Re: [openpgp] AEAD and Rome (was: First remarks on the last I-D)

Daniel Huigens <d.huigens@protonmail.com> Mon, 13 June 2022 18:20 UTC

To: Werner Koch <wk@gnupg.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: "Robert J. Hansen" <rjh@sixdemonbag.org>, openpgp@ietf.org, Jon Callas <joncallas=40icloud.com@dmarc.ietf.org>
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/o6GAvsq5aYw4kvBIBsol4VX0D3w>

Yeah. In general I agree with this goal. We haven't implemented
Camellia, and to be honest, I'd love to get rid of the NIST and
Brainpool curves, and keep only the CFRG curves.
(As I said before, I personally don't care much about FIPS compliance
in general, though I know some people do.)

I also wouldn't be opposed to removing EAX; I agree it's no longer
really necessary.

Relative to those, adding GCM adds less code and maintenance burden
for us, as it's already included in the underlying crypto libraries.
However, I can definitely sympathize if it adds a burden for others.
I certainly wouldn't make GCM mandatory to implement. That way, only
those who want to implement it can, and if it's not included in the
algorithm preferences, nobody will send GCM-encrypted messages to that
key; and the implementation can use MTI algorithms instead.

This is in contrast to public-key algorithms, where if anybody publishes
a key using a given algorithm, there's no option to fall back to an MTI
algorithm. Thus I think we should be more restrictive about adding
public-key algorithms (and curves) than symmetric-key algorithms.

However, if the general goal is to have as few algorithms as possible,
I also wouldn't be entirely opposed to having only OCB. But then I would
simplify the entire AEAD system and just hardcode OCB, and if we ever
think that might be(come) no longer sufficiently secure, we can just
define a new packet version. That would be a large overhaul, though, so
I'm not sure if that's worth it at this point. And presumably the
people that care about FIPS compliance would object to that.

Best,
Daniel
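The asymmetry in the message above, as an added illustration that is not code from the thread or from any OpenPGP implementation: an optional AEAD mode such as GCM is only selected when every recipient key lists it, otherwise the sender falls back to the MTI mode, whereas an unsupported public-key algorithm on a recipient key has no fallback at all. The model is deliberately simplified (modes only, ignoring the cipher half of a ciphersuite pair); it assumes OCB as the MTI mode, the draft's mode IDs EAX=1, OCB=2, GCM=3, and constructed key names.

```python
from dataclasses import dataclass

EAX, OCB, GCM = 1, 2, 3   # AEAD mode IDs from the crypto-refresh draft registry
MTI_AEAD = OCB            # assumption: OCB is the mandatory-to-implement mode


@dataclass
class RecipientKey:
    name: str
    pk_algo: str           # e.g. "x25519", "p256" (constructed labels)
    aead_prefs: tuple = () # ordered AEAD modes from the key's self-signature


@dataclass
class Sender:
    pk_algos: frozenset    # public-key algorithms this implementation can encrypt with
    aead_modes: tuple      # AEAD modes in the sender's own order of preference


def acceptable_modes(key: RecipientKey) -> set:
    """Modes a recipient key will accept. An empty or absent preference
    list still implies the MTI mode, which is what makes the fallback safe."""
    return set(key.aead_prefs) | {MTI_AEAD}


def choose_aead(sender: Sender, recipients: list) -> int:
    """Pick the first sender-preferred mode that every recipient accepts.
    Because every key implicitly accepts MTI_AEAD, this always terminates
    with a usable mode as long as the sender implements MTI_AEAD."""
    if MTI_AEAD not in sender.aead_modes:
        raise ValueError("sender must implement the MTI AEAD mode")
    for mode in sender.aead_modes:
        if all(mode in acceptable_modes(k) for k in recipients):
            return mode
    return MTI_AEAD


def plan_encryption(sender: Sender, recipients: list) -> int:
    """Return the AEAD mode to use, or fail when a recipient key uses a
    public-key algorithm the sender lacks: unlike the symmetric side, there
    is nothing to negotiate down to, the message simply cannot be sent."""
    unsupported = [k.name for k in recipients if k.pk_algo not in sender.pk_algos]
    if unsupported:
        raise ValueError(f"cannot encrypt to {unsupported}: public-key algorithm not implemented")
    return choose_aead(sender, recipients)
```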