Re: [openpgp] Intent to deprecate: Insecure primitives

Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com> Mon, 16 March 2015 08:59 UTC

Message-ID: <55069B5E.6000404@sumptuouscapital.com>
Date: Mon, 16 Mar 2015 09:59:10 +0100
From: Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
References: <CAA7UWsWBoXpZ2q=Lv151R593v3u=SPNif39ySX_-8=fqMniiVg@mail.gmail.com> <87sid5si30.fsf@alice.fifthhorseman.net>
In-Reply-To: <87sid5si30.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/ssaLZmHSPYLNfkWUcFPVbG-72Ds>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives

On 03/16/2015 05:05 AM, Daniel Kahn Gillmor wrote:
> Hi David--
> 

>> 
>> - Symmetric cipher algorithms: IDEA, TDES, CAST5, Blowfish, Twofish
>> - Asymmetric algorithms, generally: RSA-ES, DSA.
> 
> Are you referring to Public Key Algorithms specifically here?  in 
> particular, this table:
> 
> https://tools.ietf.org/html/rfc4880#section-9.1
> 
> If so, RSA-ES (pubkey algorithm 1) is very widely used, even for
> keys that are only marked for one usage (signatures or encryption).
> In fact, i don't think there are many RSA keys labeled RSA-E (algo
> 2) and RSA-S (algo 3) at all.  Why treat RSA-ES separately for
> deprecation?
> 
> On a relatively up-to-date keyring with a couple-thousand OpenPGP 
> certificates, i did this check (the first column is the count, the 
> second column is the algorithm ID):

Just to add a bit more data to this, on a keyserver (a hockeypuck
instance not supporting ECC) the corresponding figures (primary +
subkey) for 3882360 primary keys and 3612096 subkeys are:

-----------+---------
        16 | 2658039
         1 | 2185612
         3 |     627
        17 | 2649388
         0 |     196
         2 |     594

(this is not adjusting for revoked / expired keys etc)

On an older copy (around January 2014, this time dumped from SKS
supporting ECC) with 3532268 primary keys and 3288749 subkeys, but it
shows a bit of the trend:

+------+----------+
| algo | COUNT(1) |
+------+----------+
|    0 |      352 |
|    1 |  1552104 |
|    2 |      341 |
|    3 |      371 |
|   16 |  2636715 |
|   17 |  2629639 |
|   18 |       37 |
|   19 |       44 |
|   20 |     1380 |
|  101 |        2 |
|  103 |       32 |
+------+----------+
11 rows in set (3.76 sec).

If interesting, I can always do a refreshed dump from SKS, also adding
support for Ed25519 (experimental), if tracking the development of
the number of keys here is of interest.


>> - Asymmetric algorithms, unless > 3070 bit key length: RSA-S,
>> RSA-E, ELG-E.
> 
> How did you choose this cutoff?  I'm happy to see a high bar
> personally, but this is likely to invalidate many 2048-bit keys
> that people have been generating with (e.g.) the GnuPG defaults
> today.  Do you think that GnuPG should change its defaults to the
> higher cutoff?

And if you believe so, what is the rationale behind this?

-- 
----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Nosce te ipsum!
Know thyself!
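
Added example, not part of the original message and not the code used on either keyserver: one way to produce a per-algorithm tally like the ones above from a binary OpenPGP keyring, by reading the public-key algorithm ID (RFC 4880 section 9.1) out of each Public-Key and Public-Subkey packet. The names packets, tally, make_pkt and SAMPLE are hypothetical, the sample packets are constructed with placeholder key material, and primary keys and subkeys are counted separately here rather than combined.

```python
# Tally public-key algorithm IDs over key/subkey packets of a binary OpenPGP keyring.
import struct
from collections import Counter

KEY_TAGS = {6: "primary", 14: "subkey"}  # Public-Key / Public-Subkey packet tags

def packets(data):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:                  # one-octet length
                length = first
            elif first < 224:                # two-octet length
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:               # five-octet length
                length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def tally(data):
    """Count (role, algorithm ID) pairs over all key and subkey packets."""
    counts = Counter()
    for tag, body in packets(data):
        if tag in KEY_TAGS and len(body) >= 8:
            # v4: version, 4-octet creation time, algorithm; v2/v3 add 2 validity octets
            off = 5 if body[0] == 4 else 7
            counts[(KEY_TAGS[tag], body[off])] += 1
    return counts

def make_pkt(tag, algo, new=False):
    # Constructed sample packet: v4 key header followed by placeholder key material.
    body = bytes([4]) + b"\x55\x06\x9b\x5e" + bytes([algo]) + b"\x00" * 8
    hdr = bytes([0xC0 | tag, len(body)]) if new else bytes([0x80 | tag << 2, len(body)])
    return hdr + body

SAMPLE = make_pkt(6, 1) + make_pkt(14, 1, new=True) + make_pkt(6, 17) + make_pkt(14, 16) + make_pkt(2, 0)
```

Summing the primary and subkey counts for each algorithm ID gives the combined "primary + subkey" form used in the tables above.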