On Sat 2021-06-05 16:29:07 -0400, Michael Richardson wrote:
> Assume in the future that we have keys larger than 64K octets. We are doing
> that, not because there has been a quantum event, but because we are
> preparing for it.
> We may still not even be sure which PQ scheme is the right one.

I think these are the right assumptions.

> (There are multiple keys present, and possibly multiple signatures over both
> end-user-data, and over keys)

Each "key signature" (certification) is its own OpenPGP packet, right?
and the context we're talking about here is a hash context that is used
to calculate a key signature.

While there is some zoomed-out view that might well have multiple
signatures, and there might be other data signatures that happen over
collections of information that do include keys, those contexts aren't
relevant for this specific calculation.

If the concern is how to "skip over" an artifact from an algorithm that
you don't understand, i don't think this increased size field is
relevant, because any implementation can just "skip over" the signature
by skipping to the end of the signature packet (whose length is already
known; this field doesn't appear on the wire), or not calculating the
digest itself at all.

> A v5-capable tool, which does not speak these new formats can still process
> the packets. It could also verify that these large keys are signed by our
> legacy algorithms.

yes, i agree with this, though it is not "skipping over" -- it's
"preparing for certifications of larger keys". We still don't know
whether this is *sufficient* for dealing with whatever eventual PQ
algorithm arises, but i agree with you that it seems to be *necessary*
to handle them.

It might be worth including change (2) as a precautionary gamble, since
it doesn't appear to have any downside other than a slightly tweaked
codepath during certification creation and verification.

What do other folks in the WG think?

--dkg
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp