Re: [openpgp] First remarks on the last I-D (Was: I-D Action: draft-ietf-openpgp-crypto-refresh-06.txt)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 07 June 2022 13:27 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/rnAIB1R2Y_95w0PymcJDevwrsko>

Hi Werner,

(Aside: I'll be sending out a mail starting a working group
last call for this draft in a second - we had meant to do
that before today but it was a holiday here yesterday and
my co-chair is in travel mode. Meanwhile this thread is a
fine example of that kind of discussion...)

On 07/06/2022 08:32, Werner Koch wrote:
> Hi!
>
> I have a few brief remarks on the new I-D and the crypto-refresh series
> at all by the design team (DT).

Thanks!

>
> I am listed as Editor, a role which I did not want to take up again
> when we had the first talks about relaunching the WG and starting a DT
> in January 2021. However, Stephen and Paul said that they want to have
> me in even if Paul agreed to do the actual work.

And that's still the case - I think it's generally good to
maintain recognition for people who've done substantial work
even if that wasn't the most recent bunch of work.

>
> I have not been involved in the design team since last October due to my
> time constraints. Back then it seemed that all contentious parts had
> been solved and only a few editorial changes, the introduction of X448,
> and updated IANA considerations were missing. Later it turned out that
> we also need to fix the private key protection scheme. However, the DT
> added a lot of more things in the meantime which was pretty surprising
> to me.
>
> The parts of the new I-D which I strongly disagree with are:
>
> 1. The new AEAD scheme.
>
>    It seems that this new scheme was introduced for the benefit of
>    allowing GCM as yet another encryption mode. GCM is a counter mode
>    and as can be seen by the large changes required, hard to get right.
>    We do have GCM now in CMS now because Microsoft decided to go this
>    way. However, OpenPGP has taken its own decisions based on technical
>    soundness and not based on larger vendor, government or committee
>    decision.
>
>    The WG once decided to go with EAX and OCB. EAX was only added to
>    avoid possible patent problems. However, in the 4.5 years since the
>    introduction of EAX the patent things has expired was invalidated and
>    before the new mode will be a MUST algorithm in a future OpenPGP
>    RFC (not in 4880bis), there will definitely be no more problem at all
>    with OCB. I bet that by then an updated FIPS-140 will even allow
>    OCB.
>
>    Thus my suggestion: Drop all that new AEAD ideas and use what has
>    been deployed and agreed upon in this very WG a long time ago.
>    Further, turn OCB into MUST and EAX into MAY (for backward
>    compatibility to deployed implementations).

That's a good discussion to have, so I'd hope others will
chime in (the more input the easier it can be to establish
if there's rough consensus).

>
> 2. The removal of the Brainpool curves, as already explicitly listed in
>    early RFC-4880bis drafts, is not acceptable. It may even raise
>    suspicions that a TLA was somehow involved to keep NIST curves but
>    not Brainpool. Note I won't share such an opinion, but with crypto
>    algos we also need to look at such political things.
>
>    Thus please immediately issue -07 with Brainpool re-added.

As above.

>
> There are probably other things I will eventually comment. That will
> take more time due to the hard to handle merge request style development
> by the DT in contrast to the former step by step draft release and
> discuss process.

Yeah, there's a bunch of DT changes but I hope you and others
do provide the input we need from the broader WG.

> Salam-Shalom,
>
>    Werner
>
>
>
> ps.
> I am not sure whether having one of the chairs being the main
> contributor to the crypto-refresh draft was actually helpful. Even if
> a large amount of his commits are due to his re-formatting of the source
> code.

As the other co-chair (in my case the one with way less
background in PGP:-), I guess I'd disagree, in this case.
ISTM my co-chair (dkg) was very energetic in the DT work
but wasn't pushing his own agenda that I noticed.

I do agree in general though it can be better to have less
involved chairs, but reality means that's not always either
possible, or the best plan. IMO, in this case, I think it's
been fine.

Cheers,
S.