[openpgp] Incorporated RFC 6637: SHA2-384 recommendation

"Neal H. Walfield" <neal@walfield.org> Fri, 26 February 2021 11:46 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C323A13BD for <openpgp@ietfa.amsl.com>; Fri, 26 Feb 2021 03:46:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1k6tMNBv0Rk for <openpgp@ietfa.amsl.com>; Fri, 26 Feb 2021 03:46:49 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10FF13A13B5 for <openpgp@ietf.org>; Fri, 26 Feb 2021 03:46:48 -0800 (PST)
Received: from p5de92c26.dip0.t-ipconnect.de ([93.233.44.38] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1lFba2-0003Ww-Cn; Fri, 26 Feb 2021 11:46:46 +0000
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1lFba1-000695-P6; Fri, 26 Feb 2021 12:46:46 +0100
Date: Fri, 26 Feb 2021 12:46:45 +0100
Message-ID: <87k0qvaw62.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Paul Wouters <paul@nohats.ca>
Cc: openpgp@ietf.org
In-Reply-To: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca>
References: <7d8bdda1-4e5c-6c10-f3cd-1d191fad595c@nohats.ca>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?ISO-8859-4?Q?Goj=F2?=) APEL/10.8 EasyPG/1.0.0 Emacs/26 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/xj6-k7vAxJU1vvLAKp1wHPcJPxE>
Subject: [openpgp] Incorporated RFC 6637: SHA2-384 recommendation
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2021 11:46:51 -0000

On Tue, 23 Feb 2021 03:19:03 +0100,
Paul Wouters wrote:
> - Incorporated RFC 6637 (ECDSA and ECDH, using NIST curves)

In the OpenPGP ECC Profile section, SHA2-384 is listed as a SHOULD
algorithm:

  ## OpenPGP ECC Profile

  A compliant application MUST implement SHA2-256 and SHOULD implement
  SHA2-384 and SHA2-512.

But, in the 'Hash Algorithms' section, it is a MAY algorithm.

  ## Hash Algorithms

  Implementations MUST implement SHA-1.
  Implementations MAY implement other algorithms.
  MD5 is deprecated.

In the 'Security Considerations' section there are two relevant
points:

  # Security Considerations

  - Requirement levels indicated elsewhere in this document lead to
    the following combinations of algorithms in the OpenPGP profile:
    MUST implement NIST curve P-256 / SHA2-256 / AES-128, SHOULD
    implement NIST curve P-521 / SHA2-512 / AES-256, MAY implement
    NIST curve P-384 / SHA2-384 / AES-256, among other allowed
    combinations.

  - SHA2-224 and SHA2-384 require the same work as SHA2-256 and
    SHA2-512, respectively.  In general, there are few reasons to use
    them outside of DSS compatibility.

So, ECC that uses SHA2-384 is a MAY and SHA2-384 is discouraged.

In the past, we've talked about algorithm agility on this mailing
list:

  http://mailarchive.ietf.org/arch/msg/openpgp/2C5jQNKcnUZZUzh84s0Di-GYKV0

And the last version of 4880bis only included SHA3-256 and SHA3-512.

  https://gitlab.com/openpgp-wg/rfc4880bis/-/blob/main/draft-ietf-openpgp-rfc4880bis-09.txt#L3801


My suggestion is to change the following text:

  A compliant application MUST implement SHA2-256 and SHOULD implement
  SHA2-384 and SHA2-512.

to

  A compliant application MUST implement SHA2-256 and SHOULD implement
  SHA2-512.  It MAY implement SHA2-384.

Neal