From c08c94edc746b98776d846d723435168c0856ed7 Mon Sep 17 00:00:00 2001 From: Aron Wussler Date: Wed, 1 Jun 2022 18:02:16 +0200 Subject: [PATCH] Add expiration date for algorithms in v5 keys --- crypto-refresh.md | 91 ++++++++++++++++++++++++++--------------------- 1 file changed, 50 insertions(+), 41 deletions(-) diff --git a/crypto-refresh.md b/crypto-refresh.md index ac0af1e..7bd3a07 100644 --- a/crypto-refresh.md +++ b/crypto-refresh.md 
@@ -3128,18 +3128,18 @@ See {{notes-on-algorithms}} for more discussion of the algorithms. ## Public-Key Algorithms {#pubkey-algos} {: title="Public-key algorithm registry"} -ID | Algorithm | Public Key Format | Secret Key Format | Signature Format | PKESK Format ----:|--------------------------|---|---|---|--- - 1 | RSA (Encrypt or Sign) {{HAC}} | MPI(n), MPI(e) \[{{key-rsa}}] | MPI(d), MPI(p), MPI(q), MPI(u) | MPI(m\**d mod n) \[{{sig-rsa}}] | MPI(m\**e mod n) \[{{pkesk-rsa}}] - 2 | RSA Encrypt-Only {{HAC}} | MPI(n), MPI(e) \[{{key-rsa}}]| MPI(d), MPI(p), MPI(q), MPI(u) | N/A | MPI(m\**e mod n) \[{{pkesk-rsa}}] - 3 | RSA Sign-Only {{HAC}} | MPI(n), MPI(e) \[{{key-rsa}}] | MPI(d), MPI(p), MPI(q), MPI(u) | MPI(m\**d mod n) \[{{sig-rsa}}] | N/A - 16 | Elgamal (Encrypt-Only) {{ELGAMAL}} {{HAC}} | MPI(p), MPI(g), MPI(y) \[{{key-elgamal}}] | MPI(x) | N/A | MPI(g\*\*k mod p), MPI (m * y\*\*k mod p) \[{{pkesk-elgamal}}] - 17 | DSA (Digital Signature Algorithm) {{!FIPS186=DOI.10.6028/NIST.FIPS.186-4}} {{HAC}} | MPI(p), MPI(q), MPI(g), MPI(y) \[{{key-dsa}}] | MPI(x) | MPI(r), MPI(s) \[{{sig-dsa}}] | N/A - 18 | ECDH public key algorithm | OID, MPI(point in curve-specific point format), KDFParams \[see {{curve-specific-formats}}, {{key-ecdh}}]| MPI(value in curve-specific format) \[{{curve-specific-formats}}]| N/A | MPI(point in curve-specific point format), size octet, encoded key \[{{curve-specific-formats}}, {{pkesk-ecdh}}, {{ecdh}}] - 19 | ECDSA public key algorithm {{FIPS186}} | OID, MPI(point in SEC1 format) \[{{key-ecdsa}}] | MPI(value) | MPI(r), MPI(s) \[{{sig-dsa}}] | N/A +ID | Algorithm | Public Key Format | Secret Key Format | Signature Format | PKESK Format | Expiration +---:|----------|-------------------|-------------------|------------------|--------------|----------- + 1 | RSA (Encrypt or Sign) {{HAC}} | MPI(n), MPI(e) \[{{key-rsa}}] | MPI(d), MPI(p), MPI(q), MPI(u) | MPI(m\**d mod n) \[{{sig-rsa}}] | MPI(m\**e mod n) \[{{pkesk-rsa}}] | 01.01.2030 + 2 | RSA 
Encrypt-Only {{HAC}} | MPI(n), MPI(e) \[{{key-rsa}}]| MPI(d), MPI(p), MPI(q), MPI(u) | N/A | MPI(m\**e mod n) \[{{pkesk-rsa}}] | Deprecated + 3 | RSA Sign-Only {{HAC}} | MPI(n), MPI(e) \[{{key-rsa}}] | MPI(d), MPI(p), MPI(q), MPI(u) | MPI(m\**d mod n) \[{{sig-rsa}}] | N/A | Deprecated + 16 | Elgamal (Encrypt-Only) {{ELGAMAL}} {{HAC}} | MPI(p), MPI(g), MPI(y) \[{{key-elgamal}}] | MPI(x) | N/A | MPI(g\*\*k mod p), MPI (m * y\*\*k mod p) \[{{pkesk-elgamal}}] | Deprecated + 17 | DSA (Digital Signature Algorithm) {{!FIPS186=DOI.10.6028/NIST.FIPS.186-4}} {{HAC}} | MPI(p), MPI(q), MPI(g), MPI(y) \[{{key-dsa}}] | MPI(x) | MPI(r), MPI(s) \[{{sig-dsa}}] | N/A | Deprecated + 18 | ECDH public key algorithm | OID, MPI(point in curve-specific point format), KDFParams \[see {{curve-specific-formats}}, {{key-ecdh}}]| MPI(value in curve-specific format) \[{{curve-specific-formats}}]| N/A | MPI(point in curve-specific point format), size octet, encoded key \[{{curve-specific-formats}}, {{pkesk-ecdh}}, {{ecdh}}] | 01.01.2035 + 19 | ECDSA public key algorithm {{FIPS186}} | OID, MPI(point in SEC1 format) \[{{key-ecdsa}}] | MPI(value) | MPI(r), MPI(s) \[{{sig-dsa}}] | N/A | 01.01.2035 20 | Reserved (formerly Elgamal Encrypt or Sign) 21 | Reserved for Diffie-Hellman (X9.42, as defined for IETF-S/MIME) - 22 | EdDSA {{RFC8032}} | OID, MPI(point in prefixed native format) \[see {{ec-point-prefixed-native}}, {{key-eddsa}}] | MPI(value in curve-specific format) \[see {{curve-specific-formats}}] | MPI, MPI \[see {{curve-specific-formats}}, {{sig-eddsa}}] | N/A + 22 | EdDSA {{RFC8032}} | OID, MPI(point in prefixed native format) \[see {{ec-point-prefixed-native}}, {{key-eddsa}}] | MPI(value in curve-specific format) \[see {{curve-specific-formats}}] | MPI, MPI \[see {{curve-specific-formats}}, {{sig-eddsa}}] | N/A | 01.01.2035 23 | Reserved (AEDH) 24 | Reserved (AEDSA) 100 to 110 | Private/Experimental algorithm 
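Review bot: the new Expiration column mixes two kinds of value and defines only one of them: RSA (1), ECDH (18), ECDSA (19) and EdDSA (22) get a date, while RSA Encrypt-Only (2), RSA Sign-Only (3), Elgamal (16) and DSA (17) get the literal `Deprecated`, and nothing in this table or in the registry prose says whether `Deprecated` counts as "already expired" for the MUST NOT rules that follow. Suggest stating that `Deprecated` is to be treated as an expiration date in the past, or simply using a past date in those cells. Two smaller points on the same hunk: `01.01.2030` / `01.01.2035` is a locale-dependent day-first notation and an RFC table should use ISO 8601 (`2030-01-01`) so day and month cannot be confused; and the RSA (1) lifetime is given independently of modulus size, so a 4096-bit and a 2048-bit key expire together in 2030, which deserves either a sentence of justification or a key-size qualifier in the cell.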
@@ -3154,6 +3154,11 @@ DSA (17) keys are deprecated and MUST NOT be generated (see {{dsa-notes}}). See {{reserved-notes}} for notes on Elgamal Encrypt or Sign (20), and X9.42 (21). Implementations MAY implement any other algorithm. +The Expiration column defines a lifetime for the algorithm. It can be expanded in a future standard and serves to ensure that implementations and keys are kept up to date. Past the expiration date an algorithm is to be considered expired when used with v5 keys. +An expired algorithm MUST NOT be used in key generation or encryption. +An implementation SHOULD NOT use an expired algorithm for verification unless the signature's creation date predates the expiration date, and the implementation is confident that the message has been in the secure custody of the user the whole time. +An implementation MAY allow decryption of messages after the algorithm expiration date to allow reading old messages already received. + Note that an implementation conforming to the previous version of this standard ({{RFC4880}}) have only DSA (17) and Elgamal (16) as its MUST-implement algorithms. A compatible specification of ECDSA is given in {{RFC6090}} as "KT-I Signatures" and in {{SEC1}}; ECDH is defined in {{ecdh}} of this document. 
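Review bot: scoping the rule to v5 keys ("is to be considered expired when used with v5 keys") leaves an open path: an implementation that wants to keep generating RSA keys or DSA signatures after the date can do so with v4 keys and still conform to this paragraph, so the restriction should either apply to every key version this document defines or say explicitly that v4 keys are exempt and why. Also on this hunk: the verification exception keys off the signature creation date, which is a signer-controlled hashed subpacket and can be backdated; the "secure custody" clause is what actually carries the weight there, but the hash-algorithm text later in this patch uses "predates known weakness of the algorithm" as its criterion instead, so the two sections should settle on one. Every check added here also depends on the implementation knowing the current date; the text should say what an implementation without a trusted clock (an offline signing device, for instance) is expected to do. Finally, "It can be expanded in a future standard" reads better as "extended", and should state whether a future revision may only move a date later or may also bring it forward.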
@@ -3210,30 +3215,32 @@ For the native octet-string forms of ECDH secret scalars and points, see {{RFC77 ## Symmetric-Key Algorithms {#symmetric-algos} {: title="Symmetric-key algorithm registry"} -ID | Algorithm +ID | Algorithm | Expiration ---:|------------------------------------ - 0 | Plaintext or unencrypted data - 1 | IDEA {{IDEA}} - 2 | TripleDES (DES-EDE, {{SCHNEIER}}, {{HAC}} - 168 bit key derived from 192) - 3 | CAST5 (128 bit key, as per {{RFC2144}}) - 4 | Blowfish (128 bit key, 16 rounds) {{BLOWFISH}} + 0 | Plaintext or unencrypted data | None + 1 | IDEA {{IDEA}} | Deprecated + 2 | TripleDES (DES-EDE, {{SCHNEIER}}, {{HAC}} - 168 bit key derived from 192) | Deprecated + 3 | CAST5 (128 bit key, as per {{RFC2144}}) | Deprecated + 4 | Blowfish (128 bit key, 16 rounds) {{BLOWFISH}} | Deprecated 5 | Reserved 6 | Reserved - 7 | AES with 128-bit key {{!AES=DOI.10.6028/NIST.FIPS.197}} - 8 | AES with 192-bit key - 9 | AES with 256-bit key - 10 | Twofish with 256-bit key {{TWOFISH}} - 11 | Camellia with 128-bit key {{RFC3713}} - 12 | Camellia with 192-bit key - 13 | Camellia with 256-bit key + 7 | AES with 128-bit key {{!AES=DOI.10.6028/NIST.FIPS.197}} | 01.01.2035 + 8 | AES with 192-bit key | 01.01.2035 + 9 | AES with 256-bit key | 01.01.2040 + 10 | Twofish with 256-bit key {{TWOFISH}} | 01.01.2040 + 11 | Camellia with 128-bit key {{RFC3713}} | 01.01.2035 + 12 | Camellia with 192-bit key | 01.01.2035 + 13 | Camellia with 256-bit key | 01.01.2040 100 to 110 | Private/Experimental algorithm 253, 254 and 255 | Reserved to avoid collision with Secret Key Encryption (see {{secret-key-encryption}} and {{secret-key-packet-formats}}) Implementations MUST implement AES-128. Implementations SHOULD implement AES-256. -Implementations MUST NOT encrypt data with IDEA, TripleDES, or CAST5. -Implementations MAY decrypt data that uses IDEA, TripleDES, or CAST5 for the sake of reading older messages or new messages from legacy clients. 
-An Implementation that decrypts data using IDEA, TripleDES, or CAST5 SHOULD generate a deprecation warning about the symmetric algorithm, indicating that message confidentiality is suspect. + +The Expiration column defines a lifetime for the algorithm, past the date it is considered expired when used with v5 keys. +Implementations MUST NOT encrypt data with IDEA, TripleDES, CAST5, or an expired algorithm. +Implementations MAY decrypt data that uses IDEA, TripleDES, CAST5, or an expired algorithm for the sake of reading older messages or new messages from legacy clients. +An Implementation that decrypts data using IDEA, TripleDES, CAST5, or an expired algorithm SHOULD generate a deprecation warning about the symmetric algorithm, indicating that message confidentiality is suspect. Implementations MAY implement any other algorithm. ## Compression Algorithms {#compression-algos} 
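Review bot: the table separator row ` ---:|------------------------------------` is left as unchanged context with two cells while the new header `ID | Algorithm | Expiration` has three, so the added column will not render as a column; the separator needs a third segment (`---:|----------|-----------`, as the hash table in this patch already does). Two consistency problems in the same hunk: Blowfish (4) is marked `Deprecated` in the table, but the rewritten prose still names only IDEA, TripleDES and CAST5 in the MUST NOT encrypt / MAY decrypt / SHOULD warn sentences, so Blowfish is covered only if `Deprecated` is defined to mean expired, which the text does not do; and AES-128 (7) is given an expiration of 01.01.2035 while the unchanged sentence `Implementations MUST implement AES-128.` stays, so from that date the mandatory-to-implement cipher is one that MUST NOT be used for encryption. Either align AES-128 with AES-256 or add a sentence on how the MUST-implement requirement interacts with expiration. Minor: `None` for Plaintext (0) is a third kind of cell value where `N/A` is the convention elsewhere in these tables, and "past the date it is considered expired" is a comma splice ("... for the algorithm; past that date it is considered expired ...").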
@@ -3255,32 +3262,34 @@ Implementations MAY implement any other algorithm. ## Hash Algorithms {#hash-algos} {: title="Hash algorithm registry"} -ID | Algorithm | Text Name ----:|----------|-------------- - 1 | MD5 {{HAC}} | "MD5" - 2 | SHA-1 {{!FIPS180=DOI.10.6028/NIST.FIPS.180-4}}, {{sha1cd}} | "SHA1" - 3 | RIPEMD-160 {{HAC}} | "RIPEMD160" +ID | Algorithm | Text Name | Expiration +---:|----------|-----------|----------- + 1 | MD5 {{HAC}} | "MD5" | Deprecated + 2 | SHA-1 {{!FIPS180=DOI.10.6028/NIST.FIPS.180-4}}, {{sha1cd}} | "SHA1" | Deprecated + 3 | RIPEMD-160 {{HAC}} | "RIPEMD160" | Deprecated 4 | Reserved 5 | Reserved 6 | Reserved 7 | Reserved - 8 | SHA2-256 {{FIPS180}} | "SHA256" - 9 | SHA2-384 {{FIPS180}} | "SHA384" - 10 | SHA2-512 {{FIPS180}} | "SHA512" - 11 | SHA2-224 {{FIPS180}} | "SHA224" - 12 | SHA3-256 {{!FIPS202=DOI.10.6028/NIST.FIPS.202}} | "SHA3-256" + 8 | SHA2-256 {{FIPS180}} | "SHA256" | 01.01.2035 + 9 | SHA2-384 {{FIPS180}} | "SHA384" | 01.01.2035 + 10 | SHA2-512 {{FIPS180}} | "SHA512" | 01.01.2035 + 11 | SHA2-224 {{FIPS180}} | "SHA224" | 01.01.2035 + 12 | SHA3-256 {{!FIPS202=DOI.10.6028/NIST.FIPS.202}} | "SHA3-256" | 01.01.2040 13 | Reserved - 14 | SHA3-512 {{FIPS202}} | "SHA3-512" + 14 | SHA3-512 {{FIPS202}} | "SHA3-512" | 01.01.2040 100 to 110 | Private/Experimental algorithm Implementations MUST implement SHA2-256. Implementations SHOULD implement SHA2-384 and SHA2-512. Implementations MAY implement other algorithms. Implementations SHOULD NOT create messages which require the use of SHA-1 with the exception of computing version 4 key fingerprints and for purposes of the Modification Detection Code (MDC) in version 1 Symmetrically Encrypted Integrity Protected Data packets. -Implementations MUST NOT generate signatures with MD5, SHA-1, or RIPEMD-160. -Implementations MUST NOT use MD5, SHA-1, or RIPEMD-160 as a hash function in an ECDH KDF. -Implementations MUST NOT validate any recent signature that depends on MD5, SHA-1, or RIPEMD-160. 
-Implementations SHOULD NOT validate any old signature that depends on MD5, SHA-1, or RIPEMD-160 unless the signature's creation date predates known weakness of the algorithm used, and the implementation is confident that the message has been in the secure custody of the user the whole time. + +The Expiration column defines a lifetime for the algorithm, past the date it is considered expired when used with v5 keys. +Implementations MUST NOT generate signatures with MD5, SHA-1, RIPEMD-160, or an expired algorithm. +Implementations MUST NOT use MD5, SHA-1, RIPEMD-160, or an expired algorithm as a hash function in an ECDH KDF. +Implementations MUST NOT validate any recent signature that depends on MD5, SHA-1, RIPEMD-160, or an expired algorithm. +Implementations SHOULD NOT validate any old signature that depends on MD5, SHA-1, RIPEMD-160, or an expired algorithm unless the signature's creation date predates known weakness of the algorithm used, and the implementation is confident that the message has been in the secure custody of the user the whole time. ## AEAD Algorithms {#aead-algorithms} -- 2.34.1
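Review bot: SHA2-256 (8) expires 01.01.2035 but `Implementations MUST implement SHA2-256.` is unchanged in the same hunk, so after that date the mandatory-to-implement hash is one that MUST NOT be used to generate signatures or in an ECDH KDF; the document needs to say what happens to the MUST-implement requirement when a date passes (the symmetric table has the same problem with AES-128). The SHOULD NOT sentence for old signatures keeps "unless the signature's creation date predates known weakness of the algorithm used" as its criterion even though it now also covers expired algorithms, for which there may be no known weakness at all; the public-key section in this patch uses "predates the expiration date", which is the checkable one, so pick that wording here too. The "recent" versus "old" split is also undefined for expired algorithms: by this sentence a signature made the day before expiry is "old". Lastly, SHA2-512 (10) expires in 2035 while SHA3-512 (14) expires in 2040, and likewise SHA2-256 (8) versus SHA3-256 (12), with no rationale given; both pairs offer the same digest length and the same collision resistance, so a one-line justification or aligned dates would help.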