Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 07 June 2022 13:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/rnAIB1R2Y_95w0PymcJDevwrsko>

Hi Werner,

(Aside: I'll be sending out a mail starting a working group
last call for this draft in a second - we had meant to do
that before today but it was a holiday here yesterday and my
co-chair is in travel mode. Meanwhile this thread is a fine
example of that kind of discussion...)

On 07/06/2022 08:32, Werner Koch wrote:
> Hi!
> 
> I have a few brief remarks on the new I-D and the crypto-refresh series
> at all by the design team (DT).

Thanks!

> 
> I am listed as Editor, a role which I did not want to take up again
> when we had the first talks about relaunching the WG and starting a DT
> in January 2021.  However, Stephen and Paul said that they want to have
> me in even if Paul agreed to do the actual work.

And that's still the case - I think it's generally good
to maintain recognition for people who've done substantial
work even if that wasn't the most recent bunch of work.

> 
> I have not been involved in the design team since last October due to my
> time constraints.  Back then it seemed that all contentious parts had
> been solved and only a few editorial changes, the introduction of X448,
> and updated IANA considerations were missing.  Later it turned out that
> we also need to fix the private key protection scheme.  However, the DT
> added a lot more things in the meantime, which was pretty surprising
> to me.
> 
> The parts of the new I-D which I strongly disagree with are:
> 
> 1. The new AEAD scheme.
> 
>     It seems that this new scheme was introduced for the benefit of
>     allowing GCM as yet another encryption mode.  GCM is a counter mode
>     and as can be seen by the large changes required, hard to get right.
>     We do have GCM now in CMS because Microsoft decided to go this
>     way.  However, OpenPGP has taken its own decisions based on technical
>     soundness and not based on larger vendor, government or committee
>     decision.
> 
>     The WG once decided to go with EAX and OCB.  EAX was only added to
>     avoid possible patent problems.  However, in the 4.5 years since the
>     introduction of EAX the patent thing has expired or was invalidated, and
>     before the new mode will be a MUST algorithm in a future OpenPGP
>     RFC (not in 4880bis), there will definitely be no more problem at all
>     with OCB.  I bet that by then an updated FIPS-140 will even allow
>     OCB.
> 
>     Thus my suggestion: Drop all those new AEAD ideas and use what has
>     been deployed and agreed upon in this very WG a long time ago.
>     Further, turn OCB into MUST and EAX into MAY (for backward
>     compatibility to deployed implementations).

That's a good discussion to have, so I'd hope others will
chime in (the more input the easier it can be to establish
if there's rough consensus).

> 
> 2. The removal of the Brainpool curves, as already explicitly listed in
>     early RFC-4880bis drafts, is not acceptable.  It may even raise
>     suspicions that a TLA was somehow involved to keep NIST curves but
>     not Brainpool.  Note I won't share such an opinion, but with crypto
>     algos we also need to look at such political things.
> 
>     Thus please immediately issue -07 with Brainpool re-added.

As above.

> 
> There are probably other things I will eventually comment on.  That will
> take more time due to the hard to handle merge request style development
> by the DT in contrast to the former step by step draft release and
> discuss process.

Yeah, there's a bunch of DT changes but I hope you and others
do provide the input we need from the broader WG.

> Salam-Shalom,
> 
>     Werner
> 
> 
> 
> ps.
> I am not sure whether having one of the chairs being the main
> contributor to the crypto-refresh draft was actually helpful.  Even if
> a large amount of his commits are due to his re-formatting of the source
> code.

As the other co-chair (in my case the one with way less
background in PGP:-), I guess I'd disagree, in this case.
ISTM my co-chair (dkg) was very energetic in the DT work
but wasn't pushing his own agenda that I noticed. I do
agree in general though it can be better to have less
involved chairs, but reality means that's not always either
possible, or the best plan. IMO, in this case, I think
it's been fine.

Cheers,
S.