Final comments on draft-ietf-openpgp-2440bis
Sam Hartman <hartmans-ietf@mit.edu> Fri, 29 September 2006 02:12 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GT7s0-0006KL-Tr for openpgp-archive@lists.ietf.org; Thu, 28 Sep 2006 22:12:56 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GT7rz-0004So-IP for openpgp-archive@lists.ietf.org; Thu, 28 Sep 2006 22:12:56 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8T0f4MW058355; Thu, 28 Sep 2006 17:41:04 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8T0f4US058354; Thu, 28 Sep 2006 17:41:04 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from carter-zimmerman.mit.edu (carter-zimmerman.suchdamage.org [69.25.196.178]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8T0f314058346 for <ietf-openpgp@imc.org>; Thu, 28 Sep 2006 17:41:04 -0700 (MST) (envelope-from hartmans@mit.edu)
Received: by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 4E7D9E0128; Thu, 28 Sep 2006 20:40:48 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf-openpgp@imc.org
Subject: Final comments on draft-ietf-openpgp-2440bis
Date: Thu, 28 Sep 2006 20:40:48 -0400
Message-ID: <tslhcyrfqsv.fsf@cz.mit.edu>
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 1.2 (+)
X-Scan-Signature: 39bd8f8cbb76cae18b7e23f7cf6b2b9f
Hi. Previously I had passed along two comments on the openpgp spec to the chair:

* Concerns about the MDC
* A desire for an IANA section.

I'm evaluating the response to my concerns about the MDC. It's definitely true that I did not think through the use of the MDC in detail, although even after doing so, I'm still uncomfortable. I'm trying to talk to other security experts and get a second opinion; expect to hear back from me on this issue within a few days.

I'm working the IANA issue with the chair.

I have two minor comments about the security considerations section; these comments will round out my review of the spec.

1) random oracle is used instead of oracle every time the word oracle is used. An oracle is a construct with special computational ability (access to a key, access to extra storage, ability to perform long-running operations in one time step) that is useful in analysis of computability, complexity or security constructions. A random oracle is an oracle that has a random function in it and exposes this function.

2) RFC 1750 is obsoleted. Please update to 4086.
thanks much,

--Sam
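The MDC that Sam's first comment and the replies below argue over is, on the hash side, a very small construction. The following is an added example written for this page (editor's code; it is not from any message in the thread and not the spec's own text) of that construction as the 2440bis text that became RFC 4880 lays it out in section 5.13 for the version 1 Symmetrically Encrypted Integrity Protected Data packet: prefix || data || 0xD3 0x14 || SHA-1(prefix || data || 0xD3 0x14), where the prefix is block-size random octets followed by a repeat of its last two. Assumptions: the CFB encryption that wraps the whole string is left out, so the "tampering" edits the string a decryptor would see; the sample message and the fixed prefix generator are constructed for reproducibility.

```python
"""
Hash side of the OpenPGP MDC (RFC 4880 section 5.13), added example.
The CFB layer is omitted (assumption): what is built and checked here is
the string that sits inside the encryption.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

MDC_TRAILER = b"\xD3\x14"  # new-format packet tag 19 (MDC) followed by length 20
SHA1_LEN = 20


def make_prefix(block_size: int, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """block_size random octets, then a copy of the last two of them."""
    iv = rng(block_size)
    return iv + iv[-2:]


def build_protected_plaintext(data: bytes, block_size: int = 16,
                              rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Return prefix || data || D3 14 || SHA-1(prefix || data || D3 14)."""
    body = make_prefix(block_size, rng) + data + MDC_TRAILER
    return body + hashlib.sha1(body).digest()


def verify_protected_plaintext(plaintext: bytes, block_size: int = 16) -> Optional[bytes]:
    """Return the enclosed data if the MDC checks out, otherwise None.

    Every failure collapses to the same None: a caller that can tell a bad
    prefix repeat from a bad digest is handing an attacker an oracle, which
    is why the prefix quick check is not reported on its own here.
    """
    if len(plaintext) < block_size + 2 + len(MDC_TRAILER) + SHA1_LEN:
        return None
    body, digest = plaintext[:-SHA1_LEN], plaintext[-SHA1_LEN:]
    prefix = body[:block_size + 2]
    prefix_ok = prefix[-2:] == prefix[-4:-2]
    trailer_ok = body[-2:] == MDC_TRAILER
    digest_ok = hmac.compare_digest(hashlib.sha1(body).digest(), digest)
    if not (prefix_ok and trailer_ok and digest_ok):
        return None
    return body[block_size + 2:-len(MDC_TRAILER)]


def flip_byte(buf: bytes, index: int) -> bytes:
    """Return a copy of buf with the low bit of buf[index] inverted."""
    out = bytearray(buf)
    out[index] ^= 0x01
    return bytes(out)


def fixed_rng(n: int) -> bytes:
    """Constructed stand-in for os.urandom so the demo is reproducible."""
    return bytes(range(n))


def demo() -> bool:
    """Constructed message; returns True when all three checks behave."""
    msg = b"attack at dawn; bring the whole regiment"
    protected = build_protected_plaintext(msg, 16, fixed_rng)
    intact = verify_protected_plaintext(protected, 16) == msg
    # One bit changed in the data region: SHA-1 over the body no longer matches.
    tampered = verify_protected_plaintext(flip_byte(protected, 18), 16) is None
    # MDC packet cut off entirely (what a stripping attempt looks like): rejected
    # because the last two body octets are message bytes, not D3 14.
    stripped = verify_protected_plaintext(protected[:-(SHA1_LEN + 2)], 16) is None
    return intact and tampered and stripped


if __name__ == "__main__":
    print("MDC demo ok" if demo() else "MDC demo FAILED")
```

Nothing in the check relies on collision resistance: the attacker never sees the digest (it is inside the encryption) and must make a modified body hash to whatever the modified trailer decrypts to, which is the point Werner and Daniel make below about it being a detection code rather than a MAC.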
I have two minor comments about the security considerations section; these comments will round out my review of the spec. 1) random oracle is used instead of oracle every time the word oracle is used. An oracle is a construct with special computational ability (access to a key, access to extra storage, ability to perform long-running operations in one time step) that is useful in analysis of computability, complexity or security constructions. A random oracle is an oracle that has a random function in it and exposes this function. 2) RFC 1750 is obseleted. Please update to 4086. thanks much, --Sam Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8MCf8nK042123; Fri, 22 Sep 2006 05:41:08 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8MCf8g2042122; Fri, 22 Sep 2006 05:41:08 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.191]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8MCf5du042113 for <ietf-openpgp@imc.org>; Fri, 22 Sep 2006 05:41:06 -0700 (MST) (envelope-from markokr@gmail.com) Received: by nf-out-0910.google.com with SMTP id o60so1055945nfa for <ietf-openpgp@imc.org>; Fri, 22 Sep 2006 05:41:05 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=T3RcVcsfilDDPyjLtB2AvszwYGHYUiLeVmQJJgAVopQjlr5n1pS4IMz8XYDYWZuHpkEg4h/Z7uEeMc98acbP+9/mfnjF7mbcplFINsdZFtf2ZX+aFBlFyFNVcDbMAdGaAafCIGp0ZGBw0VmrJ7zO7rDr9YHanKQ8Snsg3sOs9so= Received: by 10.49.8.1 with SMTP id l1mr1918809nfi; Fri, 22 Sep 2006 05:41:04 -0700 (PDT) Received: by 
10.49.65.12 with HTTP; Fri, 22 Sep 2006 05:41:04 -0700 (PDT) Message-ID: <e51f66da0609220541p47ed73ecke4d5599114f1eff2@mail.gmail.com> Date: Fri, 22 Sep 2006 15:41:04 +0300 From: "Marko Kreen" <markokr@gmail.com> To: "Werner Koch" <wk@gnupg.org> Subject: Re: [Sam Hartman] Openpgp comments Cc: "Anton Stiglic" <astiglic@okiok.com>, "Daniel A. Nagy" <nagydani@epointsystem.org>, OpenPGP <ietf-openpgp@imc.org> In-Reply-To: <874pv24sey.fsf@wheatstone.g10code.de> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20060920115146.9E8981683A9@mail.okiok.com> <874pv24sey.fsf@wheatstone.g10code.de> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 9/20/06, Werner Koch <wk@gnupg.org> wrote: > On Wed, 20 Sep 2006 13:40, Anton Stiglic said: > > NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224, > > SHA-256, SHA-384 and SHA-512. > > http://csrc.nist.gov/hash_standards_comments.pdf > > > > In Canada, CSE will phase out SHA-1 for protected C information by 2008. > > A note to describe why we use SHA-1 with the MDC would really be > appropriate. We are not using it for authentication but to detect > manipulation of data. This is commonly known as a checksum. Thus, > the acronym MDC and not MAC. To me detection and authentication have > different semantics. > > It has been said a few times: The MDC is not what we need to care > about when thinking of SHA-1 vulnerabilities. There are other usages > of SHA-1 we need to rethink. And that reasoning should be in 2440bis. I think it's too early to get excited about politics. 
The issue is much simpler - non-experts are in no position to 'evaluate' OpenPGP's use of SHA-1, they depend on the opinion on experts whether an algorithm is generally secure. So if 2440bis wants to appear secure by today's standards (for general public), it needs to either use generally known safe algorithms or explicitly document that the weaknesses in older algorithms it uses are taken account of. -- marko Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KDwBEk097309; Wed, 20 Sep 2006 06:58:11 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KDwBEo097308; Wed, 20 Sep 2006 06:58:11 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from branwen.iks-jena.de (branwen.iks-jena.de [217.17.192.90]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KDwAS5097301 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 06:58:11 -0700 (MST) (envelope-from news@branwen.iks-jena.de) Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.13.8/8.13.1) with ESMTP id k8KDw6dB025136 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 15:58:08 +0200 X-MSA-Host: branwen.iks-jena.de Received: (from news@localhost) by branwen.iks-jena.de (8.13.8/8.13.1/Submit) id k8KDw6aL025135 for ietf-openpgp@imc.org; Wed, 20 Sep 2006 15:58:06 +0200 To: ietf-openpgp@imc.org Path: not-for-mail From: Lutz Donnerhacke <lutz@iks-jena.de> Newsgroups: iks.lists.ietf-open-pgp Subject: Re: [Sam Hartman] Openpgp comments Date: Wed, 20 Sep 2006 13:58:06 +0000 (UTC) Organization: IKS GmbH Jena Lines: 9 Message-ID: <slrneh2i7e.g40.lutz@belenus.iks-jena.de> References: <874pv24sey.fsf@wheatstone.g10code.de> NNTP-Posting-Host: belenus.iks-jena.de X-Trace: branwen.iks-jena.de 1158760686 25059 
2001:4bd8:0:666:248:54ff:fe12:ad5f (20 Sep 2006 13:58:06 GMT) X-Complaints-To: usenet@iks-jena.de NNTP-Posting-Date: Wed, 20 Sep 2006 13:58:06 +0000 (UTC) User-Agent: slrn/0.9.8.0 (Linux) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> * Werner Koch wrote: > I have not heard about any plans to switch to SHA-2. At least Germany > is still using RIPME-MD160 out of fear that SHA-1 has been developed > in the U.S. I don't think that this algorithm is any better than > SHA-1 but some people decided in the past to use an European algorithm > (another layer 9 issue). With respect to the (not so) recent attacks of hash functions, RIPEMD is a better choice then just another SHA variant. Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KCrTuF091703; Wed, 20 Sep 2006 05:53:29 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KCrTPW091702; Wed, 20 Sep 2006 05:53:29 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KCrRj9091696 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 05:53:28 -0700 (MST) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1GQ1i4-0006Pp-Cm for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 15:01:52 +0200 Received: from wk by localhost with local (Exim 4.62 #1 (Debian)) id 1GQ1TB-0005kg-Qp; Wed, 20 Sep 2006 14:46:29 +0200 From: Werner Koch <wk@gnupg.org> To: "Anton Stiglic" <astiglic@okiok.com> Cc: "'Daniel 
A. Nagy'" <nagydani@epointsystem.org>, "'OpenPGP'" <ietf-openpgp@imc.org> Subject: Re: [Sam Hartman] Openpgp comments References: <20060920115146.9E8981683A9@mail.okiok.com> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Wed, 20 Sep 2006 14:46:29 +0200 In-Reply-To: <20060920115146.9E8981683A9@mail.okiok.com> (Anton Stiglic's message of "Wed, 20 Sep 2006 07:40:35 -0400") Message-ID: <874pv24sey.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.110006 (No Gnus v0.6) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 20 Sep 2006 13:40, Anton Stiglic said: > NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224, > SHA-256, SHA-384 and SHA-512. > http://csrc.nist.gov/hash_standards_comments.pdf > > In Canada, CSE will phase out SHA-1 for protected C information by 2008. A note to describe why we use SHA-1 with the MDC would really be appropriate. We are not using it for authentication but to detect manipulation of data. This is commonly known as a checksum. Thus, the acronym MDC and not MAC. To me detection and authentication have different semantics. It has been said a few times: The MDC is not what we need to care about when thinking of SHA-1 vulnerabilities. There are other usages of SHA-1 we need to rethink. Over the last 8 years since rfc2440 we have talked several times about things we want to address in the future. There is actually a long list. We can't keep important OpenPGP features - which address actual vulnerabilities - any longer in an I-D state just for the sake of getting rid of SHA-1 now. We need time to address all these items properly and not do some ad-hoc solutions. In the meantime 2440bis needs to get out. 
Whether with or without an MDCv2 political option, I don't care. > I don't know what is going on in Europe and the rest of the world, but I > would be surprised if they were going with SHA-1 in the long term. > You cannot ignore these decisions if you want openpgp to be successful. I have not heard about any plans to switch to SHA-2. At least Germany is still using RIPME-MD160 out of fear that SHA-1 has been developed in the U.S. I don't think that this algorithm is any better than SHA-1 but some people decided in the past to use an European algorithm (another layer 9 issue). Salam-Shalom, Werner Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KBefRu084556; Wed, 20 Sep 2006 04:40:41 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KBef1t084555; Wed, 20 Sep 2006 04:40:41 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.okiok.com (host70.okiok.com [207.61.238.70] (may be forged)) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KBedD0084547 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 04:40:40 -0700 (MST) (envelope-from astiglic@okiok.com) Received: from P1038Mobile (modemcable188.189-82-70.mc.videotron.ca [70.82.189.188]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.okiok.com (Postfix) with ESMTP id 9E8981683A9; Wed, 20 Sep 2006 07:51:46 -0400 (EDT) From: "Anton Stiglic" <astiglic@okiok.com> To: "'Daniel A. 
Nagy'" <nagydani@epointsystem.org>, "'OpenPGP'" <ietf-openpgp@imc.org> Subject: RE: [Sam Hartman] Openpgp comments Date: Wed, 20 Sep 2006 07:40:35 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 In-Reply-To: <20060919231313.GA10365@epointsystem.org> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869 Thread-Index: AcbcRbod4xVLm9xWSV+FRl3pUEIhwQAY2TaQ Message-Id: <20060920115146.9E8981683A9@mail.okiok.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224, SHA-256, SHA-384 and SHA-512. http://csrc.nist.gov/hash_standards_comments.pdf In Canada, CSE will phase out SHA-1 for protected C information by 2008. I don't know what is going on in Europe and the rest of the world, but I would be surprised if they were going with SHA-1 in the long term. You cannot ignore these decisions if you want openpgp to be successful. --Anton -----Original Message----- From: owner-ietf-openpgp@mail.imc.org [mailto:owner-ietf-openpgp@mail.imc.org] On Behalf Of Daniel A. Nagy Sent: September 19, 2006 6:13 PM To: OpenPGP Subject: Re: [Sam Hartman] Openpgp comments On Tue, Sep 19, 2006 at 06:55:32PM -0400, David Shaw wrote: > I'm not against a SHA-256 or 512 based MDC. This would make encryption/decryption measurably slower, for no benefit whatsoever. SHA1 provides a comfortable security margin even taking all recent developments into consideration. 
-- Daniel Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JNDxBd015221; Tue, 19 Sep 2006 16:13:59 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JNDxqq015220; Tue, 19 Sep 2006 16:13:59 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JNDtQC015199 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 16:13:57 -0700 (MST) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id A6AD13B2F; Wed, 20 Sep 2006 01:13:13 +0200 (CEST) Date: Wed, 20 Sep 2006 01:13:13 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: [Sam Hartman] Openpgp comments Message-ID: <20060919231313.GA10365@epointsystem.org> References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de> <20060919144037.GD30748@jabberwocky.com> <45103D0C.3000707@systemics.com> <20060919225532.GC32656@jabberwocky.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua" Content-Disposition: inline In-Reply-To: <20060919225532.GC32656@jabberwocky.com> User-Agent: Mutt/1.5.9i From: nagydani@epointsystem.org (Daniel A. 
Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --SUOF0GtieIMvvwua Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Sep 19, 2006 at 06:55:32PM -0400, David Shaw wrote: > I'm not against a SHA-256 or 512 based MDC. This would make encryption/decryption measurably slower, for no benefit whatsoever. SHA1 provides a comfortable security margin even taking all recent developments into consideration. --=20 Daniel --SUOF0GtieIMvvwua Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iQDVAwUBRRB5ia6pEulQFnIMAQIEygX+LihxwTWwaA3gfMUT6uR1wa056X4/8jYZ gqrG1LtdZzqtKuLXjsLu+b92pHFFpiGRBINnYRW9WlsdJaAoT5qHBk1NM/oVO+5n qFcXf4kK3VbewqdAhP05dPMAyidFo2xv9/+Fl6WJmtmfX4bOOTGtvTjG3836yriS 7XcoQ0o4ChL9KHK1r6Qzl2CaPUcLIYZqr+tKNKX8CEwWBsezCdAMbWwxZdcJgUdF zo2zD3B5RYdirlY6+ybvRx21TslXKN4F =tRsH -----END PGP SIGNATURE----- --SUOF0GtieIMvvwua-- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMthcx013797; Tue, 19 Sep 2006 15:55:43 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JMthfV013796; Tue, 19 Sep 2006 15:55:43 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMtf66013789 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:55:42 -0700 (MST) (envelope-from dshaw@jabberwocky.com) 
Received: from walrus.hsd1.ma.comcast.net (walrus.hsd1.ma.comcast.net [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id k8JMtdx28849 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 18:55:40 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.13.7/8.13.7) with ESMTP id k8JMtbl4024435 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 18:55:37 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id k8JMtXlP000581 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 18:55:33 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id k8JMtWSL000580 for ietf-openpgp@imc.org; Tue, 19 Sep 2006 18:55:32 -0400 Date: Tue, 19 Sep 2006 18:55:32 -0400 From: David Shaw <dshaw@jabberwocky.com> To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: [Sam Hartman] Openpgp comments Message-ID: <20060919225532.GC32656@jabberwocky.com> Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org> References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> <871wq89e1h.fsf@wheatstone.g10code.de> <20060919144037.GD30748@jabberwocky.com> <45103D0C.3000707@systemics.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <45103D0C.3000707@systemics.com> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.12 (2006-08-05) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 19, 2006 at 08:55:08PM +0200, Ian G wrote: > To my mind, then, it comes down to an optimisation > problem in determining how to get the doc out the > door. 
Security, common sense, and all that are > out the window. I know you're not serious, but if anyone wants to discard "security, common sense, and all that", then they should really just be silent. I'm not against a SHA-256 or 512 based MDC. I'm just noting that this issue seems to be a misunderstanding between this WG and the ADs, and it might be nice to know what is going on and ensure we understand what the objection is before we change the design. Sam Hartman offered to speak on the phone. I'd be happy to make that call, though Jon Callas or Hal Finney would probably be a better choice. All I ask for is a 10 minute phone call. We've already spent many times that in this discussion. David Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMkMIj013208; Tue, 19 Sep 2006 15:46:22 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JMkMKr013207; Tue, 19 Sep 2006 15:46:22 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JMkKJG013199 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 15:46:21 -0700 (MST) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 6F1BB3B2F; Wed, 20 Sep 2006 00:45:38 +0200 (CEST) Date: Wed, 20 Sep 2006 00:45:38 +0200 To: ietf-openpgp@imc.org Subject: Re: [Sam Hartman] Openpgp comments Message-ID: <20060919224538.GA8290@epointsystem.org> References: <sjmd59txlnv.fsf@cliodev.pgp.com> <20060919023332.GA30748@jabberwocky.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr" 
Content-Disposition: inline In-Reply-To: <20060919023332.GA30748@jabberwocky.com> User-Agent: Mutt/1.5.9i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --liOOAslEiF7prFVr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Sep 18, 2006 at 10:33:32PM -0400, David Shaw wrote: >=20 > On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote: >=20 > > The second issue is the encryption with integrity packet. Today this > > is hard-wired to use SHA-1. That's not OK. We need an upgrade path > > for that and I think we need to support SHA-256 now. >=20 > Does the MDC actually need collision resistance? I was under the > impression that (like the secret key "S2K 254" use of SHA-1) this was > essentially a checksum and the recent attacks against SHA-1 did not > apply. I have just discussed this issue with my students at our cryptography seminar. The general consensus is that MDCs do not need collision resistance. Thus, SHA1 is secure with a huge security margin. The recent weakening of SHA1 means that finding a pre-image takes approx 2^138 attempts, which is still comfortably beyond reach for today's and tomorrow's technology. Introducing longer hashes would make it slower, while not improving security. If you insist, I can provide the complete reasoning why collision-resistance is not required for MDC. If anything, I would consider RIPEMD128, as it is faster than SHA1 and offers about the same level of security while being a bit shorter. But then again, there's no reason to mess with the standard as it is. 
--=20 Daniel --liOOAslEiF7prFVr Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iQDVAwUBRRBzEq6pEulQFnIMAQIV9QX/ajBKkNHLZjR8qB4YeLt814lzY2WdFduz khK9fL3UvQpO6Ns1YmRx/0gfregqHXxfASGm7N/og78rBFw5YZG36wIf5sMa9kPP o1ECZO0o0h7Kj/4dF9qxIjDFFpvclfL/ZSVDPdQ1yxTA8yNX2ogIctrHVSh6L2Gm zg95jJl/pxeQ6Y6Skwv7uYweaAvZqzwWRvDZi3jEityGSKETJPUDg+/P7Jwqqa70 q4Fw7RtAZyuybXBuAHVPxwzOgVY4maP7 =3mtR -----END PGP SIGNATURE----- --liOOAslEiF7prFVr-- Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JLk23Q009358; Tue, 19 Sep 2006 14:46:02 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8JLk2dc009357; Tue, 19 Sep 2006 14:46:02 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8JLk00C009349 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 14:46:02 -0700 (MST) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (keys.merrymeet.com [63.73.97.166]) (Authenticated sender: jon) by merrymeet.com (Postfix) with ESMTP id D32C72A5EA0 for <ietf-openpgp@imc.org>; Tue, 19 Sep 2006 14:45:59 -0700 (PDT) Received: from [63.251.255.205] ([63.251.255.205]) by keys.merrymeet.com (PGP Universal service); Tue, 19 Sep 2006 14:45:59 -0700 X-PGP-Universal: processed; by keys.merrymeet.com on Tue, 19 Sep 2006 14:45:59 -0700 Mime-Version: 1.0 (Apple Message framework v752.2) In-Reply-To: <45103D0C.3000707@systemics.com> References: <sjmd59txlnv.fsf@cliodev.pgp.com> <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org> <20060919121914.GC30748@jabberwocky.com> 
From: Jon Callas <jon@callas.org>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 14:45:57 -0700
Message-Id: <F79D84DB-C2EB-4F53-B90B-EE52755F5FEE@callas.org>

I agree with Ian.

Remember those t-shirts they used to sell with the nine-layer ISO model? Layer 8 is the Financial Layer and Layer 9 is the Political Layer. There's an arrow pointing to Layer 9 with the message, "You are here."

I think it's worthwhile to have a phone call or perhaps even better a Jabber meeting. I'm in other working groups that do semi-regular Jabber conferences. A major reason for a Jabber conference is that it is my perception that it is the consensus of this working group that we disagree with the ADs. I think they need to talk to the working group as a whole. Jabber would be great for that.

On the other hand, we're at the political layer, and I'm happy to put in a SHA-256 MDC, if that will get us done. Furthermore, it may turn out that in five years we'll be happy we did. Heck, it could always turn out that SHA-1 isn't one-way enough. OpenPGP has always been forward-thinking, and we are known for being more on top of these issues than anyone else. Consequently, if we put in a new MDC and say that you MAY do it, the implementers don't have to do it until they are in the mood. Even if we say SHOULD accept and MAY generate, it's a small burden.

I think that coming up with a true replacement for the MDC is work we ought to do. It's on my list of things to do post-2440bis. I think this gets in the way of that, but if that's what it takes us to finish, it's what it takes us to finish.

Jon

From: Ian G <iang@systemics.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 20:55:08 +0200
Message-ID: <45103D0C.3000707@systemics.com>
In-Reply-To: <20060919144037.GD30748@jabberwocky.com>

David Shaw wrote:
> On Tue, Sep 19, 2006 at 03:33:30PM +0200, Werner Koch wrote:
>
>> The more interesting question is what we are going to do about the
>> SHA-1 requirement for a fingerprint and things like designated
>> revokers - this is a more troublesome use of SHA-1. Oh, sorry, I was
>> just thinking loudly.
>
> This is exactly my point. If we reopen the SHA-1 issue for the MDC,
> what stops someone from wanting a change in fingerprints or the secret
> key protection format, or the "hash of last resort" or any of the
> other hardcoded uses of SHA-1 in the standard?

Yes. But at the end of the day, regardless of whether we leave the doc as it is, or fix the MDC, or fix the above things, I'd suggest that the difference is the same: minimal. That is, a far better result is getting the doc finished and out the door ... partly because this appears to be a "herding" change of no great security impact, and partly so we can start on an updated / rewired / rewritten / reviewed doc.

To my mind, then, it comes down to an optimisation problem in determining how to get the doc out the door. Security, common sense, and all that are out the window.

> The request to remove SHA-1 from the MDC seems to be just a
> misunderstanding. It's worth an email to try and resolve the
> misunderstanding before we get into design, much less code, changes.

If you are confident of that, perhaps have a shot at drafting that email? As "plan B." This might leave Jon free to concentrate on the "plan A" approach of adding MDC-v2,3. (Just a thought ... I'm not clear enough on the minutia to be confident enough to draft the email, myself.)

> A simple email to resolve a misunderstanding seems like the easiest
> "fix" here. If that doesn't work, or it turns out not to be a
> misunderstanding, then we can go on and do the design changes, no harm
> done.

Perhaps the phone conference as suggested? I can see how that might get a result more quickly, as it allows misunderstandings to be cleared up more easily than an email cycle. Just throwing ideas around, here.
Feel free to ignore.

iang

From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 10:40:37 -0400
Message-ID: <20060919144037.GD30748@jabberwocky.com>
In-Reply-To: <871wq89e1h.fsf@wheatstone.g10code.de>

On Tue, Sep 19, 2006 at 03:33:30PM +0200, Werner Koch wrote:
> The more interesting question is what we are going to do about the
> SHA-1 requirement for a fingerprint and things like designated
> revokers - this is a more troublesome use of SHA-1. Oh, sorry, I was
> just thinking loudly.

This is exactly my point. If we reopen the SHA-1 issue for the MDC, what stops someone from wanting a change in fingerprints or the secret key protection format, or the "hash of last resort" or any of the other hardcoded uses of SHA-1 in the standard?

The request to remove SHA-1 from the MDC seems to be just a misunderstanding. It's worth an email to try and resolve the misunderstanding before we get into design, much less code, changes.

A simple email to resolve a misunderstanding seems like the easiest "fix" here. If that doesn't work, or it turns out not to be a misunderstanding, then we can go on and do the design changes, no harm done.
David

From: Werner Koch <wk@gnupg.org>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 15:33:30 +0200
Message-ID: <871wq89e1h.fsf@wheatstone.g10code.de>
In-Reply-To: <20060919121914.GC30748@jabberwocky.com>

On Tue, 19 Sep 2006 14:19, David Shaw said:
> It will take a very long time (at least a year, if not longer) before
> a MDC2 and MDC3 are widely supported, and until then we run the risk

Given all the communication problems we had in the past with other cryptographers on the use of the MDC, it might indeed be easier to just add an MDCv2 as a MAY or SHOULD. Even if we would flag an MDCv2 as a SHOULD feature, we as implementors may still decide not to use it for a good reason (e.g. performance). However the IESG rules are satisfied ;-)

The more interesting question is what we are going to do about the SHA-1 requirement for a fingerprint and things like designated revokers - this is a more troublesome use of SHA-1. Oh, sorry, I was just thinking loudly.

Salam-Shalom,

Werner

From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 08:19:14 -0400
Message-ID: <20060919121914.GC30748@jabberwocky.com>
In-Reply-To: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>

On Mon, Sep 18, 2006 at 05:39:14PM -0700, Jon Callas wrote:
> So -- my question for the WG: Is this alright with you? I want to get
> 2440bis done. I think that answers the perception that SHA-1 isn't
> good enough, without causing us to do a lot of work. If y'all think
> this is good, I'll do it in the next few days.

What troubles me is that this is attempting to fix a perceived problem that isn't really a problem. Fixing perceived problems is sometimes harder than fixing real ones. For example, if the mere use of SHA-1 is the problem, there are also a number of other places where SHA-1 is hardcoded (which aren't a problem either) that aren't "resolved" by this.
It will take a very long time (at least a year, if not longer) before a MDC2 and MDC3 are widely supported, and until then we run the risk of interoperability problems. It probably won't be as bad as some of the interoperability problems in the past as the preferences and feature flags are more widely implemented now, but it's still a change with the usual risks of change.

I suggest we at least push back a little bit, and send your excellent explanation of the issue to the appropriate people at the IESG. After that, if they still want a hash upgrade, I will not object.

David

From: Werner Koch <wk@gnupg.org>
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 10:44:30 +0200
Message-ID: <8764fkb5zl.fsf@wheatstone.g10code.de>
In-Reply-To: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>

On Tue, 19 Sep 2006 02:39, Jon Callas said:
> So -- my question for the WG: Is this alright with you? I want to get
> 2440bis done. I think that answers the perception that SHA-1 isn't
> good enough, without causing us to do a lot of work. If y'all think

I concur with your reasoning to stay with SHA-1 and to allow (MAY) for a v2 MDC packet using SHA-256. If you have some text to explain for what we use the MDC it would be good to see it in the security notes.

Shalom-Salam,

Werner

From: Ian G <iang@systemics.com>
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 10:46:37 +0200
Message-ID: <450FAE6D.5040401@systemics.com>
In-Reply-To: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>

Jon Callas wrote:
> I *have* gone and read RFC 4120, the Kerb 5 RFC, to see what they have
> in their IANA considerations. I can come up with something analogous for
> us.

(In the absence of any contention, I'd vote YES without trying to figure this one out.)

(Fine analysis snipped.)

> Thus, there really is no need to use anything other than SHA-1 in the
> MDC system. The weaknesses in SHA-1 are in qualities that the MDC does
> not use. I believe that taking these comments and putting them in a
> paragraph in the Security Considerations section is warranted because
> people keep misunderstanding the MDC.

(Concur with putting in the note; indeed it might be useful for historical purposes -- "why did they bother with that??" -- to put in a note to effect that the v2/v3 was added at request.)

> Having said that, I don't want to argue. I have a proposal for an
> upgrade of the MDC, and frankly, it is going to be less work for me to
> put this into 2440bis than it would be to defend not putting it in. In
> the interests of just getting this done, here's my proposal for the WG.

( Minor quibble. What is left is the implementation and testing time.
That's non-trivial, every new feature is only a few hours to code and days and days of kerfuffle getting everyone else on the same page and dealing with the diverging versions. If we were minded to do security rather than finish the damned document, then a stiffly worded complaint to the IESG about complexity and featurism would be in order. )

> I propose that we create an MDC V2 packet. Formally, this is the "Sym.
> Encrypted Integrity Protected Data Packet (Tag 18)" which is in section
> 5.13. The V2 packet differs from the V1 packet only in that it uses
> SHA-256 instead of SHA-1. Obviously, there has to be a corresponding
> change to the "Modification Detection Code Packet (Tag 19)" packet so
> that it uses the natural length of the hash in the tag 18 packet.
>
> I also propose a V3 packet that uses SHA-512. We might as well do it now.

MDC V2 would be SHOULD, and MDC V3 would be MAY? No, backtrack that. You decide, I'll vote yes whichever :)

> The advantage of this solution is that it provides minimal upset to the
> current way of doing things. At the protocol level, it's just like the
> current system, just with another hash. For implementers, the same
> advantage holds. There's no new architectural changes, just an algorithm
> change. It also does not require secondary protocol changes (like having
> a features bit to announce that you implement it). A features bit is an
> advantage, but not necessary. Oh, what the heck. I'll write in the
> features bit, too, for completeness.
>
> The only downside that I see of this approach is that it is a very
> slight abuse of the version number of the packet. If we only added in
> SHA-256, it would be a straightforward upgrade, but putting in V2 and V3
> is a wee bit hokey.

You mean here, *conceptually* this is an abuse as versions should improve in time and older ones should be deprecated? And here you are proposing to put in two versions at the same time? I see no difficulty here -- it's what the flexibility of versions is built for, dealing with unforeseen circumstances. They aren't always regular.

> However, one of the items that is on our list of things to do for post
> 2440bis is to examine a complete upgrade of symmetric encryption and use
> some form of HMAC or authenticated encryption. Just adding in MDCs with
> SHA-256 and 512 will give us an answer to the SHA-1 issue without
> causing major disruption to the protocol.

Yes.

> So -- my question for the WG: Is this alright with you? I want to get
> 2440bis done. I think that answers the perception that SHA-1 isn't good
> enough, without causing us to do a lot of work. If y'all think this is
> good, I'll do it in the next few days.

I agree, do it. If there is a neat and easy solution, then put it in.

iang

From: Ian G <iang@systemics.com>
To: ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Date: Tue, 19 Sep 2006 10:19:25 +0200
Message-ID: <450FA80D.4020506@systemics.com>
In-Reply-To: <20060919023332.GA30748@jabberwocky.com>

David Shaw wrote:
> On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
>
>> The second issue is the encryption with integrity packet. Today this
>> is hard-wired to use SHA-1. That's not OK. We need an upgrade path
>> for that and I think we need to support SHA-256 now.
>
> Does the MDC actually need collision resistance? I was under the
> impression that (like the secret key "S2K 254" use of SHA-1) this was
> essentially a checksum and the recent attacks against SHA-1 did not
> apply.

Yes, that was my question too.
iang

From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: [Sam Hartman] Openpgp comments
Date: Mon, 18 Sep 2006 22:33:32 -0400
Message-ID: <20060919023332.GA30748@jabberwocky.com>
In-Reply-To: <sjmd59txlnv.fsf@cliodev.pgp.com>

On Mon, Sep 18, 2006 at 11:02:44AM -0400, Derek Atkins wrote:
> The second issue is the encryption with integrity packet. Today this
> is hard-wired to use SHA-1. That's not OK. We need an upgrade path
> for that and I think we need to support SHA-256 now.

Does the MDC actually need collision resistance? I was under the impression that (like the secret key "S2K 254" use of SHA-1) this was essentially a checksum and the recent attacks against SHA-1 did not apply.

David

From: Jon Callas <jon@callas.org>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
Date: Mon, 18 Sep 2006 17:39:14 -0700
Message-Id: <1CF1EBF5-1C5A-4ACE-A489-10ED8D9BD31C@callas.org>
In-Reply-To: <sjmd59txlnv.fsf@cliodev.pgp.com>

On 18 Sep 2006, at 8:02 AM, Derek Atkins wrote:
> Forwarded with permission.
>
> It looks like we still have some work to do on rfc2440bis.
> Do we need a meeting in San Diego? If so, I need to
> request it today.

I don't think you need to request a meeting; if you do, we'll just get up with a slide that goes over what we say on the list.

> The first is the lack of IANA registries. I understand this is left
> over from 2440. Back then, the IESG was much more willing to approve
> documents without IANA registries. Even in recent times the IESG has
> done this--for example, RFC 4120 doesn't have IANA registries created.
> It's actually my negative experience with RFC 4120 as well as changes
> in IESG membership that cause me to be quite certain that PGP needs
> IANA registries for all its parameters. This is doubly true if we're
> closing down the working group. You can use standards action as the
> registration policy if you are concerned about interactions with the
> rest of the spec. Take a look at RFC 2434. The one caution I'd
> suggest is that if you use the IESG approval registration policy,
> please give the IESG clear guidelines on what we should look for.
> "Evaluate using the same criteria as standards actions" is a fine
> criteria as is something like "avoid security and interoperability
> problems."

I am happy with either using standards action, or IESG handling it with the same criteria as standards actions. What I perceive to be the consensus of this working group is that we want that, anyway. What would the IESG prefer?

I have read RFC 2434, and there isn't boilerplate in it. I can replace the existing text with a sentence or three that matches this.

I *have* gone and read RFC 4120, the Kerb 5 RFC, to see what they have in their IANA considerations. I can come up with something analogous for us.

> The second issue is the encryption with integrity packet. Today this
> is hard-wired to use SHA-1. That's not OK. We need an upgrade path
> for that and I think we need to support SHA-256 now.

Well. I don't see the problem, but let's discuss that in a moment, because I also have a solution.

> I realize both of these issues are large.
>
> I'd be happy to get together with you and the authors on a conference
> call if that would be useful.

Neither are really large. They'll take me about an hour each, and the IANA one is harder, only because I have to guess as to what to say.

Going on to the MDC issue, I want to make a couple comments, and then propose a change.

The MDC system has as its only requirement on the hash function that it be one-way. It is similar to an "authenticated cipher" but not even that, really. If you want an authenticated message, there is a perfectly good mechanism in OpenPGP for authenticating a message --- you sign it. However, there are many times when people do not want to sign messages, for a large number of reasons. (They don't want the signature to be taken as a commitment to content; they want the message to be "deniable;" etc.) Without some sort of integrity protection, CFB or CBC mode can be modified undetectably.

The goal of the MDC is to be a fancy checksum; checksums like CRC do not have good characteristics when mixed with cryptography. The MDC does *not* rely on collision-resistance. The smart way someone attacks a deniable cryptosystem is to just create a forgery out of whole cloth.

Thus, there really is no need to use anything other than SHA-1 in the MDC system. The weaknesses in SHA-1 are in qualities that the MDC does not use. I believe that taking these comments and putting them in a paragraph in the Security Considerations section is warranted because people keep misunderstanding the MDC.

Having said that, I don't want to argue. I have a proposal for an upgrade of the MDC, and frankly, it is going to be less work for me to put this into 2440bis than it would be to defend not putting it in. In the interests of just getting this done, here's my proposal for the WG.

I propose that we create an MDC V2 packet. Formally, this is the "Sym. Encrypted Integrity Protected Data Packet (Tag 18)" which is in section 5.13. The V2 packet differs from the V1 packet only in that it uses SHA-256 instead of SHA-1. Obviously, there has to be a corresponding change to the "Modification Detection Code Packet (Tag 19)" packet so that it uses the natural length of the hash in the tag 18 packet.

I also propose a V3 packet that uses SHA-512. We might as well do it now.

The advantage of this solution is that it provides minimal upset to the current way of doing things. At the protocol level, it's just like the current system, just with another hash. For implementers, the same advantage holds. There's no new architectural changes, just an algorithm change. It also does not require secondary protocol changes (like having a features bit to announce that you implement it). A features bit is an advantage, but not necessary. Oh, what the heck. I'll write in the features bit, too, for completeness.
The only downside that I see of this approach is that it is a very slight abuse of the version number of the packet. If we only added in SHA-256, it would be a straightforward upgrade, but putting in V2 and V3 is a wee bit hokey. However, one of the items that is on our list of things to do for post 2440bis is to examine a complete upgrade of symmetric encryption and use some form of HMAC or authenticated encryption. Just adding in MDCs with SHA-256 and 512 will give us an answer to the SHA-1 issue without causing major disruption to the protocol. So -- my question for the WG: Is this alright with you? I want to get 2440bis done. I think that answers the perception that SHA-1 isn't good enough, without causing us to do a lot of work. If y'all think this is good, I'll do it in the next few days. Jon Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IJh1l8069270; Mon, 18 Sep 2006 12:43:01 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8IJh1nt069269; Mon, 18 Sep 2006 12:43:01 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IJgwl2069260 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 12:43:00 -0700 (MST) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 1C12B14F6BC; Mon, 18 Sep 2006 12:43:08 -0700 (PDT) To: derek@ihtfp.com, ietf-openpgp@imc.org Subject: Re: [Sam Hartman] Openpgp comments Message-Id: <20060918194308.1C12B14F6BC@finney.org> Date: Mon, 18 Sep 2006 12:43:08 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: 
Derek forwards from Sam Hartman of IETF:

> However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.
>
> The first is the lack of IANA registries....

It sounds like we can use some boilerplate language here without much difficulty.

> The second issue is the encryption with integrity packet. Today this
> is hard-wired to use SHA-1. That's not OK. We need an upgrade path
> for that and I think we need to support SHA-256 now.

This is a major setback. It took years to get this change in place, the whole issue of compatibility and installed base of software that doesn't recognize the new packet formats.

I wonder if we could add a new set of MDC packets as the "upgrade path" while retaining the old ones. Then we can gradually switch over to using the new ones over the next few years. In that case we could change the draft expeditiously without committing to an immediate changeover in fielded implementations.

If we do pursue this, given the subsequent cryptographic progress since we designed the MDC mechanism, we should probably look at the now-standard mechanism of doing a keyed MAC over the ciphertext, rather than using an encrypted hash of the plaintext. The MAC could be HMAC with a hash algorithm specifier for future upgrade. The paper that first analyzed this construction is: http://www-cse.ucsd.edu/~mihir/papers/oem.html . It uses CBC mode, however the proof probably goes through for CFB mode as well - the modes have similar security properties.
Hal Finney

From: Derek Atkins <derek@ihtfp.com>
To: ietf-openpgp@imc.org
Subject: [Sam Hartman] Openpgp comments
Date: Mon, 18 Sep 2006 11:02:44 -0400
Message-ID: <sjmd59txlnv.fsf@cliodev.pgp.com>

Forwarded with permission. It looks like we still have some work to do on rfc2440bis. Do we need a meeting in San Diego? If so, I need to request it today.
-derek

From: Sam Hartman <hartmans-ietf@MIT.EDU>
To: Derek Atkins <derek@ihtfp.com>
Cc: housley@vigilsec.com
Subject: Openpgp comments
Date: Mon, 18 Sep 2006 10:33:27 -0400

Hi. I'm sorry it has taken so long but I needed to spin up to speed on openpgp standards, read the old 2440, read the new doc, understand some of the political history and then talk to Russ.

I'm basically done with the new doc. I want to work through the description of PGP CFB mode, but that's all I have left. However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.

The first is the lack of IANA registries. I understand this is left over from 2440. Back then, the IESG was much more willing to approve documents without IANA registries. Even in recent times the IESG has done this--for example, RFC 4120 doesn't have IANA registries created. It's actually my negative experience with RFC 4120 as well as changes in IESG membership that cause me to be quite certain that PGP needs IANA registries for all its parameters. This is doubly true if we're closing down the working group. You can use standards action as the registration policy if you are concerned about interactions with the rest of the spec. Take a look at RFC 2434. The one caution I'd suggest is that if you use the IESG approval registration policy, please give the IESG clear guidelines on what we should look for. "Evaluate using the same criteria as standards actions" is a fine criterion, as is something like "avoid security and interoperability problems."

The second issue is the encryption with integrity packet. Today this is hard-wired to use SHA-1. That's not OK. We need an upgrade path for that and I think we need to support SHA-256 now.

I realize both of these issues are large. I'd be happy to get together with you and the authors on a conference call if that would be useful.
--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
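The two integrity layouts argued over in this thread, as an added example that is not part of any of the messages above: Jon Callas's versioned MDC (Tag 19 inside Tag 18, hash of the plaintext appended before encryption, with the length byte following the hash's natural size for the proposed SHA-256 and SHA-512 variants) next to the encrypt-then-MAC construction Hal Finney suggests (HMAC over the ciphertext, checked before anything is decrypted). Assumptions that are mine, not the thread's: the block cipher is replaced by a hash-derived keystream (`keystream`) so the code runs with only the Python standard library; the 16-byte prefix with its two repeated quick-check bytes and the hash coverage of prefix + plaintext + header follow RFC 4880 section 5.13 for version 1; versions 2 and 3 implement the proposal as stated in the thread and are not what RFC 4880 published; all names (`seipd_encrypt`, `etm_encrypt`, `demo`, ...) are hypothetical.

```python
"""Added example, not from the thread: OpenPGP MDC (Tag 18/19) next to
encrypt-then-MAC.  The cipher is a hash-keystream stand-in (assumption)."""
import hashlib
import hmac
import os

# v1 (SHA-1) is the published Tag 19; v2/v3 are the thread's proposal only.
MDC_HASH = {1: "sha1", 2: "sha256", 3: "sha512"}
PREFIX_LEN = 16           # block size of the stand-in cipher (assumption)
NONCE = b"\x00" * 16      # fixed nonce: tolerable only because this is a demo


def mdc_header(version: int) -> bytes:
    """Tag 19 header: CTB 0xD3 then the hash's natural length (0x14 for SHA-1)."""
    return bytes([0xD3, hashlib.new(MDC_HASH[version]).digest_size])


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in for the block cipher: counter-mode keystream from SHA-256."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seipd_encrypt(key: bytes, plaintext: bytes, version: int = 1) -> bytes:
    """Tag 18 body: prefix || plaintext || Tag 19 header || hash, all encrypted.
    The hash covers prefix, plaintext and header (RFC 4880 5.13 for v1)."""
    hdr = mdc_header(version)
    prefix = os.urandom(PREFIX_LEN)
    prefix += prefix[-2:]  # last two random bytes repeated (quick-check bytes)
    digest = hashlib.new(MDC_HASH[version], prefix + plaintext + hdr).digest()
    body = prefix + plaintext + hdr + digest
    return xor(body, keystream(key, NONCE, len(body)))


def seipd_decrypt(key: bytes, ciphertext: bytes, version: int = 1) -> bytes:
    """Decrypt first, then check the MDC: the hash is only checkable after
    decryption, which is exactly the order Hal's proposal reverses."""
    body = xor(ciphertext, keystream(key, NONCE, len(ciphertext)))
    hlen = hashlib.new(MDC_HASH[version]).digest_size
    data, tag = body[:-hlen], body[-hlen:]
    if data[-2:] != mdc_header(version):
        raise ValueError("MDC packet header missing or damaged")
    if not hmac.compare_digest(hashlib.new(MDC_HASH[version], data).digest(), tag):
        raise ValueError("MDC mismatch: data was modified")
    prefix, plaintext = data[:PREFIX_LEN + 2], data[PREFIX_LEN + 2:-2]
    if prefix[-2:] != prefix[-4:-2]:
        raise ValueError("quick-check bytes do not repeat")
    return plaintext


def etm_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA-256 over the ciphertext under a separate key."""
    ct = xor(plaintext, keystream(enc_key, NONCE, len(plaintext)))
    return ct + hmac.new(mac_key, ct, "sha256").digest()


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the MAC first; nothing is decrypted if it fails."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, "sha256").digest(), tag):
        raise ValueError("MAC mismatch: rejected before decryption")
    return xor(ct, keystream(enc_key, NONCE, len(ct)))


def flip_bit(data: bytes, index: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def tamper_detected(decrypt, blob: bytes, index: int = 20) -> bool:
    """True if flipping one ciphertext bit at `index` makes `decrypt` reject."""
    try:
        decrypt(flip_bit(blob, index))
    except ValueError:
        return True
    return False


def demo() -> dict:
    """(round-trip ok, tamper detected) for each MDC version and for ETM."""
    key, mac_key = b"k" * 32, b"m" * 32
    msg = b"constructed sample plaintext for the integrity demo"  # constructed
    results = {}
    for v in MDC_HASH:
        ct = seipd_encrypt(key, msg, v)
        results[f"mdc_v{v}"] = (seipd_decrypt(key, ct, v) == msg,
                                tamper_detected(lambda c: seipd_decrypt(key, c, v), ct))
    blob = etm_encrypt(key, mac_key, msg)
    results["etm"] = (etm_decrypt(key, mac_key, blob) == msg,
                      tamper_detected(lambda b: etm_decrypt(key, mac_key, b), blob))
    return results


if __name__ == "__main__":
    for name, (ok, detected) in demo().items():
        print(f"{name}: round-trip={ok} tamper-detected={detected}")
```

Both layouts reject a single flipped ciphertext bit; the difference the thread is circling is where the check happens. With the MDC the receiver must decrypt the whole body before it can hash anything, and the Tag 19 length byte is the only thing that changes between the proposed versions. With HMAC over the ciphertext the receiver rejects before decryption and the MAC key is independent of the encryption key, which is the property the Bellare-Namprempre analysis Hal cites relies on.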