diff --git a/misc/id/rfc4880bis/middle.mkd b/misc/id/rfc4880bis/middle.mkd
index 80c0a61..97c506a 100644
--- a/misc/id/rfc4880bis/middle.mkd
+++ b/misc/id/rfc4880bis/middle.mkd
@@ -256,6 +256,7 @@ reserved values:
1 Salted S2K
2 Reserved value
3 Iterated and Salted S2K
+ 4 Argon2i
100 to 110 Private/Experimental S2K
These are described in the following Sections.
@@ -340,11 +341,50 @@ even though that is greater than the octet count. After the hashing is
done, the data is unloaded from the hash context(s) as with the other
S2K algorithms.
+#### {3.7.1.4} Argon2i
+
+This employs the password derivation scheme Argon2, which is memory-hard
+and resilient against side-channel and trade-off attacks.
+
+ Octet 0: 0x04
+ Octets 1-33: 32-octet salt
+ Octet 34: one-octet parallelism value
+ Octets 35-39: 4-octet memory size value
+ Octets 40-44: 4-octet iteration count
+
+The salt value corresponds to the nonce parameter of Argon2. The
+parallelism value determines how many computational chains (threads) can
+be run. A parallelism degree of 1 is RECOMMENDED. The memory size value
+is the number of kilobytes of memory to be used when deriving the
+password. This value MUST at least be 8 * parallelism degree. The
+iteration account specifies the number of passes over memory. To protect
+against trade-off attacks, 3 iterations are RECOMMENDED.
+
+Other secondary inputs to Argon2 are not used: secret key K and
+associated data X MUST be passed with 0-octet length to Argon2.
+The tag length parameter to Argon2 that describes the length of the
+derived symmetric key MUST be equal to the key size of the symmetric
+cipher to be used. The version parameter v MUST be set to 0x10, the
+type parameter y to 1, thus specifying that the Argon2i variant is to be
+used.
+
+##### {3.7.1.4.1} NON-NORMATIVE NOTES
+Implementations can improve memory bandwidth usage by choosing larger
+parallelism degrees than 1. The number of memory blocks to be used in
+Argon2 is internally rounded down to the nearest multiple of
+4 * parallelism degree. The iteration count can be used to tune running
+time independently of the memory size.
+
### {3.7.2} String-to-Key Usage
-Implementations SHOULD use salted or iterated-and-salted S2K
-specifiers, as simple S2K specifiers are more vulnerable to dictionary
-attacks.
+Implementations MUST generate S2K specifiers that include salts
+(either type 2, 3 or 4), as simple S2K specifiers are more vulnerable to
+dictionary attacks. Use of Argon2i is RECOMMENDED as it offers
+protection against massive-parallel and side-channel attacks. When
+reading S2K specifiers that do not include salts, implementations SHOULD
+issue a warning about potentially insecure methods being used. When
+reading S2K specifiers other than Argon2i, implementations SHOULD issue
+a warning about outdated methods being used.
#### {3.7.2.1} Secret-Key Encryption
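Review bot: the octet ranges in the 3.7.1.4 layout do not match the field sizes they label. "Octets 1-33" spans 33 octets for a 32-octet salt, and "Octets 35-39" and "Octets 40-44" each span five octets for 4-octet values. With the stated sizes the layout would be 1-32 salt, 33 parallelism, 34-37 memory size, 38-41 iteration count. The byte order of the two 4-octet values is not stated and should be. In the same hunk, "iteration account" should read "iteration count", and the 3.7.2 text lists the salted specifiers as "type 2, 3 or 4" although the table in this patch has 1 as Salted S2K and 2 as a reserved value.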
@@ -1646,9 +1686,9 @@ following Symmetrically Encrypted Data packet, followed by the session
key octets themselves.
Note: because an all-zero IV is used for this decryption, the S2K
-specifier MUST use a salt value, either a Salted S2K or an
-Iterated-Salted S2K. The salt value will ensure that the decryption
-key is not repeated even if the passphrase is reused.
+specifier MUST use a salt value, either S2K types 1, 3 or 4.
+The salt value will ensure that the decryption key is not repeated even
+if the passphrase is reused.
## {5.4} One-Pass Signature Packets (Tag 4)
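Review bot: "either S2K types 1, 3 or 4" identifies the permitted specifiers by number only and pairs "either" with three alternatives. Consider keeping the names the removed lines used and adding the new one, for example "a Salted S2K, an Iterated-Salted S2K or an Argon2i S2K", so the requirement can be read without a lookup in the type table.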
@@ -4120,8 +4160,7 @@ SHOULD be rejected.
MDC MUST be used when a symmetric encryption key is protected by
ECDH. None of the ECC methods described in this document are
allowed with deprecated V3 keys. A compliant application MUST only
- use iterated and salted S2K to protect private keys, as defined in
- Section 3.7.1.3{FIXME}, "Iterated and Salted S2K".
+ use S2K schemes that make use of salts to protect private keys.
Side channel attacks are a concern when a compliant application's
use of the OpenPGP format can be modeled by a decryption or signing
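Review bot: the replacement sentence loosens the private-key protection requirement rather than just extending it. The removed text allowed only iterated and salted S2K, while "S2K schemes that make use of salts" also admits plain Salted S2K, which has no iteration count. If the intent is only to permit Argon2i in addition, name the allowed schemes explicitly, for example "iterated and salted S2K or Argon2i S2K", and keep a section reference to 3.7.1.3 and 3.7.1.4 in place of the one that was dropped.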
diff --git a/misc/id/rfc4880bis/template.xml b/misc/id/rfc4880bis/template.xml
index 82cfd27..a2a86a0 100644
--- a/misc/id/rfc4880bis/template.xml
+++ b/misc/id/rfc4880bis/template.xml
@@ -94,6 +94,16 @@
+
+
+ Argon2: the memory-hard function for password hashing and other applications
+
+
+
+
+
+
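Review bot: nothing in the added 3.7.1.4 text cites this new Argon2 reference entry. Add a citation where "the password derivation scheme Argon2" is first mentioned, so that the parameters the section constrains (K, X, tag length, v, y) are tied to a specific document.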