[openpgp] New encryption formats for messaging
David Leon Gil <coruus@gmail.com> Sat, 14 March 2015 00:41 UTC
Return-Path: <coruus@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E791A90A4 for <openpgp@ietfa.amsl.com>; Fri, 13 Mar 2015 17:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_IHmqWW53Dp for <openpgp@ietfa.amsl.com>; Fri, 13 Mar 2015 17:41:41 -0700 (PDT)
Received: from mail-yk0-x234.google.com (mail-yk0-x234.google.com [IPv6:2607:f8b0:4002:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8F161A9062 for <openpgp@ietf.org>; Fri, 13 Mar 2015 17:41:39 -0700 (PDT)
Received: by ykek76 with SMTP id k76so249540yke.0 for <openpgp@ietf.org>; Fri, 13 Mar 2015 17:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=XPyj+i4WPwkxetUI5DLOM8IEv+L/Vmb/w3bJNuHV7Pc=; b=tRPELeUXEKdL2Cbu87yufhdkyHw1eFCTWCSk6Y60O1LuJovDJrSDTAoShEy5GgpiTW w5JVdyaBXOcTcsiNFbQvgFXaPpsTHMz6Z3fzF53jw/CNESYbgIKbDP1AYw9Mwx6Rbz0r mjAsV2ZrYtHy/eRWs027dVuNnlyqQ01gqDXxzVJfgoLPEjnr9Hs4Wuq5qzhuhhre8qZ+ l2ahVNlQHKndYiqLgEBbbq2J6Vba+W3qEt8TRPQvvJPXrQ6PQYsTHC4Xpu3TPafrG37h n9TNFm9OOERUkacUp3uWGIzN/OVK8/saKI5DYxCBEPZ/CG4Raoo+fLPX86vw0u3OcVSI X/4g==
X-Received: by 10.236.105.210 with SMTP id k58mr49131941yhg.52.1426293699190; Fri, 13 Mar 2015 17:41:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.170.125.80 with HTTP; Fri, 13 Mar 2015 17:41:18 -0700 (PDT)
From: David Leon Gil <coruus@gmail.com>
Date: Fri, 13 Mar 2015 17:41:18 -0700
Message-ID: <CAA7UWsUz65C0GAQo8Yf7ZOeT9BYy+NLV5pbbPg+Ok0-72ca1eA@mail.gmail.com>
To: "openpgp@ietf.org" <openpgp@ietf.org>, "dgil@yahoo-inc.com" <dgil@yahoo-inc.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/jEKLj7vLFwrezkYMijTBwtW29ec>
Subject: [openpgp] New encryption formats for messaging
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Mar 2015 00:41:42 -0000
Some desiderata, generally: A0. Be as secure as possible by default. Do not offer options to fallback to doing unsafe things. "Experienced" users often think they want them; there are usually better solutions for their use-cases. A1. Only specify a single asymmetric encryption scheme and a single asymmetric signature scheme. This is critical: This is the second most dangerous and buggy code in any crypto scheme. A2. Clearly separate handling of various message and key metadata from the underlying encryption scheme. This is critical: Parsing code is the most dangerous and buggy code in any crypto scheme. A3. Do not specify things which are infeasible to thoroughly test. This implies avoiding combinatorial complexity, which the OpenPGPv4 spec doesn't. A4. All messages, including signed but unencrypted messages, should be indistinguishable from random to an adversary who does not know the public key of the signer. (This is, essentially, a Tor-style security requirement.) Some desiderata for symmetric primitive choices: B1. Only modern hash functions that provide a significant security margin against cryptanalysis. Let's not repeat the MD-5/SHA-1 disaster. (We only need two hash functions at most.) B2. Only block and stream ciphers that offer a significant margin of safety against cryptanalysis. (Or that, when composed, offer a significant margin of safety against cryptanalysis.) B3.. A single AEAD mode that is maximally misuse-resistant, in the sense of https://eprint.iacr.org/2014/793. (But probably not AEZ, or any other CAESAR competitor for that matter. I would prefer a scheme that uses generic composition of well-studied primitives.) Thus, what any proposal should specify, at the crypto level: C1. A single curve providing security above the 192-bit-equivalent level. (This is because the *tightest* security reductions for any concrete instantiation of EC primitives result in a security level of ~ 120-bits for a 384-bit curve.) C2. A single message format intended for use with signed and encrypted messages of length >> 128 bytes and << 2^24 bytes. (That is, something appropriate for email. I would consider encryption of large files and very short messages out of scope at this time.) I am agnostic as to whether encrypted-then-signed or signed-then-encrypted is preferable. I am curious if anyone else has strong views on this? C3. A single message format intended for detached signatures. This should target, specifically, the common use-case of OpenPGP signatures for code-signing. C4. Specify a mechanism for encapsulating a signature over the body of an HTML email in a way that is compatible with HTML email as commonly used. This signature should be indifferentiable from random for anyone who does not know the public key of the sender. (This last should be easy. A concrete proposal: If a "data-openpgp-sig" attribute is present on a tag, it contains a base64urlsafe-encoded signature over the contents of that tag, with no special normalization rules applied. This can be made more precise by reference to the HTML5 spec.) And what a proposal should specify, for various key and message metadata: D1. A standard format for encapsulating arbitrary key and message metadata. D2. Mappings from OpenPGPv3 metadata to that format, as appropriate. -- Final comment: I am, quite frankly, agnostic as to whether an IETF WG or another forum is the most appropriate place to specify something. The IETF lately has not seemed to be so much about canonizing "de facto" standards (which it was good at) as design-by-committee (which it isn't). And recent revelations have shown that design-by-committee is -- besides being irritating for implementors -- a boon to intelligence agencies. So: I would encourage anyone interested in seeing something standardized to make a complete proposal a la Hugo Krawycz's OP-TLS proposal for TLS1.3. But implement the proposal first. Working code &c. Taking a scattershot approach will lead to a shoddy, messy, unsafe result. Yahoo will not support a specification that, by sloppiness or untestability, makes our users unsafe. David Leon Gil Senior Paranoid Yahoo!
- Re: [openpgp] New encryption formats for messaging Christoph Anton Mitterer
- Re: [openpgp] New encryption formats for messaging ianG
- Re: [openpgp] New encryption formats for messaging Christoph Anton Mitterer
- Re: [openpgp] New encryption formats for messaging ianG
- Re: [openpgp] New encryption formats for messaging Christoph Anton Mitterer
- [openpgp] Manifesto - who is the new OpenPGP for? ianG
- Re: [openpgp] Manifesto - who is the new OpenPGP … Christoph Anton Mitterer
- Re: [openpgp] Manifesto - who is the new OpenPGP … Phillip Hallam-Baker
- Re: [openpgp] Manifesto - who is the new OpenPGP … Falcon Darkstar Momot
- Re: [openpgp] Manifesto - who is the new OpenPGP … Werner Koch
- Re: [openpgp] Manifesto - who is the new OpenPGP … Stephen Paul Weber
- Re: [openpgp] Manifesto - who is the new OpenPGP … Stephen Paul Weber
- Re: [openpgp] Manifesto - who is the new OpenPGP … Wyllys Ingersoll
- Re: [openpgp] Manifesto - who is the new OpenPGP … Clint Adams
- Re: [openpgp] Manifesto - who is the new OpenPGP … Phillip Hallam-Baker
- Re: [openpgp] Manifesto - who is the new OpenPGP … ianG
- Re: [openpgp] Manifesto - who is the new OpenPGP … ianG
- Re: [openpgp] Manifesto - who is the new OpenPGP … Tim Bray
- Re: [openpgp] Manifesto - who is the new OpenPGP … Phillip Hallam-Baker
- Re: [openpgp] Manifesto - who is the new OpenPGP … Christoph Anton Mitterer
- Re: [openpgp] Manifesto - who is the new OpenPGP … John Kreznar
- Re: [openpgp] Manifesto - who is the new OpenPGP … Werner Koch
- Re: [openpgp] Manifesto - who is the new OpenPGP … Phillip Hallam-Baker
- Re: [openpgp] Manifesto - who is the new OpenPGP … Brian Sniffen
- Re: [openpgp] Manifesto - who is the new OpenPGP … Bill Frantz
- Re: [openpgp] Manifesto - who is the new OpenPGP … Phillip Hallam-Baker
- Re: [openpgp] Manifesto - who is the new OpenPGP … Christoph Anton Mitterer
- Re: [openpgp] Manifesto - who is the new OpenPGP … Christoph Anton Mitterer
- [openpgp] OpenPGP private certification [was: Re:… Daniel Kahn Gillmor
- Re: [openpgp] OpenPGP private certification [was:… Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification [was:… Daniel Kahn Gillmor
- Re: [openpgp] OpenPGP private certification [was:… Phillip Hallam-Baker
- [openpgp] public logging of e-mail certificates [… Daniel Kahn Gillmor
- Re: [openpgp] public logging of e-mail certificat… Phillip Hallam-Baker
- Re: [openpgp] public logging of e-mail certificat… Daniel Kahn Gillmor
- Re: [openpgp] public logging of e-mail certificat… Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification [was:… Derek Atkins
- Re: [openpgp] public logging of e-mail certificat… Brian Sniffen
- Re: [openpgp] OpenPGP private certification [was:… Phillip Hallam-Baker
- Re: [openpgp] public logging of e-mail certificat… Phillip Hallam-Baker
- Re: [openpgp] Manifesto - who is the new OpenPGP … ianG
- Re: [openpgp] OpenPGP private certification Werner Koch
- Re: [openpgp] OpenPGP private certification Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification Christoph Anton Mitterer
- Re: [openpgp] OpenPGP private certification Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification Christoph Anton Mitterer
- Re: [openpgp] OpenPGP private certification Werner Koch
- Re: [openpgp] OpenPGP private certification Derek Atkins
- Re: [openpgp] OpenPGP private certification Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification Christoph Anton Mitterer
- Re: [openpgp] OpenPGP private certification Christoph Anton Mitterer
- Re: [openpgp] OpenPGP private certification Phillip Hallam-Baker
- Re: [openpgp] OpenPGP private certification Christoph Anton Mitterer
- Re: [openpgp] OpenPGP private certification Werner Koch
- Re: [openpgp] OpenPGP private certification ianG
- Re: [openpgp] OpenPGP private certification [was:… ianG
- Re: [openpgp] public logging of e-mail certificat… Phillip Hallam-Baker
- Re: [openpgp] public logging of e-mail certificat… ianG
- [openpgp] New encryption formats for messaging David Leon Gil
- Re: [openpgp] OpenPGP private certification Ben McGinnes