IETF Logo Mail Archive

[openpgp] Re: WGLC for draft-ietf-openpgp-pqc [was: Re: I-D Action: draft-ietf-openpgp-pqc-08.txt]

Heiko Schäfer <heiko.schaefer@posteo.de> Fri, 02 May 2025 14:23 UTC

Return-Path: <heiko.schaefer@posteo.de>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 940682415C19 for <openpgp@mail2.ietf.org>; Fri, 2 May 2025 07:23:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHoaQx6iKSK1 for <openpgp@mail2.ietf.org>; Fri, 2 May 2025 07:23:24 -0700 (PDT)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C63FA2415C02 for <openpgp@ietf.org>; Fri, 2 May 2025 07:23:23 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id EF12E240101 for <openpgp@ietf.org>; Fri, 2 May 2025 16:23:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1746195800; bh=2wEFa63VoBFmx+KfJ+kPRXIFWAFamxa/b/pXSkk8RLA=; h=Message-ID:Date:MIME-Version:Subject:To:From:Content-Type: Content-Transfer-Encoding:From; b=o0be8AjsdjTjI+GbBSChpndLvlsx+mt9w+QInFOK3vWE7L5J+NtBH5Tf74aqLd4cB 0JKYuWm2eehZ3/EHseijeuJuYLQBA6/pphRUfyvkGCV2NhyFcwdA/5hx3OPZrqgDPd HDdabaSoTc6vB9TvGA2LQku2XN27dN5at9blJKG7xEn0fOiN+pLSFHJk2aGs2tBfBI yXk184uvxrNq0StwpoMcHDNvwydJO966zdokYUQxPfHiGGyUNvCE++Tdqo6sryk4ji tR1EyZGwL+uFVcs8DpSu/5lqLC0HhRG9qbaXhBGU6xIdQbHtwTIKXoKoUs+oNBbwRc ly0pF1bGPvdtQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4ZptSS4c9Jz6ty7 for <openpgp@ietf.org>; Fri, 2 May 2025 16:23:20 +0200 (CEST)
Received: from services.foundation.hs (services.foundation.hs [192.168.21.4]) by mail.foundation.hs (Postfix) with ESMTP id 40367705C5 for <openpgp@ietf.org>; Fri, 2 May 2025 16:23:20 +0200 (CEST)
Message-ID: <a2fa1a9b-7094-4487-a014-c3e623fec8ad@posteo.de>
Date: Fri, 02 May 2025 14:23:19 +0000
MIME-Version: 1.0
To: openpgp@ietf.org
References: <174470653269.1286532.14892820163225351018@dt-datatracker-64c5c9b5f9-hz6qg> <LSicuu3DyGQdz5FlANti-HGJ6GuAucc5BKufbsCa603EsSZ0q1XMXYvt_OubLd0UQkg0gh2F--9y9WpoqWfQu5XU-KEcJ15GG66cSFk9ByU=@wussler.it> <87wmblcr8i.fsf@fifthhorseman.net>
Content-Language: en-US
From: Heiko Schäfer <heiko.schaefer@posteo.de>
In-Reply-To: <87wmblcr8i.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: TDYFYQ4WFOQPMOV3I6KVOQ73UXXQHWLZ
X-Message-ID-Hash: TDYFYQ4WFOQPMOV3I6KVOQ73UXXQHWLZ
X-MailFrom: heiko.schaefer@posteo.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: WGLC for draft-ietf-openpgp-pqc [was: Re: I-D Action: draft-ietf-openpgp-pqc-08.txt]
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/h9Q8dZ-JIZVteHKiGVyJqZov1Gg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hello dkg, list,

On 4/15/25 6:41 PM, Daniel Kahn Gillmor wrote:
> If you are implementing this draft, please report back here!

Apologies as well from me for the late reply.

rPGP implements draft-ietf-openpgp-pqc-08. The implementation can be 
observed in the interoperability test suite: An experimental version of 
rsop with pqc support is currently listed as "rpgpie 0.6.0+pqc".

I found the draft pleasantly clear, concise and well-structured 
(however, I'll note that I'm not a cryptographer, and can't judge the 
draft's finer points from that angle).


The paragraph that outlines the structure of OpenPGP certificates didn't 
seem ideal to me. I try to offer a clarification in #182, but fear I 
didn't succeed in improving the text overall. If others feel that 
improving this paragraph is a worthwhile goal, I'd be happy to 
collaborate and iterate until we find a change that is both easy to read 
and clarifies the structure of certificates.

As Daniel Huigens pointed out yesterday, I also think that section 8.3 
should mention the possibility of adding a PQC encryption subkey to a v4 
key.


Finally, regarding encryption subkey selection, of course rpgpie's 
current approach (encrypting to all valid subkeys) is not achieving PQ 
security when valid pre-PQC encryption subkeys are present.

It would be nice if we could agree on good guidance for encryption 
subkey selection in this draft. However, I worry that attempting to 
clarify this point might delay publication for an excessive amount of time.
Thus, my current (weak) preference would be to keep encryption subkey 
selection out of draft-ietf-openpgp-pqc and handle it separately.

I'll note that while this is not ideal for all scenarios, migrating to 
post quantum encryption is possible without further clarifying subkey 
selection, as follows:

1. Adding a PQC subkey
2. Observing that this subkey is being (either exclusively or 
additionally) encrypted to by all relevant peers, and then
3. Decomissioning any pre-PQC encryption subkeys (by expiration or 
revocation).


To be clear, if consensus for concrete guidance (e.g. Daniel Huigen's 
suggestion from ~21 hours ago) emerges, I'd be happy to see it 
integrated into draft-ietf-openpgp-pqc. But I'd much prefer to see this 
document completed without such guidance than to see it stuck for an 
indefinite period.

Thanks,
:) Heiko

v2.31.3 | Report a Bug | By Email | System Status