Re: [openpgp] Disadvantages of Salted Signatures

Stephan Verbücheln <verbuecheln@posteo.de> Mon, 11 December 2023 07:37 UTC

Return-Path: <verbuecheln@posteo.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D70B1C14F609 for <openpgp@ietfa.amsl.com>; Sun, 10 Dec 2023 23:37:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ix_4gy5HwXLg for <openpgp@ietfa.amsl.com>; Sun, 10 Dec 2023 23:37:31 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E1B1C14F5FD for <openpgp@ietf.org>; Sun, 10 Dec 2023 23:37:24 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id C5129240027 for <openpgp@ietf.org>; Mon, 11 Dec 2023 08:37:22 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1702280242; bh=oG0Nsv/HZmLtoRgRY1SVmrGgbas7wr+YefaxyEkGxDo=; h=Message-ID:Subject:From:To:Date:Autocrypt:MIME-Version:From; b=BrnkTMvHCuz0JL1+SD0yju1Lcac5Hkgh9dEK9i45MHL/3ZR2htK/3AzGiXenTXfj7 cvXL/7ZQFj5haqBwv/4DU5uItpmawUJkEzSz3WjaxlKIi/byM7eH1wwdu1qnNp9Wbe 8KwK1y2E4iXYXXzMMYDntZZfYAmlwAwePbqfZlpoQ601f/p38E5V/Oj32dVWQId9Vh OM5VbAREi6uwpcCg0h+KQdMXWFqX7x+CgK8NFkGaNhtfYm9Iz2x2l2BRi10BU0SYLm 9yyODzw8lz8V77DjVY9TvSiRZf6KXIG5IKvvIBeDtsgX8cu4VdUYYvx3KQEpAR0PUa nMsOiUDNB1ftg==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4SpYVV3FX0z6ty7 for <openpgp@ietf.org>; Mon, 11 Dec 2023 08:37:22 +0100 (CET)
Message-ID: <a38abd9349683c1c0762daa8b203bc8578fc4853.camel@posteo.de>
From: Stephan Verbücheln <verbuecheln@posteo.de>
To: openpgp@ietf.org
Date: Mon, 11 Dec 2023 07:37:21 +0000
In-Reply-To: <df7f0b41-f998-4f0e-b07e-67231031e54b@cs.tcd.ie>
References: <077dd27cef0c7d3968967fc4c3a880081b8bd9dd.camel@posteo.de> <8b5f251f-ae52-4937-9500-ddedb9fbef73@cs.tcd.ie> <709995498037ba59fb1a14d75ffa819702566d83.camel@posteo.de> <df7f0b41-f998-4f0e-b07e-67231031e54b@cs.tcd.ie>
Autocrypt: addr=verbuecheln@posteo.de; prefer-encrypt=mutual; keydata=mQSuBFNw40sRDACLo5/yCjJk1NFXLw8SwNBeYBGlJlbVPqzd4zutMKcTYaZWCu50XL2pzJxYLcZraDfPOlJJNqkZcQRh0FeBjawFOrRIhOVRLn3owt4zHAer9lK9r+QDx2ZatjTVPaMaqgEHA6SdAEhjC4MYGiUCuELupIDaMw5G1y+Wqq64aO/zH+9yEeYXcMKg80Ao3gQ8U4Z+EGFLAP8sxaZthHaP//jrb5oVO3KgWlpifSV673ZccVoOAkyZut/HtAP/WgyMb0/9CmPra9Eqg5w6Sqt5HTKA8T+dDiZWQaYFDUzaJfxOPvVnHIrAFfcPGWc266eu3dJdeP0g483E5sA6IFAoRkUrD8cQqjcWO0MW/c7gAwLTlxploxkWY3jMTgHzZSlqweyamfjK6bubjQet8RT31C5s6JQx9fUhPx3H4SX87aNPnPClrCktzZVHT6NY+W/IaVcPia3AJ0u9bUU1ZPume4Gs4EeUFnJJoLv2SMvQ7ZNl7LOHyTaCOgFIzsEhirE3sCsBAOqnOKfhTsEKjd3bkEkY8tlNrCsg+EdGlSDy2ufoeXgJC/42b6U0BvxZoIY8RCxT3oUAJX2I4yRHQtWETrL3ulZhcKyDVtq9VmWSE+t6+1kR1f4ii+VhQB3/IyE+BE2rFVyN0FArd2OrTryhva4a3zgjNpItHRrWhthOHYeOFpc0qMdEKhRg/vXUHK7JoG6t08HeWwkHHf75geG7IVbZbFoDRf5YiDYVmX8IkYutsd+Z5gIAwqHY+kutHqEVFIZtq13KBXwJj3QLBlu+bzU/22/w46xoVwae6ZWb9dKJwX5y7Lm2i6/fApimPyriNDMYpUQySrowLFbuf5bZeJ9D701Be+TOkpiO8Oxv1IM8qhMlWcYBLxUMQsE75QdvzhQSnfY7UrqBim7+K08n5SRqzHde2X4kX2yC/H9sOOvX/yxQZ8dpGckiiXiKUJogGtxvpdgoji4C0OQmm 6pXrYCpoNoCVFyF+bgUc0Z5MAKf/0sOLwRiXhPrcXnwXU8PFJsO4/SEp1S49TRD6TgsRCPGdIyQmuqaUcZUeKGHJj0lCoPb8bAL/R2lDknel0r+DkMxzOOi1BXROQzVRu+lEn0Zz7ud0XSzw/BfKnU1bSqKWHPBlSgQeZy5+n2AK4sOQ18jwS+SYff7zOcTBlMrq8esFQ4AzeXoKbY3IX/wLTrwtmvKTx3IwSk2mUFNpRjVyVWM/MtoY54ez0mW/bEcB9C/uTFpWptw2acbLGeUDrea/PaRROc+jD+wVMFb9WM60+ml5jTCkKKNyrNAVuRd+RmevdETzb3mO6meV81DsasshImyQ2/V/oqE7mR/p53623Fu9EKlHpZBOT7dIKIHh5+OfNrzFsB/1ojZj8o0wDm5rSEMLMEttULXgaQ4+Te/lkf5jGpHzDVEg2/Ns9diO56jNXZme+M3K2L7tU3ruGmbsOQ6fOMle9fleHYIwg63E8A8lDy5lUHkHPvE0xd9KScYaqxIK8ucOAI1ZUS6O1hijvLe3+nQ0rUfemYCsJbWnAIkJySZYuS3UIK0waLmMr2ln3Vjomm6dYo8w/TYIjN/xylsHlCQALRCU3RlcGhhbiBWZXJiw7xjaGVsbiAoYWxsIG9sZGVyIGtleXMgaW52YWxpZCkgPGVybGVubWF5ckBnbWFpbC5jb20+iJcEExEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEg+BK5vqmGHtcyEaWtGDYvcCyXFwFAlwnZb8FCQqaRuUACgkQtGDYvcCyXFzL/wD/YPkxo1HPEB3yVqcFwCo//FcSuKh7EpWFxihxXxQHZwABAOOHRw33NI+zpt4a1cjKMWxKepRYcTTqC3i/ihnZQOuBtCtTdGVwaGFuIFZlcmLDvGNoZWxuIDx2ZXJidWVjaGVsbkBwb3N0ZW8uZGU+iJYEExEIAD4WIQSD4Erm+qYYe1zIRp a0YNi9wLJcXAUCXCdl2gIbAwUJCppG5QULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC0YNi9wLJcXCygAQCvWJK5ww/dQzk/eYUk16v7rW00G53kCGb98HC9ZWkXlgD/XUeZI2RS6Eo6nzHHtyq1Vql+V+AyEvEc1m1ngBf8kuiYMwRcJlS9FgkrBgEEAdpHDwEBB0ADY7u0kT6mt7LRtFOjoYWwS0nTS2KMThCsbUkXRl4LVLQrU3RlcGhhbiBWZXJiw7xjaGVsbiA8dmVyYnVlY2hlbG5AcG9zdGVvLmRlPoiWBBMWCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEQda40qQiXfGu4epjYDVCWQo8fGIFAmOLjdcFCQtNefMACgkQYDVCWQo8fGK1yAD/Qwms4r06dlt2noeCntKVNFsTDdnOVBak61kSitRy0zoA/jhKTdDeP/HKGv7NRqlNxH63EBLMz1VtmCpw6U4UA0oKuDgEXCZUvRIKKwYBBAGXVQEFAQEHQKGEO7ONepvizi2tIsPc+XPv/h/GEEsxVnVGer79KXZlAwEIB4h4BBgWCAAgAhsMFiEEQda40qQiXfGu4epjYDVCWQo8fGIFAmNzPrQACgkQYDVCWQo8fGLOSgD/bd8ipnktwUx0b0Bb+lNJGAJRHyeyKL+QmJnQFR93fxoA/i3ZGXgRqkjY52XR9HJx3rThULC6jZVY05PRSBmMxp0MuDMEZAJcPRYJKwYBBAHaRw8BAQdAYiAvnQ2LmZYu7F7qE8jfBmOALpUILBepv2AxmoEKlxmIeAQYFggAIBYhBEHWuNKkIl3xruHqY2A1QlkKPHxiBQJkAlw9AhsgAAoJEGA1QlkKPHxiZZEA+gNBMl9iHJ4QUPwLooRbOkAucuHzmfBDmfJLjFuPA9frAQCSCJh/c3ULd031d/LdiQzB4Ume2oWP97888BcuFw/qBJgzBFwvhWMWCSsGAQQ B2kcPAQEHQL0WI08NkkZ8Lk9qb7jSVwUM1NABninszu56afj7hxsZiHgEIBYIACAWIQRLdziymw/lLwGsC09BZx7ov3FWXwUCXEX/vQIdAwAKCRBBZx7ov3FWXwsaAQCxQBBz7oOku9rbyhjS0XoW6pLL0xibo9SmNB63+fazugEArI0ISLnoZsVaElzBlJFqt9UGKj78AtSxQVT8reZP3QG0LXZlcmJ1ZWNoZWxuQHBvc3Rlby5kZSA8dmVyYnVlY2hlbG5AcG9zdGVvLmRlPoiWBBMWCAA+FiEES3c4spsP5S8BrAtPQWce6L9xVl8FAlwvhWMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQQWce6L9xVl8BXgEA2MxilPR12CWUigPxDte1iGjzvVmqj97POPR/koBtxksBAIxDpx3Zv1W/LKJ/8MDiOegfyOUj9xzQbm/jYnLHOLYJuDgEXC+FYxIKKwYBBAGXVQEFAQEHQEYCCmyOgmrtCACvJcCGgvNvB5Q77paq55Y7r4DS+89vAwEIB4h+BBgWCAAmFiEES3c4spsP5S8BrAtPQWce6L9xVl8FAlwvhWMCGwwFCQlmAYAACgkQQWce6L9xVl/EOAD9FVYMMAiBAVnQ2+PQo2FzfDXBVPiCjT3+2xfRJ2kTyuQA/12aWJEJUCDKYepH2M67++J18uT9MxbDalGn0YM/ei4B
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-8WKm5kz70+cZUXwaGHu8"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/o1iZtW5CBQqwRHI9k4brBN1m3Fw>
Subject: Re: [openpgp] Disadvantages of Salted Signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2023 07:37:35 -0000

Hi Stephen

On Sun, 2023-12-10 at 13:58 +0000, Stephen Farrell wrote:
> All that said, in that discussion, we should bear in mind that
> the liklihood that we change or re-open crypto-refresh is small,
> and that should be the case, unless we find some show-stopper
> issue. FWIW, I don't think this is one such.

At least 13.2 is so erroneous that it has potential to damage the
reputation of the standard. The references do not support either of the
claims. One could also ask: Does such a deep dive into cryptography
even belong there?

The signature format itself looks fine, but it adds (yet) unjustified
bloat and complexity, and the disadvantages have not been discussed. So
should it be really mandatory?

This change appears to be proposed by one party with one particular use
case: Implementing PGP in JavaScript in the browser. This would explain
the focus on fault attacks.
This is also apparent for other changes of the refresh such as GCM
(because better supported by browsers) and Argon2 (because storing
millions of keys in the cloud with weak login passwords rather than
strong encryption passphrases or smartcards). All at the cost of
complexity and interoperability. However, these do not affect users who
choose against them because they are not mandatory.
One could even argue that this cloud use case beats the point of PGP
and end-to-end encryption, which is to work with your private
information in a trusted environment. The JavaScript engine of a web
browser is not exactly that, especially for long-term keys.

Regards
Stephan