WG: Open Specification for Pretty Good Privacy (openpgp)
Meeting: IETF 93, Yokohama
Location: Pacifico Yokohama Rooms 411/412
Date: 3 November 2015
Time: 17:10-18:40 JST
Chairs: Daniel Kahn Gillmor
Christopher LILJENSTOLPE
Minutes: Rich Salz
- Agenda Bashing, Blue Sheets, etc (10 min)
No changes.
- Call for an editor for 4880bis
Werner Koch volunteer (GPG lead developer)
Plan is to use git, markdown
Poll: email vs gitlab, evenly split; will take to the list.
Timing? Not yet considered; -00 and -01 that incorporate errata and ECC within
a week or two. Maybe a year? Sense of the room? No consensus.
Need to complete before CEASAR completes, will update if necessary.
- SEIPD -> SED attack : followup?
Magazinius pointed out you can convert symmetrically-encrypted
integrity-protected data (SEIPD) to symmetrically-encrypted data (SED) without
decrypting. How to deprecate SED? We can say MUST NOT generate, but what about
decrypting old stored SED data? Bryan: do we know of any ciphers that were
only ever used with SEIPD? Will follow-up on the mailing list.
- General issue of deprecration for stored data? Possibilities (? Marks
possibly-controversial)
MD5; SHA1?; RIPE-MD
IDEA; 3DES?; CAST5?; Blowfish? Twofish?
DSA? Size limits on RSA? NIST ECC? ElGamal?
What does deprecation mean? Perhaps just encryption? Also decrypt if the
content is known/believed to be not old
Is signature verification different?
There are several usability issues around this; we need to be careful.
Consensus is not to create new content with deprecated algorithms.
Perhaps address general issue of "what to do with old stuff"? And maybe answer
is "lose it"
Stephen Farrell: Suggest reframe question as "everything deprecated unless
shown that need to generate ones using old mechanism"
Discussion of how appropriate to put UI items in a protocol/data-format spec.
Strong consensus to start with everything removed, and then add the ones we
want.
- Fingerprint conclusion
One format, or multiple
Choice of digest?
Truncation allowed?
What is digested (creation, expiration times)?
Distinguish v5 from v4?
UI/UX guidance for implementers?
Hum on formats; sorry I glitched on the text and the hum results. *Please
update this*
Please come to list with concrete suggestions; no opinions on roomt. Having a
concrete strawman proposal would be useful to get conclusions.
- Symmetric crypto (Bryan Ford), draft-ford-openpgp-format See slides in the
proceedings.
Consensus to use a new packet type for AEAD-protected
FYI: Rogaway agrees to waive OCB patent for PGP (perhaps might not be
sufficient)
Lots of information exposed by plaintext metadata
Magic number -- this is an openpgp file, so its suspicious
Cipher -- is it worth trying to crack (e.g., is it rc4 :)
Passphrase: worth trying a password cracker
Recipient key-id's: where to point the rubber hose?
# of recipients: aha, it's *that* group of dissidents?
Should we aim to protect it all (at cost of "trial" encryptions)?
Consider some padding mechanisms.
- S2K (key derivation)
- from https://password-hashing.net/ use Argon2i (constant time)
Proposal by dkg: ask for early allocation; Stephen says wait for Simon's
draft to appear to shake out any possible IPR issues.
- Registry policies
To be mentioned on list
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp