To: Aron Wussler <aron@wussler.it>
Cc: Daniel Huigens <d.huigens@protonmail.com>, justus@sequoia-pgp.org, openpgp@ietf.org
Message-ID: <YvExM2+s+cdHJgGI@watt.59.ca>
References: <YuAErZRsF/KbOw1s@watt.59.ca> <87bktajjvq.fsf@thinkbox> <YuKpxp0/Dy1DfC19@watt.59.ca> <875yjhjg2c.fsf@thinkbox> <87r124m64c.fsf@wheatstone.g10code.de> <YulX9jI1+wOCwLJq@ohm.59.ca> <Q6EUpbQm0e5f1OiU-77Old9p9FXyLCaFZ8pMm7PTt8VTLQJaXRQzWIDSwc3db6yI-56imyOaTNdt9TC8Zrm1jN_kPKxFYH4OqEu6o-Wfquo=@protonmail.com> <YuvlHdLz0Sfle7Ot@ohm.59.ca> <87a68ji1bv.fsf@wheatstone.g10code.de> <kV1o2wor4b750-i-DJcjlGhlrx5-NAgguHX6etvEE2GZCIifuBMhKCK8qknPWBEWvDSy0OntIlPCZOA4YLEQwa1vKyyZoBYshLtVv1qJ0Vs=@wussler.it>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <kV1o2wor4b750-i-DJcjlGhlrx5-NAgguHX6etvEE2GZCIifuBMhKCK8qknPWBEWvDSy0OntIlPCZOA4YLEQwa1vKyyZoBYshLtVv1qJ0Vs=@wussler.it>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/gHFKAyCVj_kiEoDD_R6kXugkMdc>
Subject: Re: [openpgp] OpenPGP encryption block modes
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2022 15:52:47 -0000
On Fri, Aug 05, 2022 at 08:00:07AM +0000, Aron Wussler wrote: > Hi all, > > I think in this thread is missing an important piece of information. > > > Speaking of messaging, wouldn't you strongly prefer the most compatible mode? > > These preferences are signalled by the keyholder. When I generate a key I can specify if I'd like GCM messages in the Preferred AEAD Ciphersuites. There seem to be two significantly different cases here... 1. The mode is required. In this case a user can signal that they want that mode in their key (in practice the implementation will make this decision). This preference becomes part of their long term PGP identity. Should they receive material in that mode they can keep it indefinitely with the assurance that they will retain access to it. Ideally an implementation would support any mode actually used by the user for their lifetime plus a bit. This is more or less the current situation for OpenPGP preferences. This doesn't always work in practice because a user can use the same key with multiple implementations. Those implementations might not all be as up to date. I have already ran across an instance where a proposed AEAD mode leaked out of an implementation and caused a unsolvable interoperability issue for a user not completely knowledgeable about these sorts of issues. They generated the key on the newest implementation. 2. The mode is optional (the GCM case). Is having a mode that is optional but resides in the preferences something that has ever been seen in normal OpenPGP usage? In this case a user can signal that they want that mode in their key ... but they really shouldn't. That is because a conforming implementation can drop their mode at any time. Then all their messaging archives and encrypted files are suddenly inaccessible for no reason a typical user would understand. They are unlikely to be able to come up with a script to reencrypt everything to a different mode. They can't just upgrade to a newer version. Contrast this to, say, a medium like TLS where, in principle, you could renegotiate a different mode for every connection. The OpenPGP preference system is not a negotiation system. In practice it mostly prevents downgrade attacks. Things work as well as they do because most implementations support the same modes. > > A recipient not trusting GCM can simply omit it from their key. I see no problem with any implementation omitting GCM by default (not to alienate non-crypto-geeks) and including only if it makes sense for the implementation itself (e.g. OpenPGP.js), or if there are some legal requirement to do so. I can't imagine a (compliant) implementation sending GCM messages to a certificate that does not specify support for them. > > Furthermore, a GCM-skeptical sender could also ignore this preference and just send messages using OCB, that must be supported (even though admittedly this requires more technical knowledge). > > Finally, since we're not in the asymmetric part of the certificate - that if you fail to parse game's over - I don't understand the point of discussion. As said at IETF114, if this does not end into the draft, anyone can come up with a spec adding an additional block mode, therefore not adding it now will not prevent people from using it eventually. Anyone can do whatever they want, but that would be the case for any standards effort. The reason we have standards is so they won't. Bruce
- [openpgp] The Argon2 proposal seems incomplete (D… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Justus Winter
- Re: [openpgp] The Argon2 proposal seems incomplet… Werner Koch
- Re: [openpgp] The Argon2 proposal seems incomplet… Paul Wouters
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… brian m. carlson
- Re: [openpgp] The Argon2 proposal seems incomplet… Stephen Farrell
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- [openpgp] OpenPGP encryption block modes (Was: Th… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Benjamin Kaduk
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Daniel Huigens
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Aron Wussler
- Re: [openpgp] OpenPGP encryption block modes (Was… Phillip Hallam-Baker
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes brian m. carlson
- Re: [openpgp] OpenPGP encryption block modes Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes Peter Gutmann
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes Daniel Huigens
- Re: [openpgp] OpenPGP encryption block modes Werner Koch
- Re: [openpgp] OpenPGP encryption block modes (Was… Stephen Farrell
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] OpenPGP encryption block modes (Was… Marcus Brinkmann
- Re: [openpgp] OpenPGP encryption block modes (Was… Bruce Walzer
- Re: [openpgp] The Argon2 proposal seems incomplet… Ángel
- Re: [openpgp] The Argon2 proposal seems incomplet… Daniel Kahn Gillmor