Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
Paul Wouters <paul@nohats.ca> Tue, 07 June 2022 12:10 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50987C14CF0C for <openpgp@ietfa.amsl.com>; Tue, 7 Jun 2022 05:10:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GSbkQqWcMsWP for <openpgp@ietfa.amsl.com>; Tue, 7 Jun 2022 05:10:10 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1477C157B49 for <openpgp@ietf.org>; Tue, 7 Jun 2022 05:10:09 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4LHTgy6sblzCw5; Tue, 7 Jun 2022 14:10:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1654603806; bh=UwJkbbShiObmjFHoZp1Zo5I497GQgqQnscrDHnq0UG8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Ry5nW4xZ0UIJHTJIErAyzpHO2D/mZ197UqO/yn2tyCHWNwQZeDP8RgHIs7ebqepbP b6AaJghdEjotQZzfiohUDTu8Vzyf0dUmnqvVweooYtGrX+IHTIf1UhJTKbWiesjyJe RQTCX3dUGyXXNMZJGjFbPCQ8JOD1OuTR+iCsIqhM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id QjA2SzYmVdma; Tue, 7 Jun 2022 14:10:05 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 7 Jun 2022 14:10:05 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E0DED3880E4; Tue, 7 Jun 2022 08:10:04 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DB7363880E3; Tue, 7 Jun 2022 08:10:04 -0400 (EDT)
Date: Tue, 07 Jun 2022 08:10:04 -0400
From: Paul Wouters <paul@nohats.ca>
To: Werner Koch <wk@gnupg.org>
cc: openpgp@ietf.org
In-Reply-To: <87tu8xkjx4.fsf@wheatstone.g10code.de>
Message-ID: <1378eec-4255-930-736-ffd27f292d48@nohats.ca>
References: <165453577116.17285.7902041139949315015@ietfa.amsl.com> <87tu8xkjx4.fsf@wheatstone.g10code.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/pjXamgdIo-7gQzkVu2UBJ2JV1ao>
Subject: Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2022 12:10:14 -0000
On Tue, 7 Jun 2022, Werner Koch wrote: > The parts of the new I-D which I strongly disagree with are: > > 1. The new AEAD scheme. > > It seems that this new scheme was introduced for the benefit of > allowing GCM as yet another encryption mode. GCM is a counter mode > and as can be seen by the large changes required, hard to get right. > We do have GCM now in CMS now because Microsoft decided to go this > way. Partially, this is because GCM is allowed by FIPS. > However, OpenPGP has taken its own decisions based on technical > soundness and not based on larger vendor, government or committee > decision. This sentence is somewhat contradicting. OpenPGP is the work of the IETF, so it is in a way a "committee decision". The OpenPGP Design Team was meant to speed up to work and have a draft to discuss. That is exactly what we are starting to do now. > The WG once decided to go with EAX and OCB. EAX was only added to > avoid possible patent problems. However, in the 4.5 years since the > introduction of EAX the patent things has expired was invalidated and > before the new mode will will be a MUST algorithm in a future OpenPGP > RFC (not in 4880bis), there will definitely be no more problem at all > with OCB. I bet that by then an updated FIPS-140 will even allow > OCB. If we have more indication than only your bet, that might be a persuavive argument. But right now, GCM is the only FIPS compatible method. So I think removing that would be problematic. > Thus my suggestion: Drop all that new AEAD ideas and use what has > been deployed and agreed upon in this very WG a long time ago. > Further, turn OCB into MUST and EAX into MAY (for backward > compatibility to deployed implementations). That would certainly be a good option if we got confirmation about the OCB status. > 2. The removal of the Brainpool curved, as already explicitly listed in > early RFC-4880bis drafts, is not acceptable. It may even raise > suspicions that a TLA was somehow involved to keep NIST curves but > not Brainpool. Note I won't share such an opinion, but with crypto > algos we also need to look at such political things. I personally also think that having some non-US centric options would be good. But we do have 25519 and x448 now for that. It seems within the IETF, Brainpool is not seeing a great adoption. But again, personally I am fine with adding these at the MAY level. I am interested in hearing from others on this issue. In particular, I would be interested in people who have actually deployed using Brainpool as that might weigh in on keeping this at the MAY level for backwards compatibility. > There are probably other things I will eventually comment. That will > take more time due to the hard to handle merge request style development > by the DT in contrast to the former step by step draft release and > discuss process. There is time. This draft was not meant to go out quickly into IETF Last Call. It was meant as input to the openpgp working group for further discussion. Thanks for reading and commenting so far, and hope to hear more feedback from you and others. Paul
- [openpgp] I-D Action: draft-ietf-openpgp-crypto-r… internet-drafts
- Re: [openpgp] I-D Action: draft-ietf-openpgp-cryp… Paul Wouters
- [openpgp] First remarks on the last I-D (Was: I-D… Werner Koch
- Re: [openpgp] First remarks on the last I-D (Was:… Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… Justus Winter
- Re: [openpgp] First remarks on the last I-D (Was:… Stephen Farrell
- Re: [openpgp] First remarks on the last I-D (Was:… Daniel Huigens
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Ronald Tse
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D (Was:… brian m. carlson
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Werner Koch
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Paul Wouters
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D brian m. carlson
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Peter Gutmann
- Re: [openpgp] First remarks on the last I-D Stephen Farrell
- Re: [openpgp] First remarks on the last I-D Paul Schaub
- Re: [openpgp] First remarks on the last I-D Jon Callas
- Re: [openpgp] First remarks on the last I-D Robert J. Hansen
- Re: [openpgp] First remarks on the last I-D Daniel Huigens
- [openpgp] AEAD and Rome (was: First remarks on th… Werner Koch
- Re: [openpgp] AEAD and Rome (was: First remarks o… Daniel Huigens
- [openpgp] Choices for AEAD modes [was: AEAD and R… Daniel Kahn Gillmor
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Justus Winter
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Paul Wouters
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… brian m. carlson
- Re: [openpgp] Choices for AEAD modes Ronald Tse
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Werner Koch
- Re: [openpgp] Choices for AEAD modes [was: AEAD a… Stephen Farrell
- Re: [openpgp] Choices for AEAD modes Werner Koch
- Re: [openpgp] Choices for AEAD modes Stephen Farrell