From owner-ietf-openpgp@mail.imc.org  Tue Oct  2 12:31:30 2001
Date: Tue, 2 Oct 2001 17:55:46 +0200 (CEST)
From: Jan Petranek <jan.petranek@student.uni-tuebingen.de>
X-Sender:  <zxmsf28@linux45.zdv.uni-tuebingen.de>
To: <ietf-openpgp@imc.org>
Subject: (slight) Error in rfc2440
Message-ID: <Pine.LNX.4.30.0110021747080.23282-100000@linux45.zdv.uni-tuebingen.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Hello out there,

I just read RFC 2440 (on OpenPGP), dated November 1998, and it seems
there is an error in it.

In section  2.1. "Confidentiality via Encryption", it says:

"With public-key encryption, the object is encrypted using a symmetric
encryption algorithm."

I believe it should read

"With symmetric-key encryption, the object is encrypted using a symmetric
      ^^^^^^^^^^^^^
encryption algorithm."

I believe the author intended to talk about symmetric encryption here,
because in the next sentences he discusses the role of symmetric encryption
used in OpenPGP.
Furthermore, if the key of a symmetric encryption were public, as the
original text suggests, it would render the encryption completely worthless.

As I'm already messing with the RFC, I may just as well add this
suggestion: in the section describing the packet lengths, the lengths in
the text are written in decimal, whereas they are written in octal in the
examples (of course). It might improve readability if both notations
were used in the text, like
"100 (0x64) packets will follow"

With my best wishes,

Jan Petranek



From owner-ietf-openpgp@mail.imc.org  Tue Oct  2 18:10:14 2001
Mime-Version: 1.0
X-Sender: jon@merrymeet.com
Message-Id: <p05101009b7dfe5e6b524@[63.73.97.181]>
In-Reply-To: 
 <Pine.LNX.4.30.0110021747080.23282-100000@linux45.zdv.uni-tuebingen.de>
References: 
 <Pine.LNX.4.30.0110021747080.23282-100000@linux45.zdv.uni-tuebingen.de>
Date: Tue, 2 Oct 2001 14:45:37 -0700
To: Jan Petranek <jan.petranek@student.uni-tuebingen.de>,
        <ietf-openpgp@imc.org>
From: Jon Callas <jon@callas.org>
Subject: Re: (slight) Error in rfc2440
Content-Type: text/plain; charset="us-ascii"


Thanks. I've massaged that paragraph. The new one reads:

OpenPGP combines symmetric-key encryption and public key encryption to
provide confidentiality. When made confidential, first the object is
encrypted using a symmetric encryption algorithm.  Each symmetric key is
used only once. A new "session key" is generated as a random number for
each message. Since it is used only once, the session key is bound to the
message and transmitted with it.  To protect the key, it is encrypted with
the receiver's public key. The sequence is as follows:


From owner-ietf-openpgp@mail.imc.org  Wed Oct  3 14:45:14 2001
Message-ID: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>
From: "Jivsov, Andrey" <Andrey_Jivsov@NAI.com>
To: "'moeller@cdc.informatik.tu-darmstadt.de'"
	 <moeller@cdc.informatik.tu-darmstadt.de>,
        hal@finney.org
Cc: Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org
Subject: RE: Comments on ECC draft
Date: Wed, 3 Oct 2001 13:24:36 -0500 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"


> -----Original Message-----
> From: bmoeller@hrzpub.tu-darmstadt.de
> [mailto:bmoeller@hrzpub.tu-darmstadt.de]
> Sent: Monday, September 10, 2001 12:50 PM
> To: hal@finney.org
> Cc: Dominikus.Scherkl@biodata.com; ietf-openpgp@imc.org;
> andrey_jivsov@NAI.com; hal_finney@NAI.com
> Subject: Re: Comments on ECC draft
...
> > Our concern with the special primes 1-2 is that this area seems 
> > to be covered by patents.
...
> What patents?  These should be patents applied for by the NSA (the
> optimizations for pseudo-Mersenne primes are due to Jerry Solinas).
> I'm not sure how they'd handle licensing -- the patents for Jerry's
> algorithms for Koblitz curves have already been issued earlier this
> year, and presumably licensing would be similar to that, whatever this
> means.  (Hopefully no restrictions, as for DSA, which is also
> patented.)
>
> (Note that the FIPS recommended curves over prime fields all are based
> on pseudo-Mersenne primes.  Of course applications that want to use
> optimized modular arithmetic for these primes can do so, whether or
> not special field descriptors are used.)

US patents 5,159,632, 5,463,690 and 5,271,061 "Method and apparatus for
public key exchange in a cryptographic system" cover the 2^m-C prime field
with NeXT as the assignee. While there are some patents with J. Solinas as
an inventor and NSA as the assignee covering Koblitz curves, there are no
similar patents for the 2^m-C case.

The 1999 paper "Generalized Mersenne Numbers" by J. Solinas has the
above-mentioned patent 5,159,632 in its reference section. This paper
instead describes primes of the form 2^m+B_n+...+B_0, where B_n+...+B_0=C
is not small (applicable to NIST curves). Therefore, group types 1 and 2
from the draft can only be used to describe patented fields.

In contrast with Mersenne prime fields, binary fields have been around for
a long time, are patent-free for software implementation, sufficiently
fast for software and superior for hardware implementations, allow Koblitz
curve optimizations and are the only current choice for IKE ECC DH groups.


From owner-ietf-openpgp@mail.imc.org  Mon Oct 15 14:30:09 2001
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>
Subject: separation of signed and encrypted messages into free-standing signed messages -- revisited
Date: Mon, 15 Oct 2001 14:00:50 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE42H5qRFapNuT1FM1J00001511@hotmail.com>
X-OriginalArrivalTime: 15 Oct 2001 18:01:22.0940 (UTC) FILETIME=[666AF3C0:01C155A3]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

is there any way to separate a message that was signed and encrypted to a
dh key, into a free-standing verifiable signed message?

am aware that rfc 2440 requires this, but has it actually been 'tested'
with dh keys to see if it is so?

{do 'not' mean to criticize dh keys,
on the contrary, would find it a security 'benefit' of a dh key if it could
'not' be done, even if it required reconsideration of this aspect of the
rfc-2440 }

so far, have been able to separate messages signed and encrypted to an rsa
key, both for rsa and dh/dss signatures


tia,

vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: { Acts of Kindness better the World, and protect the Soul }
Comment: KeyID: 0x6A05A0B785306D25
Comment: Fingerprint: 96A6 5F71 1C43 8423  D9AE 02FD A711 97BA

-----END PGP SIGNATURE-----



From owner-ietf-openpgp@mail.imc.org  Mon Oct 15 15:07:06 2001
Date: Mon, 15 Oct 2001 16:02:32 +0200
From: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>
To: "Jivsov, Andrey" <Andrey_Jivsov@NAI.com>
Cc: hal@finney.org, Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org
Subject: Re: Comments on ECC draft
Message-ID: <20011015160232.C7738b@cdc.informatik.tu-darmstadt.de>
References: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2i
In-Reply-To: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>; from Andrey_Jivsov@NAI.com on Wed, Oct 03, 2001 at 01:24:36PM -0500


On Wed, Oct 03, 2001 at 01:24:36PM -0500, Jivsov, Andrey wrote:

>> From: bmoeller@hrzpub.tu-darmstadt.de

>>> Our concern with the special primes 1-2 is that this area seems 
>>> to be covered by patents.

>> What patents?  These should be patents applied for by the NSA (the
>> optimizations for pseudo-Mersenne primes are due to Jerry Solinas).
>> I'm not sure how they'd handle licensing -- the patents for Jerry's
>> algorithms for Koblitz curves have already been issued earlier this
>> year, and presumably licensing would be similar to that, whatever this
>> means.  (Hopefully no restrictions, as for DSA, which is also
>> patented.)
>>
>> (Note that the FIPS recommended curves over prime fields all are based
>> on pseudo-Mersenne primes.  Of course applications that want to use
>> optimized modular arithmetic for these primes can do so, whether or
>> not special field descriptors are used.)

> US patents 5,159,632, 5,463,690 and 5,271,061 "Method and apparatus for
> public key exchange in a cryptographic system" cover 2^m-C prime field with
> NeXT as an assignee. [...]

Thanks for the pointers.


> The 1999 paper "Generalized Mersenne Numbers" by J. Solinas has
> abovementioned patent 5,159,632 in a reference section.

Solinas cites Knuth for efficient arithmetic modulo Mersenne numbers
(m = 2^k - 1) and writes (in the introduction to his 1999 Technical
Report "Generalized Mersenne Numbers")

    "It is [...] of interest to generalize the above technique to
    families of numbers containing primes.

    One such family is due to Richard Crandall [2], namely, the
    integers  2^k - c  for  c  positive and small enough to fit into
    one word.  In this paper, we generalize in a different direction.
    Although there is some overlap, many of the generalized Mersenne
    numbers presented here are not Crandall numbers."

([2] is Crandall's patent 5,159,632.)

So while there are patent issues with efficient arithmetic for
Crandall's pseudo Mersenne prime fields, it seems there is no known
patent affecting Solinas' generalized Mersenne prime fields.


>                                                         This paper describes
> primes in the form 2^m+B_n+...+B_0 instead, where B_n+...+B_0=C is not small
> (applicable to NIST curves). Therefore, group types 1 and 2 from the draft
> can only be used to describe patented fields. 

... where the types applicable to prime fields are defined as follows
(in draft-scherkl-openpgp-ecc-00.txt):

    0: Named curve (followed by curve_name)
    1: Pseudo mersenne prime field F(p) (followed by r and c.
       p = 2^r - c, "below some twopower")
    2: Pseudo mersenne prime field F(p) (followed by r and c.
       p = 2^r + c, "above some twopower")
    3: Prime field F(p) (followed by p)

Type 3 obviously covers any finite prime field, but does not indicate
what optimizations may apply.  Types 1 and 2 also cover any finite
prime field because the definition does not impose limits on  c;
in the case of the Crandall patents you cited above,  c  would
be very small (usually a single processor word), whereas in the case
of NIST curves and similar curves, it would be quite long, but
shorter than  p.  So not *all* curves using type 1 or 2 fields
would be covered by the Crandall patents.  But maybe a field type
more suitable for generalized Mersenne numbers should be defined.



-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
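
The division-free reduction that the type 1 and type 2 descriptors quoted above are meant to enable, as an added example (not code from draft-scherkl-openpgp-ecc-00 or from anyone in the thread); the class and function names are the example's own, and 2^255 - 19, 2^16 + 1 and the NIST P-256 prime are the sample moduli.

```python
"""Division-free reduction for the draft's type 1 and type 2 prime fields.

Added example, not code from draft-scherkl-openpgp-ecc-00 or from anyone
in the thread; the class and function names are this example's own.

Type 1 carries (r, c) with p = 2^r - c, type 2 with p = 2^r + c.  Since
2^r == +c (type 1) or 2^r == -c (type 2) modulo p, a value x = hi*2^r + lo
collapses to lo + hi*c or lo - hi*c: a multiply by c instead of a long
division.  That is cheap when c fits in a word (Crandall's case); the same
code still runs when c is hundreds of bits wide, which is the point that
types 1 and 2 can describe any prime at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PseudoMersenneField:
    r: int       # exponent of the two-power from the descriptor
    c: int       # offset from the descriptor, 0 < c < 2^r
    above: bool  # False: type 1, p = 2^r - c;  True: type 2, p = 2^r + c

    def __post_init__(self) -> None:
        if not 0 < self.c < (1 << self.r):
            raise ValueError("descriptor needs 0 < c < 2^r")

    @property
    def p(self) -> int:
        return (1 << self.r) + self.c if self.above else (1 << self.r) - self.c

    def reduce(self, x: int) -> int:
        """Return x mod p using shifts, masks and multiplications by c only.

        Any integer x is accepted: Python's >> is an arithmetic shift, so
        x == (x >> r) * 2^r + (x & mask) holds for negative x as well, and
        each fold keeps x congruent to its old value modulo p.  Folds shrink
        |x| by roughly the factor c / 2^r, so the loop is short when c is
        small relative to 2^r and gets longer as c approaches 2^r.
        """
        mask = (1 << self.r) - 1
        if self.above:
            # p > 2^r, so values in [2^r, p) are already reduced; folding
            # them would bounce between 2^r and -c, hence the range test.
            while x < 0 or x >= self.p:
                hi, lo = x >> self.r, x & mask
                x = lo - hi * self.c
        else:
            # Fold until 0 <= x < 2^r, then at most one subtraction of p
            # (p = 2^r - c, so x - p < c < p) finishes the job.
            while x >> self.r:
                hi, lo = x >> self.r, x & mask
                x = lo + hi * self.c
            if x >= self.p:
                x -= self.p
        return x

    def mulmod(self, a: int, b: int) -> int:
        """Field multiplication: reduce the double-length product."""
        return self.reduce(self.reduce(a) * self.reduce(b))


# Type 1 with a one-word c, the Crandall "below a two-power" case:
# 2^255 - 19 is a well-known prime of this shape.
P25519 = PseudoMersenneField(r=255, c=19, above=False)

# Type 2, "above a two-power": 2^16 + 1 = 65537 is prime.
F65537 = PseudoMersenneField(r=16, c=1, above=True)

# The NIST P-256 prime 2^256 - 2^224 + 2^192 + 2^96 - 1 written as a type 1
# descriptor.  It is a generalized Mersenne prime, so c is 224 bits wide:
# the descriptor fits, but "multiply by c" is no longer a one-word step.
P256 = PseudoMersenneField(r=256, c=(1 << 224) - (1 << 192) - (1 << 96) + 1,
                           above=False)


def check_against_division(field: PseudoMersenneField, samples: int) -> bool:
    """Cross-check reduce() against Python's % on constructed inputs."""
    p = field.p
    probes = [0, 1, p - 1, p, p + 1, (p - 1) * (p - 1), -1, -p, -(p * p)]
    # Constructed pseudo-random double-length values, spread over [0, p^2).
    probes += [pow(0x9E3779B97F4A7C15, i + 1, p * p) for i in range(samples)]
    return all(field.reduce(x) == x % p for x in probes)


if __name__ == "__main__":
    for name, f in (("2^255-19", P25519), ("2^16+1", F65537), ("P-256", P256)):
        print(f"{name}: c is {f.c.bit_length()} bits wide, "
              f"matches division: {check_against_division(f, 500)}")
```

Running it shows c as 5 bits for 2^255-19 but 224 bits for P-256: both fit a type 1 descriptor, and only the first is the small-c case the Crandall patents are about.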


From owner-ietf-openpgp@mail.imc.org  Mon Oct 15 23:47:03 2001
Message-ID: <3BCA4A25.40F4DB4B@zetnet.co.uk>
Date: Mon, 15 Oct 2001 03:29:57 +0100
From: David Hopwood <david.hopwood@zetnet.co.uk>
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en-GB,en,fr-FR,fr,de-DE,de,ru
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: Comments on ECC draft
References: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----

"Jivsov, Andrey" wrote:
> bmoeller@hrzpub.tu-darmstadt.de wrote:
> > (Note that the FIPS recommended curves over prime fields all are based
> > on pseudo-Mersenne primes.  Of course applications that want to use
> > optimized modular arithmetic for these primes can do so, whether or
> > not special field descriptors are used.)
> 
> US patents 5,159,632, 5,463,690 and 5,271,061 "Method and apparatus for
> public key exchange in a cryptographic system" cover 2^m-C prime field with
> NeXT as an assignee. While there are some patents with J. Solinas as an
> inventor and NSA as an assignee covering Koblitz curves, there are no
> similar patents for the 2^m-C.

<http://cr.yp.to/patents/us/5159632.html> says that there is prior art
for all the interesting claims of this patent, in a CRYPTO '89 article
published more than one year before the patent was filed.
5,271,061 and 5,463,690 are continuations of 5,159,632.

- -- 
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 00:15:25 2001
Message-ID: <3BCA51EB.D3D5F054@zetnet.co.uk>
Date: Mon, 15 Oct 2001 04:03:07 +0100
From: David Hopwood <david.hopwood@zetnet.co.uk>
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en-GB,en,fr-FR,fr,de-DE,de,ru
MIME-Version: 1.0
To: vedaal <vedaal@hotmail.com>, ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages into free-standing 
 signed messages -- revisited
References: <OE42H5qRFapNuT1FM1J00001511@hotmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----

vedaal wrote:
> is there any way to separate a message that was signed and encrypted
> to a dh key, into a free-standing verifiable signed message?

If-and-only-if the private encryption key is known, yes. This is no
different to 'sign and RSA-encrypt'.

- -- 
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 10:28:46 2001
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>
Subject: re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 10:01:57 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE58s955E3yIyEOadke00001939@hotmail.com>
X-OriginalArrivalTime: 16 Oct 2001 14:02:30.0698 (UTC) FILETIME=[322620A0:01C1564B]


David Hopwood wrote:

> vedaal wrote:
>> is there any way to separate a message that was signed and encrypted
>> to a dh key, into a free-standing verifiable signed message?
>
> If-and-only-if the private encryption key is known, yes. This is no
> different to 'sign and RSA-encrypt'.

yes,
but is there any way to do it, short of rewriting gpg, pgp to include a -d
command similar to the -d command of 2.6.3?

on a related note:

the separation that can be done now is from 2.6.x using the command:
  pgp -da (filename).pgp
which (after giving the correct passphrase) produces
  filename.asc
which is a free-standing armored signed file, verifiable, and displaying the
text of the original message, but is clearly different from an intentional
armored signature file, which usually begins with 'ow' as the first two
characters of the pgp block,

so,

would it be possible to somehow link such a separated signed file, and show
that it had to be from a specific signed and encrypted file? {possibly
through an mdc tag on the armor}

if it 'could' be done,

then, one would 'not' have to surrender a session key or secret key to
decrypt a signed and encrypted e-mail,

one could simply {from a remote area, without anyone needed to 'witness' the
decryption process} separate it into the armored signed file, and release
that to the 'authorities', and show that it had to have come from the
specific signed and encrypted e-mail in question.


vedaal





From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 11:53:37 2001
Message-ID: <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 11:29:06 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200


-----BEGIN PGP SIGNED MESSAGE-----

> but is there any way to do it, short of rewriting gpg, pgp to include a -d
> command similar to the -d command of 2.6.3?

It doesn't appear that GnuPG has such a switch now.  But it would
be easy to build.

> one could simply {from a remote area, without anyone needed to 'witness'
> the decryption process}
> separate it into the armored signed file, and release that to the
> 'authorities', and show that it had to have come from
> the specific signed and encrypted e-mail in question.

No.  The message(+signature) contents are symmetrically encrypted.
There is no way to prove that the plaintext generates that specific
ciphertext without giving up the session key.  Demonstrating
a decrypted signature or MDC shouldn't convince anyone that the
full plaintext matches that ciphertext.

If you're willing to show the plaintext, why do you care about
protecting the session key?  Are you reusing it?  This might be an
issue for a PGPdisk, for example, where one symmetric key protects the
entire contents...  you can't reveal+prove selected parts.  It
shouldn't be for ordinary OpenPGP uses.  Are you afraid that
your randomness source has been compromised, such that other
session keys could be deduced?  If so, you have a serious problem.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 12:08:02 2001
To: "Michael Young" <mwy-opgp97@the-youngs.org>
Cc: <ietf-openpgp@imc.org>
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
From: Derek Atkins <warlord@mit.edu>
Date: 16 Oct 2001 11:40:18 -0400
In-Reply-To: "Michael Young"'s message of "Tue, 16 Oct 2001 11:29:06 -0400"
Message-ID: <sjmhesz3865.fsf@rcn.ihtfp.org>
Lines: 30
X-Mailer: Gnus v5.5/Emacs 20.3


Actually, revealing the encrypted-session-key for an OpenPGP message
should give you sufficient information to link the plaintext to the
encrypted message without actually giving away your private key or
passphrase.  Considering that PGP implementations should be choosing
random session keys, this implies that session keys should not be
re-used.

-derek

"Michael Young" <mwy-opgp97@the-youngs.org> writes:

> No.  The message(+signature) contents are symmetrically encrypted.
> There is no way to prove that the plaintext generates that specific
> ciphertext without giving up the session key.  Demonstrating
> a decrypted signature or MDC shouldn't convince anyone that the
> full plaintext matches that ciphertext.
> 
> If you're willing to show the plaintext, why do you care about
> protecting the session key?  Are you reusing it?  This might be an
> issue for a PGPdisk, for example, where one symmetric key protects the
> entire contents...  you can't reveal+prove selected parts.  It
> shouldn't be for ordinary OpenPGP uses.  Are you afraid that
> your randomness source has been compromised, such that other
> session keys could be deduced?  If so, you have a serious problem.

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 13:22:53 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11490
	for <openpgp-archive@odin.ietf.org>; Tue, 16 Oct 2001 13:22:53 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9GH92S05238
	for ietf-openpgp-bks; Tue, 16 Oct 2001 10:09:02 -0700 (PDT)
Received: from hotmail.com (oe55.law3.hotmail.com [209.185.240.55])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GH90D05234
	for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 10:09:00 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Tue, 16 Oct 2001 10:08:57 -0700
X-Originating-IP: [63.211.85.132]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>, "Michael Young" <mwy-opgp97@the-youngs.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 13:08:23 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE55rFHLqbp3eccmgeR00001add@hotmail.com>
X-OriginalArrivalTime: 16 Oct 2001 17:08:57.0913 (UTC) FILETIME=[3E3FAA90:01C15665]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

- ----- Original Message ----- 
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
Sent: Tuesday, October 16, 2001 11:29 AM
Subject: Re: separation of signed and encrypted messages


 
> If you're willing to show the plaintext, why do you care about
> protecting the session key?  Are you reusing it?  This might be an
> issue for a PGPdisk, for example, where one symmetric key protects the
> entire contents...  you can't reveal+prove selected parts.  

for an rsa key,
if one has the session key, ciphertext and plaintext,
and, at some point, 
*if*
md5 is 'fully' broken,
would it not be possible to retrieve the secret key and passphrase?


vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: { Acts of Kindness better the World, and protect the Soul }
Comment: KeyID: 0x6A05A0B785306D25
Comment: Fingerprint: 96A6 5F71 1C43 8423  D9AE 02FD A711 97BA

iQEVAwUBO8xphmoFoLeFMG0lAQOeXgf+L0PAnxSnZ6NXzM9wfJN+4IquwhjMsJXQ
Y3Odn6TDcPTJY9CA8IHYNCoh59b0pAwwR4R9phmRaIbH45HmmKLTZBXei8UtI3Ok
J162JyJTcas8SMKkMNJTz5q1GJ3V+Ij8TevJAAWjYH1CL1zoZ/xIYfLauLP4HocB
rFhrQm/QvYYse+qbCEm+erkY5SlarmkG4w/GjRWQPkjASNzNX6xZBsywKuqTUcYi
+pI2el+JUSvVD9VHTHlMb7xE0Awfmp3c5v7OCKTrz6uaON7BN52MXRJlXZK8VAvT
5ee6wwyn5FoatHAjnf/Z/GAvcJQdLj8rYTF719BF4wLoi1wX0frNKA==
=FR1H
-----END PGP SIGNATURE-----



From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 13:45:43 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA12355
	for <openpgp-archive@odin.ietf.org>; Tue, 16 Oct 2001 13:45:43 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9GHVSI05763
	for ietf-openpgp-bks; Tue, 16 Oct 2001 10:31:28 -0700 (PDT)
Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GHVQD05758
	for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 10:31:26 -0700 (PDT)
Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id NAA10566 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 13:22:57 -0400 (EDT)
Received: from mwyoung (dhcp-195-23.transarc.ibm.com [9.38.195.223]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id NAA17165 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 13:31:22 -0400 (EDT)
Message-ID: <009a01c15668$5d5abde0$dfc32609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <OE55rFHLqbp3eccmgeR00001add@hotmail.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 13:31:17 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----

vedaal wrote:
> for an rsa key,
> if one has the session key, ciphertext and plaintext,
> and, at some point, 
> *if*
> md5 is 'fully' broken,
> would it not be possible to retrieve the secret key and passphrase?

I think you may have two different uses of symmetric keys mixed up.
A symmetric key protects the private part of your public/private keypair;
it is the one generated from your passphrase (using a hash, such as MD5).
Another "session key" protects the contents of a message; for messages
encrypted to a public key, it is random, and involves no hashing or
passphrase.

An "attacker" can already generate any number of session keys and
ciphertexts to go with your plaintext and signature (once you're
willing to reveal that).  They can encrypt those session keys with
your public key.  Giving out the one session key for a particular
ciphertext does no harm, unless that session key is (improperly)
related to others.

If you were considering encrypting directly to a passphrase, and the
hash were *badly* broken (such that you could generate pre-images of a
constrained pattern from an end hash), then indeed, this could be
a concern.  From the session key and salt, you might be able to
back-compute the passphrase.  If it were used elsewhere, then you
could be in trouble.  Still a little far-fetched.  Moreover,
you said "RSA", so I don't think this is what you meant.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO8xuxGNDnIII+QUHAQELKggAptcs6Eirbbm4HGTsBeIDdypPDbOsKrZq
42u7g69nnE7ulfPQOfGhya3xDSf/dj79e5Mxu3s3JG/xPjFTiKScwHiuw1eGdnaK
KD64Ex/gdsXxzTmSWjQwarG3fEv9eve2j9Wsr6rkEgmayzu+8NC/FvbOQBaS0KOA
SE+w+Dn8kmhiHHmERtNMh8z9q12UapgTR75pUQu5ncvpXZvz0ICsd7OSfuF04E13
z7GiU3BMQM66VwOwek1a3rEqEdu8mJkUwLatxMzFFjDSrcrnvxYuCS8HGEJG028Q
gA6ZPUgrLDh6uqBir9FnsJatKrQhge6SnbboBNlrImq2kvwEdHHG1Q==
=w7IG
-----END PGP SIGNATURE-----

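To make the two points above concrete, here is an added example in Go (not code from the thread or from any OpenPGP implementation): a toy hybrid encryption in the OpenPGP shape, in which anyone holding only the public key can produce a fresh session key and ciphertext for a given plaintext, and in which revealing one message's random session key lets a third party confirm the plaintext/ciphertext link without the private key or passphrase. AES-CTR and RSA-OAEP stand in for OpenPGP's CFB variant and PKCS#1 v1.5 padding; SealedMessage, Seal, Unseal and LinkProven are names of the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedMessage models the two halves of a public-key-encrypted OpenPGP
// message: the session key wrapped to the recipient's public key and the
// body encrypted symmetrically under that session key.
type SealedMessage struct {
	WrappedKey []byte // random session key encrypted to the recipient's RSA key
	IV         []byte
	Body       []byte // plaintext encrypted with AES-128 under the session key
}

// symEncrypt runs AES-CTR with the given key and IV. OpenPGP specifies a CFB
// variant; the argument is the same for both, since a fixed key and IV map a
// plaintext to exactly one ciphertext.
func symEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// Seal is what any sender, hostile or not, can do with nothing but the
// recipient's public key: draw a fresh random session key, encrypt the
// plaintext under it and wrap the key with RSA. No passphrase or hash is involved.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*SealedMessage, []byte, error) {
	sessionKey := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, nil, err
	}
	body, err := symEncrypt(sessionKey, iv, plaintext)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return &SealedMessage{WrappedKey: wrapped, IV: iv, Body: body}, sessionKey, nil
}

// Unseal is the recipient's side and the only step that needs the private key.
func Unseal(priv *rsa.PrivateKey, msg *SealedMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(msg.Body))
	cipher.NewCTR(block, msg.IV).XORKeyStream(out, msg.Body) // CTR decrypts by re-encrypting
	return out, nil
}

// LinkProven is the third party's check: given the revealed session key, the
// claimed plaintext and the ciphertext, re-encrypt and compare. The private
// key is never needed, and because every message has its own random session
// key the proof says nothing about any other message.
func LinkProven(sessionKey []byte, msg *SealedMessage, claimedPlaintext []byte) bool {
	body, err := symEncrypt(sessionKey, msg.IV, claimedPlaintext)
	return err == nil && bytes.Equal(body, msg.Body)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample message") // constructed sample input
	msg, sessionKey, err := Seal(&priv.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	got, _ := Unseal(priv, msg)
	fmt.Printf("recipient decrypts correctly: %v\n", bytes.Equal(got, plaintext))
	fmt.Printf("session key links plaintext to ciphertext: %v\n", LinkProven(sessionKey, msg, plaintext))
	fmt.Printf("same key accepts a different plaintext: %v\n", LinkProven(sessionKey, msg, []byte("a different claimed message")))
	other, _, _ := Seal(&priv.PublicKey, plaintext) // second message to the same key, fresh session key
	fmt.Printf("key of message 1 proves message 2: %v\n", LinkProven(sessionKey, other, plaintext))
}
```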



From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 14:41:11 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14769
	for <openpgp-archive@odin.ietf.org>; Tue, 16 Oct 2001 14:41:10 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9GIIdY06781
	for ietf-openpgp-bks; Tue, 16 Oct 2001 11:18:39 -0700 (PDT)
Received: from hotmail.com (oe65.law3.hotmail.com [209.185.240.81])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GIIbD06777
	for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 11:18:37 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Tue, 16 Oct 2001 11:18:34 -0700
X-Originating-IP: [63.211.85.132]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>, "Michael Young" <mwy-opgp97@the-youngs.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <OE55rFHLqbp3eccmgeR00001add@hotmail.com> <009a01c15668$5d5abde0$dfc32609@transarc.ibm.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 14:17:59 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE65XpV8oYs8ldpyzyS00001a8b@hotmail.com>
X-OriginalArrivalTime: 16 Oct 2001 18:18:34.0922 (UTC) FILETIME=[F7F0A8A0:01C1566E]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

- ----- Original Message ----- 
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
Sent: Tuesday, October 16, 2001 1:31 PM
Subject: Re: separation of signed and encrypted messages


> I think you may have two different uses of symmetric keys mixed up.
> A symmetric key protects the private part of your public/private keypair;
> it is the one generated from your passphrase (using a hash, such as MD5).
> Another "session key" protects the contents of a message; for messages
> encrypted to a public key, it is random, and involves no hashing or
> passphrase.

yes,
am sorry,
did indeed confuse this and thought it was the 'same' symmetric key as the
session key,

thanks for clearing it up,

vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: { Acts of Kindness better the World, and protect the Soul }
Comment: KeyID: 0x6A05A0B785306D25
Comment: Fingerprint: 96A6 5F71 1C43 8423  D9AE 02FD A711 97BA

iQEVAwUBO8x51WoFoLeFMG0lAQNVuwf9HeLrP/9K5zJGt2zPJd9dWs3Ag77U/VWu
6pULyqUQKOLXsjDi+MxpIa32V8afg7qMvuPKedmOhJpWeKvLpQPiB9GhlccW8u+2
KPPD180kv4oYZxAX2ci8i6w2Auo2BH2RC0Xy7kg3ogl1hMoMZSHb388lZVvncXyu
aYlJcbIW78L9yZz87+8KhxQaz8I9CqsqY0XXzairDAh+bLJzTH+RPQd3LkCwoJGe
O9I1hcE5yNogbhWb+R7qS5ywxlhCU8yy1dWiRSVdr9am4j2rPVHH+3XJ0asaIh4J
l6+QCAe6y6ES5GvJzrJrr2XfeEfC9em2GQwB4upGpOLqnx2XKP4VoQ==
=jB6A
-----END PGP SIGNATURE-----



From owner-ietf-openpgp@mail.imc.org  Tue Oct 16 14:56:35 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA15398
	for <openpgp-archive@odin.ietf.org>; Tue, 16 Oct 2001 14:56:34 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9GIf0F07125
	for ietf-openpgp-bks; Tue, 16 Oct 2001 11:41:00 -0700 (PDT)
Received: from colon.colondot.net (exim@[212.135.138.209])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GIewD07120
	for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 11:40:58 -0700 (PDT)
Received: from mbm by colon.colondot.net with local (Exim 3.31 #1)
	id 15tZ8v-000GYX-00; Tue, 16 Oct 2001 19:40:45 +0100
Date: Tue, 16 Oct 2001 19:40:45 +0100
From: Matthew Byng-Maddick <openpgp@lists.colondot.net>
To: vedaal <vedaal@hotmail.com>
Cc: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
Message-ID: <20011016194045.B47206@colon.colondot.net>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <OE55rFHLqbp3eccmgeR00001add@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <OE55rFHLqbp3eccmgeR00001add@hotmail.com>; from vedaal@hotmail.com on Tue, Oct 16, 2001 at 01:08:23PM -0400
Organization: Colondot.net
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Tue, Oct 16, 2001 at 01:08:23PM -0400, vedaal wrote:
> for an rsa key,
> if one has the session key, ciphertext and plaintext,
> and, at some point, 
> *if*
> md5 is 'fully' broken,
> would it not be possible to retrieve the secret key and passphrase?

Erm. No.

Think about the encryption process in the first place.

MBM

-- 
Matthew Byng-Maddick         <mbm@colondot.net>           http://colondot.net/


From owner-ietf-openpgp@mail.imc.org  Wed Oct 17 04:19:39 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA16094
	for <openpgp-archive@lists.ietf.org>; Wed, 17 Oct 2001 04:19:38 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9H86Ij07486
	for ietf-openpgp-bks; Wed, 17 Oct 2001 01:06:18 -0700 (PDT)
Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9H86HD07482
	for <ietf-openpgp@imc.org>; Wed, 17 Oct 2001 01:06:17 -0700 (PDT)
Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.33 #1)
	id 15tlhz-0003Sv-00
	for ietf-openpgp@imc.org; Wed, 17 Oct 2001 10:05:47 +0200
To: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com>
	<008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Date: 17 Oct 2001 10:05:47 +0200
In-Reply-To: <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> ("Michael Young"'s message of "Tue, 16 Oct 2001 11:29:06 -0400")
Message-ID: <tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de>
Lines: 18
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


"Michael Young" <mwy-opgp97@the-youngs.org> writes:

> > but is there any way to do it, short of rewriting gpg, pgp to include a -d
> > command similar to the -d command of 2.6.3?
> 
> It doesn't appear that GnuPG has such a switch now.  But it would
> be easy to build.

The diff is a couple of lines.  I can provide details if someone wants
to work on it.  We've got a working patch for 1.0.3 or so, but chances
are minuscule that it will appear in the official GnuPG distribution.
(That's not Werner's fault, the FSF is not interested in contributions
from the University of Stuttgart in general.)

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898


From owner-ietf-openpgp@mail.imc.org  Wed Oct 17 04:55:10 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA16470
	for <openpgp-archive@lists.ietf.org>; Wed, 17 Oct 2001 04:55:10 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9H8gRM11762
	for ietf-openpgp-bks; Wed, 17 Oct 2001 01:42:27 -0700 (PDT)
Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9H8gOD11758
	for <ietf-openpgp@imc.org>; Wed, 17 Oct 2001 01:42:24 -0700 (PDT)
Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.22 #1 (Debian))
	id 15tmNy-0008Vj-00; Wed, 17 Oct 2001 10:49:10 +0200
Received: from wk by alberti.gnupg.de with local (Exim 3.32 #1 (Debian))
	id 15tmHc-0005WZ-00; Wed, 17 Oct 2001 10:42:36 +0200
To: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Cc: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com>
	<008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
	<tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-PGP-KeyID: 621CC013
X-Request-PGP: finger://wk@g10code.com
Date: Wed, 17 Oct 2001 10:42:36 +0200
In-Reply-To: <tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de> (Florian Weimer's
 message of "17 Oct 2001 10:05:47 +0200")
Message-ID: <87itdezmgz.fsf@alberti.gnupg.de>
Lines: 23
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On 17 Oct 2001 10:05:47 +0200, Florian Weimer said:

> (That's not Werner's fault, the FSF is not interested in contributions
> from the University of Stuttgart in general.)

That is a bit too simplistic a view.  The fact is that the FSF requires
copyright assignment for all core GNU software (see
http://www.gnu.org/copyleft/why-assign.html).  For reasons German
lawyers - specialized in Free Software issues - can't agree with, that
university does not want to sign such papers.

One of the reasons to found the FSF-Europe is to tackle such legal
problems.  Eben Moglen is now working with European lawyers to get these
things solved.

Ciao,

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus



From owner-ietf-openpgp@mail.imc.org  Wed Oct 17 15:07:17 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA04139
	for <openpgp-archive@lists.ietf.org>; Wed, 17 Oct 2001 15:07:16 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9HIgNv17698
	for ietf-openpgp-bks; Wed, 17 Oct 2001 11:42:23 -0700 (PDT)
Received: from ietf.org (odin.ietf.org [132.151.1.176])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9HIgGD17694
	for <ietf-openpgp@imc.org>; Wed, 17 Oct 2001 11:42:22 -0700 (PDT)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA03197;
	Wed, 17 Oct 2001 14:42:13 -0400 (EDT)
Message-Id: <200110171842.OAA03197@ietf.org>
To: IETF-Announce: ;
Subject: RFC 3156 on MIME Security with OpenPGP
Cc: rfc-ed@ISI.EDU, ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
From: RFC Editor <rfc-ed@ISI.EDU>
Date: Wed, 17 Oct 2001 14:42:13 -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



A new Request for Comments is now available in online RFC libraries.


        RFC 3156

        Title:	    MIME Security with OpenPGP
        Author(s):  M. Elkins, D. Del Torto, R. Levien, T. Roessler 
        Status:     Standards Track
	Date:       August 2001
        Mailbox:    ddt@cryptorights.org, raph@acm.org,
                    roessler@does-not-exist.org 
        Pages:      15
        Characters: 26809
        Updates:    RFC 2015

        I-D Tag:    draft-ietf-openpgp-mime-08.txt

        URL:        ftp://ftp.rfc-editor.org/in-notes/rfc3156.txt


This document describes how the OpenPGP Message Format can be
used to provide privacy and authentication using the Multipurpose
Internet Mail Extensions (MIME) security content types described in
RFC 1847.

This document is a product of the An Open Specification for Pretty
Good Privacy Working Group of the IETF.

This is now a Proposed Standard Protocol.

This document specifies an Internet standards track protocol for
the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the
"Internet Official Protocol Standards" (STD 1) for the
standardization state and status of this protocol.  Distribution
of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body 
help: ways_to_get_rfcs.  For example:

        To: rfc-info@RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
Submissions for Requests for Comments should be sent to
RFC-EDITOR@RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.


Joyce K. Reynolds and Sandy Ginoza
USC/Information Sciences Institute

...

Below is the data which will enable a MIME compliant Mail Reader 
implementation to automatically retrieve the ASCII version
of the RFCs.

--OtherAccess
Content-Type:  Message/External-body;
        access-type="mail-server";
        server="RFC-INFO@RFC-EDITOR.ORG"

Content-Type: text/plain
Content-ID: <010817090928.RFC@RFC-EDITOR.ORG>

RETRIEVE: rfc
DOC-ID: rfc3156

--OtherAccess
Content-Type:   Message/External-body;
        name="rfc3156.txt";
        site="ftp.isi.edu";
        access-type="anon-ftp";
        directory="in-notes"

Content-Type: text/plain
Content-ID: <010817090928.RFC@RFC-EDITOR.ORG>

--OtherAccess--
--NextPart--


From owner-ietf-openpgp@mail.imc.org  Fri Oct 19 07:10:13 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA13973
	for <openpgp-archive@odin.ietf.org>; Fri, 19 Oct 2001 07:10:13 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id f9JAr1v24605
	for ietf-openpgp-bks; Fri, 19 Oct 2001 03:53:01 -0700 (PDT)
Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9JAr0D24601
	for <ietf-openpgp@imc.org>; Fri, 19 Oct 2001 03:53:00 -0700 (PDT)
Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.33 #1)
	id 15uXGQ-0002Ai-00
	for ietf-openpgp@imc.org; Fri, 19 Oct 2001 12:52:30 +0200
To: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com>
	<008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
	<tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de>
	<87itdezmgz.fsf@alberti.gnupg.de>
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Date: 19 Oct 2001 12:52:30 +0200
In-Reply-To: <87itdezmgz.fsf@alberti.gnupg.de> (Werner Koch's message of "Wed, 17 Oct 2001 10:42:36 +0200")
Message-ID: <tgadyn9a1d.fsf@mercury.rus.uni-stuttgart.de>
Lines: 30
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Werner Koch <wk@gnupg.org> writes:

> On 17 Oct 2001 10:05:47 +0200, Florian Weimer said:
> 
> > (That's not Werner's fault, the FSF is not interested in contributions
> > from the University of Stuttgart in general.)
> 
> That is a bit too simplistic view.

It's the view most favorable for the FSF. ;-)

The contributions which had already been written were relatively minor
(a fraction of a man month, I think, at least if you exclude the
problem isolation phase and all the testing), so they weren't worth
the extra trouble an individual assignment contract would involve.  Of
course, this has stifled further development, but the FSF should not
be surprised by this.

> For reasons German lawyers - specialized on Free Software issues -
> can't agree with, that university does not want to sign such papers.

However, the FSF still has to tell the university the result of their
consultations. :-/

(We should take this to private mail, I think.)

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898


From owner-ietf-openpgp@mail.imc.org  Fri Oct 19 18:38:10 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA03712
	for <openpgp-archive@lists.ietf.org>; Fri, 19 Oct 2001 18:38:09 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9JMGtO12123
	for ietf-openpgp-bks; Fri, 19 Oct 2001 15:16:55 -0700 (PDT)
Received: from gamma.isi.edu (gamma.isi.edu [128.9.144.145])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9JMGjD12115
	for <ietf-openpgp@imc.org>; Fri, 19 Oct 2001 15:16:49 -0700 (PDT)
Received: from ISI.EDU (jet.isi.edu [128.9.160.87])
	by gamma.isi.edu (8.11.6/8.11.2) with ESMTP id f9JMGkH27358;
	Fri, 19 Oct 2001 15:16:46 -0700 (PDT)
Message-Id: <200110192216.f9JMGkH27358@gamma.isi.edu>
To: IETF-Announce: ;
Subject: RFC 3156 on MIME Security with OpenPGP
Cc: rfc-ed@ISI.EDU, ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary=NextPart
Date: Fri, 19 Oct 2001 15:16:46 -0700
From: RFC Editor <rfc-ed@ISI.EDU>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



--NextPart


A new Request for Comments is now available in online RFC libraries.


        RFC 3156

        Title:	    MIME Security with OpenPGP
        Author(s):  M. Elkins, D. Del Torto, R. Levien, T. Roessler 
        Status:     Standards Track
	Date:       August 2001
        Mailbox:    ddt@cryptorights.org, raph@acm.org,
                    roessler@does-not-exist.org 
        Pages:      15
        Characters: 26809
        Updates:    RFC 2015

        I-D Tag:    draft-ietf-openpgp-mime-08.txt

        URL:        ftp://ftp.rfc-editor.org/in-notes/rfc3156.txt


This document describes how the OpenPGP Message Format can be
used to provide privacy and authentication using the Multipurpose
Internet Mail Extensions (MIME) security content types described in
RFC 1847.

This document is a product of the An Open Specification for Pretty
Good Privacy Working Group of the IETF.

This is now a Proposed Standard Protocol.

This document specifies an Internet standards track protocol for
the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the
"Internet Official Protocol Standards" (STD 1) for the
standardization state and status of this protocol.  Distribution
of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body 
help: ways_to_get_rfcs.  For example:

        To: rfc-info@RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
Submissions for Requests for Comments should be sent to
RFC-EDITOR@RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.


Joyce K. Reynolds and Sandy Ginoza
USC/Information Sciences Institute

...

Below is the data which will enable a MIME compliant Mail Reader 
implementation to automatically retrieve the ASCII version
of the RFCs.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type:  Message/External-body;
        access-type="mail-server";
        server="RFC-INFO@RFC-EDITOR.ORG"

Content-Type: text/plain
Content-ID: <011019151559.RFC@RFC-EDITOR.ORG>

RETRIEVE: rfc
DOC-ID: rfc3156

--OtherAccess
Content-Type:   Message/External-body;
        name="rfc3156.txt";
        site="ftp.isi.edu";
        access-type="anon-ftp";
        directory="in-notes"

Content-Type: text/plain
Content-ID: <011019151559.RFC@RFC-EDITOR.ORG>

--OtherAccess--
--NextPart--


From owner-ietf-openpgp@mail.imc.org  Mon Oct 22 14:22:20 2001
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA26096
	for <openpgp-archive@odin.ietf.org>; Mon, 22 Oct 2001 14:22:20 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id f9MI0a728733
	for ietf-openpgp-bks; Mon, 22 Oct 2001 11:00:36 -0700 (PDT)
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id f9MI0Y828725
	for <ietf-openpgp@imc.org>; Mon, 22 Oct 2001 11:00:35 -0700 (PDT)
Received: from localhost (cdc-info [130.83.23.100])
	by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP
	id 4D5AE2C9C; Mon, 22 Oct 2001 20:00:30 +0200 (MET DST)
Received: id <m15vjP8-000QdtC@epsilon>; Mon, 22 Oct 2001 20:02:26 +0200 (CEST) 
Message-Id: <m15vjP8-000QdtC@epsilon>
Date: Mon, 22 Oct 2001 20:02:26 +0200 (CEST)
To: ietf-openpgp@imc.org
From: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
Subject: Re: draft-ietf-openpgp-rfc2440bis-03.txt
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


The "Security Considerations" of the OpenPGP specification should
contain the following item, or words to that effect.  (This was
initially pointed out in my 8 July 1999 message to this list.)

     * Public key packets in the current version 4 format do not
       contain a validity period.  It has been moved to the signature
       packet and appears in the optional key expiration time
       subpacket (section 5.2.3.5), which is to be used only in
       self-signatures.  Unlike with the version 3 public key packet
       format, certification signatures do not automatically cover the
       expiration time.

       When certifying a user ID and a public key given in version 4
       format that has an associated validity period, a signature
       expiration time subpacket (section 5.2.3.9) should be used to
       limit the validity of the certification according to the
       validity of the public key being certified.  Otherwise, if the
       certified key is compromised after it has expired, earlier
       certifications would still appear to be valid if the key is
       fraudulently published with a new self-signature giving an
       updated expiration date.

Probably some warning (or mandatory rule) should also appear earlier
in the text.


-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
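
An added example, not from Bodo Möller's message and not code from any OpenPGP implementation: a Go model of the rule described above. Ed25519 stands in for the OpenPGP public-key algorithm, the packet serialization is reduced to the fields the argument depends on, and the type names, the user ID and the timestamps are assumptions. As in the v4 format, each signature covers the key packet, the user ID and its own hashed subpackets only; the key expiration time subpacket (5.2.3.5) is therefore covered by the owner's self-signature alone, and a certifier who wants the certification to die with the key has to say so in a signature expiration time subpacket (5.2.3.9) of its own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Key is a cut-down v4 public key packet plus its user ID: only the fields the
// expiry argument depends on. Ed25519 stands in for the real key algorithm.
type Key struct {
	Pub     ed25519.PublicKey
	Created uint32 // seconds since the epoch
	UserID  string
}

// Subpackets are a signature's hashed subpackets; zero means "absent".
type Subpackets struct {
	KeyExpiry uint32 // 5.2.3.5: seconds after key creation, self-signatures only
	SigExpiry uint32 // 5.2.3.9: seconds after signature creation
}

type Signature struct {
	Created uint32
	Sub     Subpackets
	Sig     []byte
}

// signedData is what a signature covers: the key packet, the user ID and the
// signature's OWN hashed subpackets. A certifier's signature therefore never
// covers the key expiration that lives in the owner's self-signature.
func signedData(k Key, created uint32, sub Subpackets) []byte {
	var b bytes.Buffer
	b.Write(k.Pub)
	binary.Write(&b, binary.BigEndian, k.Created)
	b.WriteString(k.UserID)
	binary.Write(&b, binary.BigEndian, created)
	binary.Write(&b, binary.BigEndian, sub)
	return b.Bytes()
}

func sign(priv ed25519.PrivateKey, k Key, created uint32, sub Subpackets) Signature {
	return Signature{created, sub, ed25519.Sign(priv, signedData(k, created, sub))}
}

// verifyAt checks s over k against signer and then applies the expiry rules a
// verifier uses at time now: a signature expiration bounds the signature, a key
// expiration (meaningful only in a self-signature) bounds the key.
func verifyAt(now uint32, signer ed25519.PublicKey, k Key, s Signature) bool {
	if !ed25519.Verify(signer, signedData(k, s.Created, s.Sub), s.Sig) {
		return false
	}
	if s.Sub.SigExpiry != 0 && now > s.Created+s.Sub.SigExpiry {
		return false
	}
	return s.Sub.KeyExpiry == 0 || now <= k.Created+s.Sub.KeyExpiry
}

// accepted is the verifier's decision: the owner's latest self-signature and the
// certifier's signature must both be valid and unexpired at time now.
func accepted(now uint32, k Key, selfSig Signature, certifier ed25519.PublicKey, cert Signature) bool {
	return verifyAt(now, k.Pub, k, selfSig) && verifyAt(now, certifier, k, cert)
}

const (
	t0     uint32 = 1_000_000_000 // assumed: key created and certified
	year   uint32 = 365 * 24 * 3600
	tLater        = t0 + 2*year // verifier's clock: a year after the key expired
)

// runScenario certifies a key that expires after one year, optionally bounding
// the certification with a matching signature expiration, and reports whether
// the verifier accepts the binding while the key is live and again after the
// key has expired and its compromised private half has re-signed itself.
func runScenario(boundCertification bool) (acceptedWhileLive, acceptedAfterCompromise bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	k := Key{Pub: pub, Created: t0, UserID: "Alice <alice@example.org>"} // constructed
	selfSig := sign(priv, k, t0, Subpackets{KeyExpiry: year})
	var certSub Subpackets
	if boundCertification {
		certSub.SigExpiry = year // certification lives no longer than the key
	}
	cert := sign(certPriv, k, t0, certSub)
	acceptedWhileLive = accepted(t0+year/2, k, selfSig, certPub, cert)
	// After expiry the attacker holds priv and publishes a fresh self-signature
	// with a far-off key expiration; the certifier has signed nothing new.
	forgedSelfSig := sign(priv, k, tLater, Subpackets{KeyExpiry: 10 * year})
	acceptedAfterCompromise = accepted(tLater, k, forgedSelfSig, certPub, cert)
	return
}

func main() {
	fmt.Println(runScenario(false)) // true true: the stale certification is still accepted
	fmt.Println(runScenario(true))  // true false
}
```

The first line of output shows the problem: with no signature expiration on the certification, a self-signature the attacker issues after the key expired (same key, same user ID, far-off key expiry) is enough for the old certification to verify again. With the certification bounded to the key's validity it is rejected at the same point in time. A real verifier also has to handle revocation and choose the most recent self-signature; this model takes one self-signature as given and ignores revocation.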



Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9JMGtO12123 for ietf-openpgp-bks; Fri, 19 Oct 2001 15:16:55 -0700 (PDT)
Received: from gamma.isi.edu (gamma.isi.edu [128.9.144.145]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9JMGjD12115 for <ietf-openpgp@imc.org>; Fri, 19 Oct 2001 15:16:49 -0700 (PDT)
Received: from ISI.EDU (jet.isi.edu [128.9.160.87]) by gamma.isi.edu (8.11.6/8.11.2) with ESMTP id f9JMGkH27358; Fri, 19 Oct 2001 15:16:46 -0700 (PDT)
Message-Id: <200110192216.f9JMGkH27358@gamma.isi.edu>
To: IETF-Announce: ;
Subject: RFC 3156 on MIME Security with OpenPGP
Cc: rfc-ed@ISI.EDU, ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary=NextPart
Date: Fri, 19 Oct 2001 15:16:46 -0700
From: RFC Editor <rfc-ed@ISI.EDU>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--NextPart


A new Request for Comments is now available in online RFC libraries.


        RFC 3156

        Title:	    MIME Security with OpenPGP
        Author(s):  M. Elkins, D. Del Torto, R. Levien, T. Roessler 
        Status:     Standards Track
	Date:       August 2001
        Mailbox:    ddt@cryptorights.org, raph@acm.org,
                    roessler@does-not-exist.org 
        Pages:      15
        Characters: 26809
        Updates:    RFC 2015

        I-D Tag:    draft-ietf-openpgp-mime-08.txt

        URL:        ftp://ftp.rfc-editor.org/in-notes/rfc3156.txt


This document describes how the OpenPGP Message Format can be
used to provide privacy and authentication using the Multipurpose
Internet Mail Extensions (MIME) security content types described in
RFC 1847.

This document is a product of the An Open Specification for Pretty
Good Privacy Working Group of the IETF.

This is now a Proposed Standard Protocol.

This document specifies an Internet standards track protocol for
the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the
"Internet Official Protocol Standards" (STD 1) for the
standardization state and status of this protocol.  Distribution
of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body 
help: ways_to_get_rfcs.  For example:

        To: rfc-info@RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
Submissions for Requests for Comments should be sent to
RFC-EDITOR@RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.


Joyce K. Reynolds and Sandy Ginoza
USC/Information Sciences Institute

...

Below is the data which will enable a MIME compliant Mail Reader 
implementation to automatically retrieve the ASCII version
of the RFCs.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type:  Message/External-body;
        access-type="mail-server";
        server="RFC-INFO@RFC-EDITOR.ORG"

Content-Type: text/plain
Content-ID: <011019151559.RFC@RFC-EDITOR.ORG>

RETRIEVE: rfc
DOC-ID: rfc3156

--OtherAccess
Content-Type:   Message/External-body;
        name="rfc3156.txt";
        site="ftp.isi.edu";
        access-type="anon-ftp";
        directory="in-notes"

Content-Type: text/plain
Content-ID: <011019151559.RFC@RFC-EDITOR.ORG>

--OtherAccess--
--NextPart--


Received: by above.proper.com (8.11.6/8.11.3) id f9JAr1v24605 for ietf-openpgp-bks; Fri, 19 Oct 2001 03:53:01 -0700 (PDT)
Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9JAr0D24601 for <ietf-openpgp@imc.org>; Fri, 19 Oct 2001 03:53:00 -0700 (PDT)
Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.33 #1) id 15uXGQ-0002Ai-00 for ietf-openpgp@imc.org; Fri, 19 Oct 2001 12:52:30 +0200
To: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de> <87itdezmgz.fsf@alberti.gnupg.de>
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Date: 19 Oct 2001 12:52:30 +0200
In-Reply-To: <87itdezmgz.fsf@alberti.gnupg.de> (Werner Koch's message of "Wed, 17 Oct 2001 10:42:36 +0200")
Message-ID: <tgadyn9a1d.fsf@mercury.rus.uni-stuttgart.de>
Lines: 30
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Werner Koch <wk@gnupg.org> writes:

> On 17 Oct 2001 10:05:47 +0200, Florian Weimer said:
> 
> > (That's not Werner's fault, the FSF is not interested in contributions
> > from the University of Stuttgart in general.)
> 
> That is a bit too simplistic a view.

It's the view most favorable for the FSF. ;-)

The contributions which had already been written were relatively minor
(a fraction of a man month, I think, at least if you exclude the
problem isolation phase and all the testing), so they weren't worth
the extra trouble an individual assignment contract would involve.  Of
course, this has stifled further development, but the FSF should not
be surprised by this.

> For reasons German lawyers - specialized on Free Software issues -
> can't agree with, that university does not want to sign such papers.

However, the FSF still has to tell the university the result of their
consultations. :-/

(We should take this to private mail, I think.)

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9HIgNv17698 for ietf-openpgp-bks; Wed, 17 Oct 2001 11:42:23 -0700 (PDT)
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9HIgGD17694 for <ietf-openpgp@imc.org>; Wed, 17 Oct 2001 11:42:22 -0700 (PDT)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA03197; Wed, 17 Oct 2001 14:42:13 -0400 (EDT)
Message-Id: <200110171842.OAA03197@ietf.org>
To: IETF-Announce: ;
Subject: RFC 3156 on MIME Security with OpenPGP
Cc: rfc-ed@ISI.EDU, ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
From: RFC Editor <rfc-ed@ISI.EDU>
Date: Wed, 17 Oct 2001 14:42:13 -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

A new Request for Comments is now available in online RFC libraries.


        RFC 3156

        Title:	    MIME Security with OpenPGP
        Author(s):  M. Elkins, D. Del Torto, R. Levien, T. Roessler 
        Status:     Standards Track
	Date:       August 2001
        Mailbox:    ddt@cryptorights.org, raph@acm.org,
                    roessler@does-not-exist.org 
        Pages:      15
        Characters: 26809
        Updates:    RFC 2015

        I-D Tag:    draft-ietf-openpgp-mime-08.txt

        URL:        ftp://ftp.rfc-editor.org/in-notes/rfc3156.txt


This document describes how the OpenPGP Message Format can be
used to provide privacy and authentication using the Multipurpose
Internet Mail Extensions (MIME) security content types described in
RFC 1847.

This document is a product of the An Open Specification for Pretty
Good Privacy Working Group of the IETF.

This is now a Proposed Standard Protocol.

This document specifies an Internet standards track protocol for
the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the
"Internet Official Protocol Standards" (STD 1) for the
standardization state and status of this protocol.  Distribution
of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST@IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST@RFC-EDITOR.ORG.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info@RFC-EDITOR.ORG with the message body 
help: ways_to_get_rfcs.  For example:

        To: rfc-info@RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager@RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.
Submissions for Requests for Comments should be sent to
RFC-EDITOR@RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.


Joyce K. Reynolds and Sandy Ginoza
USC/Information Sciences Institute

...

Below is the data which will enable a MIME compliant Mail Reader 
implementation to automatically retrieve the ASCII version
of the RFCs.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type:  Message/External-body;
        access-type="mail-server";
        server="RFC-INFO@RFC-EDITOR.ORG"

Content-Type: text/plain
Content-ID: <010817090928.RFC@RFC-EDITOR.ORG>

RETRIEVE: rfc
DOC-ID: rfc3156

--OtherAccess
Content-Type:   Message/External-body;
        name="rfc3156.txt";
        site="ftp.isi.edu";
        access-type="anon-ftp";
        directory="in-notes"

Content-Type: text/plain
Content-ID: <010817090928.RFC@RFC-EDITOR.ORG>

--OtherAccess--
--NextPart--


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9H8gRM11762 for ietf-openpgp-bks; Wed, 17 Oct 2001 01:42:27 -0700 (PDT)
Received: from kasiski.gnupg.de (porta.u64.de [194.77.88.106]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9H8gOD11758 for <ietf-openpgp@imc.org>; Wed, 17 Oct 2001 01:42:24 -0700 (PDT)
Received: from uucp by kasiski.gnupg.de with local-rmail (Exim 3.22 #1 (Debian)) id 15tmNy-0008Vj-00; Wed, 17 Oct 2001 10:49:10 +0200
Received: from wk by alberti.gnupg.de with local (Exim 3.32 #1 (Debian)) id 15tmHc-0005WZ-00; Wed, 17 Oct 2001 10:42:36 +0200
To: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Cc: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-PGP-KeyID: 621CC013
X-Request-PGP: finger://wk@g10code.com
Date: Wed, 17 Oct 2001 10:42:36 +0200
In-Reply-To: <tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de> (Florian Weimer's message of "17 Oct 2001 10:05:47 +0200")
Message-ID: <87itdezmgz.fsf@alberti.gnupg.de>
Lines: 23
User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 17 Oct 2001 10:05:47 +0200, Florian Weimer said:

> (That's not Werner's fault, the FSF is not interested in contributions
> from the University of Stuttgart in general.)

That is a bit too simplistic a view.  The fact is that the FSF requires
copyright assignment for all core GNU software (see
http://www.gnu.org/copyleft/why-assign.html).  For reasons German
lawyers - specialized on Free Software issues - can't agree with, that
university does not want to sign such papers.

One of the reasons to found the FSF-Europe is to tackle such legal
problems.  Eben Moglen is now working with European lawyers to get these
things solved. 

Ciao,

  Werner

-- 
Werner Koch        Omnis enim res, quae dando non deficit, dum habetur
g10 Code GmbH      et non datur, nondum habetur, quomodo habenda est.
Privacy Solutions                                        -- Augustinus



Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9H86Ij07486 for ietf-openpgp-bks; Wed, 17 Oct 2001 01:06:18 -0700 (PDT)
Received: from mercury.rus.uni-stuttgart.de (mercury.rus.uni-stuttgart.de [129.69.1.226]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9H86HD07482 for <ietf-openpgp@imc.org>; Wed, 17 Oct 2001 01:06:17 -0700 (PDT)
Received: from rusfw by mercury.rus.uni-stuttgart.de with local (Exim 3.33 #1) id 15tlhz-0003Sv-00 for ietf-openpgp@imc.org; Wed, 17 Oct 2001 10:05:47 +0200
To: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
From: Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>
Date: 17 Oct 2001 10:05:47 +0200
In-Reply-To: <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> ("Michael Young"'s message of "Tue, 16 Oct 2001 11:29:06 -0400")
Message-ID: <tg1yk2g084.fsf@mercury.rus.uni-stuttgart.de>
Lines: 18
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

"Michael Young" <mwy-opgp97@the-youngs.org> writes:

> > but is there any way to do it, short of rewriting gpg, pgp to include a -d
> > command similar to the -d command of 2.6.3?
> 
> It doesn't appear that GnuPG has such a switch now.  But it would
> be easy to build.

The diff is a couple of lines.  I can provide details if someone wants
to work on it.  We've got a working patch for 1.0.3 or so, but chances
are minuscule that it will appear in the official GnuPG distribution.
(That's not Werner's fault, the FSF is not interested in contributions
from the University of Stuttgart in general.)

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GIf0F07125 for ietf-openpgp-bks; Tue, 16 Oct 2001 11:41:00 -0700 (PDT)
Received: from colon.colondot.net (exim@[212.135.138.209]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GIewD07120 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 11:40:58 -0700 (PDT)
Received: from mbm by colon.colondot.net with local (Exim 3.31 #1) id 15tZ8v-000GYX-00; Tue, 16 Oct 2001 19:40:45 +0100
Date: Tue, 16 Oct 2001 19:40:45 +0100
From: Matthew Byng-Maddick <openpgp@lists.colondot.net>
To: vedaal <vedaal@hotmail.com>
Cc: ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages
Message-ID: <20011016194045.B47206@colon.colondot.net>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <OE55rFHLqbp3eccmgeR00001add@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <OE55rFHLqbp3eccmgeR00001add@hotmail.com>; from vedaal@hotmail.com on Tue, Oct 16, 2001 at 01:08:23PM -0400
Organization: Colondot.net
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Tue, Oct 16, 2001 at 01:08:23PM -0400, vedaal wrote:
> for an rsa key,
> if one has the session key, ciphertext and plaintext,
> and, at some point, 
> *if*
> md5 is 'fully' broken,
> would it not be possible to retrieve the secret key and passphrase?

Erm. No.

Think about the encryption process in the first place.

MBM

-- 
Matthew Byng-Maddick         <mbm@colondot.net>           http://colondot.net/


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GIIdY06781 for ietf-openpgp-bks; Tue, 16 Oct 2001 11:18:39 -0700 (PDT)
Received: from hotmail.com (oe65.law3.hotmail.com [209.185.240.81]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GIIbD06777 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 11:18:37 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 16 Oct 2001 11:18:34 -0700
X-Originating-IP: [63.211.85.132]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>, "Michael Young" <mwy-opgp97@the-youngs.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <OE55rFHLqbp3eccmgeR00001add@hotmail.com> <009a01c15668$5d5abde0$dfc32609@transarc.ibm.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 14:17:59 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE65XpV8oYs8ldpyzyS00001a8b@hotmail.com>
X-OriginalArrivalTime: 16 Oct 2001 18:18:34.0922 (UTC) FILETIME=[F7F0A8A0:01C1566E]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

- ----- Original Message ----- 
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
Sent: Tuesday, October 16, 2001 1:31 PM
Subject: Re: separation of signed and encrypted messages


> I think you may have two different uses of symmetric keys mixed up.
> A symmetric key protects the private part of your public/private keypair;
> it is the one generated from your passphrase (using a hash, such as MD5).
> Another "session key" protects the contents of a message; for messages
> encrypted to a public key, it is random, and involves no hashing or
> passphrase.

yes,
am sorry,
did indeed confuse this and thought it was the 'same' symmetric key as the
session key,

thanks for clearing it up,

vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: { Acts of Kindness better the World, and protect the Soul }
Comment: KeyID: 0x6A05A0B785306D25
Comment: Fingerprint: 96A6 5F71 1C43 8423  D9AE 02FD A711 97BA

iQEVAwUBO8x51WoFoLeFMG0lAQNVuwf9HeLrP/9K5zJGt2zPJd9dWs3Ag77U/VWu
6pULyqUQKOLXsjDi+MxpIa32V8afg7qMvuPKedmOhJpWeKvLpQPiB9GhlccW8u+2
KPPD180kv4oYZxAX2ci8i6w2Auo2BH2RC0Xy7kg3ogl1hMoMZSHb388lZVvncXyu
aYlJcbIW78L9yZz87+8KhxQaz8I9CqsqY0XXzairDAh+bLJzTH+RPQd3LkCwoJGe
O9I1hcE5yNogbhWb+R7qS5ywxlhCU8yy1dWiRSVdr9am4j2rPVHH+3XJ0asaIh4J
l6+QCAe6y6ES5GvJzrJrr2XfeEfC9em2GQwB4upGpOLqnx2XKP4VoQ==
=jB6A
-----END PGP SIGNATURE-----



Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GHVSI05763 for ietf-openpgp-bks; Tue, 16 Oct 2001 10:31:28 -0700 (PDT)
Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GHVQD05758 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 10:31:26 -0700 (PDT)
Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id NAA10566 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 13:22:57 -0400 (EDT)
Received: from mwyoung (dhcp-195-23.transarc.ibm.com [9.38.195.223]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id NAA17165 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 13:31:22 -0400 (EDT)
Message-ID: <009a01c15668$5d5abde0$dfc32609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com> <OE55rFHLqbp3eccmgeR00001add@hotmail.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 13:31:17 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----

vedaal wrote:
> for an rsa key,
> if one has the session key, ciphertext and plaintext,
> and, at some point, 
> *if*
> md5 is 'fully' broken,
> would it not be possible to retrieve the secret key and passphrase?

I think you may have two different uses of symmetric keys mixed up.
A symmetric key protects the private part of your public/private keypair;
it is the one generated from your passphrase (using a hash, such as MD5).
Another "session key" protects the contents of a message; for messages
encrypted to a public key, it is random, and involves no hashing or
passphrase.

An "attacker" can already generate any number of session keys and
ciphertexts to go with your plaintext and signature (once you're
willing to reveal that).  They can encrypt those session keys with
your public key.  Giving out the one session key for a particular
ciphertext does no harm, unless that session key is (improperly)
related to others.

If you were considering encrypting directly to a passphrase, and the
hash were *badly* broken (such that you could generate pre-images of a
constrained pattern from an end hash), then indeed, this could be
a concern.  From the session key and salt, you might be able to
back-compute the passphrase.  If it were used elsewhere, then you
could be in trouble.  Still a little far-fetched.  Moreover,
you said "RSA", so I don't think this is what you meant.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO8xuxGNDnIII+QUHAQELKggAptcs6Eirbbm4HGTsBeIDdypPDbOsKrZq
42u7g69nnE7ulfPQOfGhya3xDSf/dj79e5Mxu3s3JG/xPjFTiKScwHiuw1eGdnaK
KD64Ex/gdsXxzTmSWjQwarG3fEv9eve2j9Wsr6rkEgmayzu+8NC/FvbOQBaS0KOA
SE+w+Dn8kmhiHHmERtNMh8z9q12UapgTR75pUQu5ncvpXZvz0ICsd7OSfuF04E13
z7GiU3BMQM66VwOwek1a3rEqEdu8mJkUwLatxMzFFjDSrcrnvxYuCS8HGEJG028Q
gA6ZPUgrLDh6uqBir9FnsJatKrQhge6SnbboBNlrImq2kvwEdHHG1Q==
=w7IG
-----END PGP SIGNATURE-----




Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GH92S05238 for ietf-openpgp-bks; Tue, 16 Oct 2001 10:09:02 -0700 (PDT)
Received: from hotmail.com (oe55.law3.hotmail.com [209.185.240.55]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GH90D05234 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 10:09:00 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 16 Oct 2001 10:08:57 -0700
X-Originating-IP: [63.211.85.132]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>, "Michael Young" <mwy-opgp97@the-youngs.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 13:08:23 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE55rFHLqbp3eccmgeR00001add@hotmail.com>
X-OriginalArrivalTime: 16 Oct 2001 17:08:57.0913 (UTC) FILETIME=[3E3FAA90:01C15665]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

- ----- Original Message ----- 
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
Sent: Tuesday, October 16, 2001 11:29 AM
Subject: Re: separation of signed and encrypted messages


 
> If you're willing to show the plaintext, why do you care about
> protecting the session key?  Are you reusing it?  This might be an
> issue for a PGPdisk, for example, where one symmetric key protects the
> entire contents...  you can't reveal+prove selected parts.  

for an rsa key,
if one has the session key, ciphertext and plaintext,
and, at some point, 
*if*
md5 is 'fully' broken,
would it not be possible to retrieve the secret key and passphrase?


vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: { Acts of Kindness better the World, and protect the Soul }
Comment: KeyID: 0x6A05A0B785306D25
Comment: Fingerprint: 96A6 5F71 1C43 8423  D9AE 02FD A711 97BA

iQEVAwUBO8xphmoFoLeFMG0lAQOeXgf+L0PAnxSnZ6NXzM9wfJN+4IquwhjMsJXQ
Y3Odn6TDcPTJY9CA8IHYNCoh59b0pAwwR4R9phmRaIbH45HmmKLTZBXei8UtI3Ok
J162JyJTcas8SMKkMNJTz5q1GJ3V+Ij8TevJAAWjYH1CL1zoZ/xIYfLauLP4HocB
rFhrQm/QvYYse+qbCEm+erkY5SlarmkG4w/GjRWQPkjASNzNX6xZBsywKuqTUcYi
+pI2el+JUSvVD9VHTHlMb7xE0Awfmp3c5v7OCKTrz6uaON7BN52MXRJlXZK8VAvT
5ee6wwyn5FoatHAjnf/Z/GAvcJQdLj8rYTF719BF4wLoi1wX0frNKA==
=FR1H
-----END PGP SIGNATURE-----



Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GFrqP00511 for ietf-openpgp-bks; Tue, 16 Oct 2001 08:53:52 -0700 (PDT)
Received: from rcn.ihtfp.org (me@ORANGE-TOUR.IHTFP.ORG [204.107.200.33]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GFroD00504 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 08:53:50 -0700 (PDT)
Received: (from warlord@localhost) by rcn.ihtfp.org (8.9.3) id LAA01992; Tue, 16 Oct 2001 11:40:18 -0400
To: "Michael Young" <mwy-opgp97@the-youngs.org>
Cc: <ietf-openpgp@imc.org>
Subject: Re: separation of signed and encrypted messages
References: <OE58s955E3yIyEOadke00001939@hotmail.com> <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
From: Derek Atkins <warlord@mit.edu>
Date: 16 Oct 2001 11:40:18 -0400
In-Reply-To: "Michael Young"'s message of "Tue, 16 Oct 2001 11:29:06 -0400"
Message-ID: <sjmhesz3865.fsf@rcn.ihtfp.org>
Lines: 30
X-Mailer: Gnus v5.5/Emacs 20.3
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Actually, revealing the encrypted-session-key for an OpenPGP message
should give you sufficient information to link the plaintext to the
encrypted message without actually giving away your private key or
passphrase.  Considering that PGP implementations should be choosing
random session keys, this implies that session keys should not be
re-used.

-derek

"Michael Young" <mwy-opgp97@the-youngs.org> writes:

> No.  The message(+signature) contents are symmetrically encrypted.
> There is no way to prove that the plaintext generates that specific
> ciphertext without giving up the session key.  Demonstrating
> a decrypted signature or MDC shouldn't convince anyone that the
> full plaintext matches that ciphertext.
> 
> If you're willing to show the plaintext, why do you care about
> protecting the session key?  Are you reusing it?  This might be an
> issue for a PGPdisk, for example, where one symmetric key protects the
> entire contents...  you can't reveal+prove selected parts.  It
> shouldn't be for ordinary OpenPGP uses.  Are you afraid that
> your randomness source has been compromised, such that other
> session keys could be deduced?  If so, you have a serious problem.

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
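
The layering that Derek's and Michael's replies rely on, as an added example that is not part of the thread: the recipient's private key only unwraps the session key, while the session key alone ties plaintext to ciphertext, so disclosing it to a third party lets them confirm the plaintext without the private key, and a reused session key exposes every message encrypted under it. The primitives are constructed stand-ins, not OpenPGP's: an HMAC-SHA256 counter-mode keystream in place of the block cipher in CFB mode, a SHA-256 digest in place of the SHA-1 MDC, and random bytes in place of the public-key-encrypted session key, which nothing in this code ever opens.

```python
"""Added example (not from the thread): session-key disclosure versus
private-key disclosure in an OpenPGP-style hybrid message.

Stand-ins (constructed for this demo, not OpenPGP's real primitives):
  - HMAC-SHA256 in counter mode instead of the block cipher in CFB mode
  - SHA-256 instead of the SHA-1 MDC
  - random bytes instead of the public-key-encrypted session key (PKESK)
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MDC_LEN = 32  # length of the SHA-256 stand-in for the MDC


@dataclass(frozen=True)
class Message:
    wrapped_key: bytes  # session key encrypted to the recipient's public key (opaque here)
    body: bytes         # plaintext || MDC, encrypted under the session key


def new_session_key() -> bytes:
    """Fresh random session key, one per message, as RFC 2440 expects."""
    return os.urandom(32)


def _keystream(session_key: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the session key (stand-in cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(session_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, session_key: bytes) -> Message:
    """Symmetric layer: encrypt plaintext || MDC under the session key.
    The MDC depends on the plaintext alone, which is Michael's point: a
    'decrypted MDC' can be produced for any claimed text and never ties it
    to this particular ciphertext."""
    inner = plaintext + hashlib.sha256(plaintext).digest()
    body = _xor(inner, _keystream(session_key, len(inner)))
    return Message(wrapped_key=os.urandom(48), body=body)  # PKESK not modelled


def decrypt_with_session_key(msg: Message, session_key: bytes) -> bytes:
    """Strip the symmetric layer given only the session key: no private key
    or passphrase is involved at this stage."""
    inner = _xor(msg.body, _keystream(session_key, len(msg.body)))
    plaintext, mdc = inner[:-MDC_LEN], inner[-MDC_LEN:]
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), mdc):
        raise ValueError("MDC check failed: wrong session key or tampered body")
    return plaintext


def session_key_links(msg: Message, session_key: bytes, claimed: bytes) -> bool:
    """Derek's point: a third party handed the session key can confirm that
    `claimed` is the plaintext of `msg` without ever seeing the private key."""
    try:
        return decrypt_with_session_key(msg, session_key) == claimed
    except ValueError:
        return False


def recoverable_with(messages: list, session_key: bytes) -> list:
    """Every message whose symmetric layer opens with this key.  With one
    fresh key per message the list has a single entry; if the key was
    reused, disclosing it for one message exposes the others as well."""
    found = []
    for index, msg in enumerate(messages):
        try:
            found.append((index, decrypt_with_session_key(msg, session_key)))
        except ValueError:
            pass
    return found


if __name__ == "__main__":
    key = new_session_key()
    msg = encrypt(b"constructed sample plaintext", key)
    print(session_key_links(msg, key, b"constructed sample plaintext"))
    print(session_key_links(msg, new_session_key(), b"constructed sample plaintext"))
```

`recoverable_with` is the check a defender would run when deciding whether a session key may be handed over: if it opens more than the one message in question, the implementation reused keys and disclosure is no longer contained.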


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GFTSK27019 for ietf-openpgp-bks; Tue, 16 Oct 2001 08:29:28 -0700 (PDT)
Received: from xfw.transarc.ibm.com (xfw.transarc.ibm.com [192.54.226.51]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GFTPD27015 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 08:29:26 -0700 (PDT)
Received: from mailhost.transarc.ibm.com (mailhost.transarc.ibm.com [9.38.192.124]) by xfw.transarc.ibm.com (AIX4.3/UCB 8.7/8.7) with ESMTP id LAA12954 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 11:20:45 -0400 (EDT)
Received: from mwyoung (dhcp-195-23.transarc.ibm.com [9.38.195.223]) by mailhost.transarc.ibm.com (8.8.0/8.8.0) with SMTP id LAA16445 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 11:29:10 -0400 (EDT)
Message-ID: <008201c15657$4b6f1880$dfc32609@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <OE58s955E3yIyEOadke00001939@hotmail.com>
Subject: Re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 11:29:06 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----

> but is there any way to do it, short of rewriting gpg, pgp to include a -d
> command similar to the -d command of 2.6.3?

It doesn't appear that GnuPG has such a switch now.  But it would
be easy to build.

> one could simply {from a remote area, without anyone needed to 'witness'
> the decryption process}
> separate it into the armored signed file, and release that to the
> 'authorities', and show that it had to have come from
> the specific signed and encrypted e-mail in question.

No.  The message(+signature) contents are symmetrically encrypted.
There is no way to prove that the plaintext generates that specific
ciphertext without giving up the session key.  Demonstrating
a decrypted signature or MDC shouldn't convince anyone that the
full plaintext matches that ciphertext.

If you're willing to show the plaintext, why do you care about
protecting the session key?  Are you reusing it?  This might be an
issue for a PGPdisk, for example, where one symmetric key protects the
entire contents...  you can't reveal+prove selected parts.  It
shouldn't be for ordinary OpenPGP uses.  Are you afraid that
your randomness source has been compromised, such that other
session keys could be deduced?  If so, you have a serious problem.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO8xSM2NDnIII+QUHAQGY1wf+MxsUxkKXd0O1KTmuAD8CX2ud0CVEiaUN
MroPdg2pjhEcIS8FOx2c4bDeq0nS89ZrvjcujdaJbro7ydcsWwFVn7xrJrC3XWm7
m7dw5xHnl7Is8Gcnw5fm+CvbJK4dBDvL7jCbmIiRYv1wsTAgdRBZlLgzhq9n3XCo
2LzOlVvsg0WTQkk2i0c3SEIg0ucFP0soGZ7QzVueMccHwxpZrxfIMF2oN02BjjD1
xu8PrNs912MFZX4EJEM2U2Z4Pa3agQc/OuI7/P46GLnd74L+BUx9i6xPfzVXbeMI
53dmvolobItRSQ0BnS/TnXc4EtS9zQo53mOFQ1KUWk26nooUznNzCA==
=fxp3
-----END PGP SIGNATURE-----




Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9GE2Zc21775 for ietf-openpgp-bks; Tue, 16 Oct 2001 07:02:35 -0700 (PDT)
Received: from hotmail.com (oe58.law3.hotmail.com [209.185.240.58]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9GE2YD21769 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 07:02:34 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 16 Oct 2001 07:02:30 -0700
X-Originating-IP: [63.211.85.132]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>
Subject: re: separation of signed and encrypted messages
Date: Tue, 16 Oct 2001 10:01:57 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE58s955E3yIyEOadke00001939@hotmail.com>
X-OriginalArrivalTime: 16 Oct 2001 14:02:30.0698 (UTC) FILETIME=[322620A0:01C1564B]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

David Hopwood wrote:

>vedaal wrote:
> is there any way to separate a message that was signed and encrypted
> to a dh key, into a free-standing verifiable signed message?

>If-and-only-if the private encryption key is known, yes. This is no
>different to 'sign and RSA-encrypt'

yes,
but is there any way to do it, short of rewriting gpg, pgp to include a -d
command similar to the -d command of 2.6.3?

on a related note:

the separation that can be done now, is from 2.6.x using the command:
  pgp -da (filename).pgp
which (after giving the correct passphrase), produces
 filename.asc
which is a free-standing armored signed file, verifiable, and displaying the
text of the original message,
but,
is clearly different from an intentional armored signature file, which
usually begins with 'ow' as the first two characters
of the pgp block,

so,

would it be possible to somehow link such a separated signed file, and show
that it had to be from a specific
signed and encrypted file?  {possibly through an mdc tag on the armor}

if it 'could' be done,

then, one would 'not' have to surrender a session key or secret key, to
decrypt a signed and encrypted e-mail,

one could simply {from a remote area, without anyone needed to 'witness' the
decryption process}
separate it into the armored signed file, and release that to the
'authorities', and show that it had to have come from
the specific signed and encrypted e-mail in question.


vedaal





Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9G406Y22859 for ietf-openpgp-bks; Mon, 15 Oct 2001 21:00:06 -0700 (PDT)
Received: from zetnet.co.uk (root@irwell.zetnet.co.uk [194.247.47.48]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9G405D22855 for <ietf-openpgp@imc.org>; Mon, 15 Oct 2001 21:00:05 -0700 (PDT)
Received: from zetnet.co.uk (man-s252.dialup.zetnet.co.uk [194.247.45.123]) by zetnet.co.uk (8.11.3/8.11.3/Debian 8.11.2-1) with ESMTP id f9G404N08029; Tue, 16 Oct 2001 05:00:05 +0100
Message-ID: <3BCA51EB.D3D5F054@zetnet.co.uk>
Date: Mon, 15 Oct 2001 04:03:07 +0100
From: David Hopwood <david.hopwood@zetnet.co.uk>
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en-GB,en,fr-FR,fr,de-DE,de,ru
MIME-Version: 1.0
To: vedaal <vedaal@hotmail.com>, ietf-openpgp@imc.org
Subject: Re: separation of signed and encrypted messages into free-standing  signed messages -- revisited
References: <OE42H5qRFapNuT1FM1J00001511@hotmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----

vedaal wrote:
> is there any way to separate a message that was signed and encrypted
> to a dh key, into a free-standing verifiable signed message?

If-and-only-if the private encryption key is known, yes. This is no
different to 'sign and RSA-encrypt'.

- -- 
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBO8pR3jkCAxeYt5gVAQFXRwgAzXRc21D9ZNqzHHtfi58c48Q6Wpv87QNV
nmm6su1lnIXdwZo0uncbPAx0Mjf7i3ZAYmVYDLQfNSvnWXXt9oSm+RXBjDGaArK6
DQ2zfLvEAHbHpMy0QooMbKXy/hHfvqicZAW5TxWJE1vQLgfG0eICc40oBpUyrdXk
9GavouQILTN3sEHpqjTm2YmkWtmHHKM4eCNV5m2DWuOkVsfFpgL/NcwlqdNyllhx
jS5//zOhhg8VEuIVCmzeO34b6YFA44doE3w9vc5eDy34i6sgjzfSimWLFz9Y5wXY
6HXC8Ae5OOwWaagdkM73eoA23FS1xr2vHNvLACL3DiuCydw834Yuew==
=/3dB
-----END PGP SIGNATURE-----


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9G3R6w22455 for ietf-openpgp-bks; Mon, 15 Oct 2001 20:27:06 -0700 (PDT)
Received: from zetnet.co.uk (root@irwell.zetnet.co.uk [194.247.47.48]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9G3R4D22449 for <ietf-openpgp@imc.org>; Mon, 15 Oct 2001 20:27:04 -0700 (PDT)
Received: from zetnet.co.uk (man-s252.dialup.zetnet.co.uk [194.247.45.123]) by zetnet.co.uk (8.11.3/8.11.3/Debian 8.11.2-1) with ESMTP id f9G3QuN04574 for <ietf-openpgp@imc.org>; Tue, 16 Oct 2001 04:26:56 +0100
Message-ID: <3BCA4A25.40F4DB4B@zetnet.co.uk>
Date: Mon, 15 Oct 2001 03:29:57 +0100
From: David Hopwood <david.hopwood@zetnet.co.uk>
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en-GB,en,fr-FR,fr,de-DE,de,ru
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: Comments on ECC draft
References: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----

"Jivsov, Andrey" wrote:
> bmoeller@hrzpub.tu-darmstadt.de wrote:
> > (Note that the FIPS recommended curves over prime fields all are based
> > on pseudo-Mersenne primes.  Of course applications that want to use
> > optimized modular arithmetic for these primes can do so, whether or
> > not special field descriptors are used.)
> 
> US patents 5,159,632, 5,463,690 and 5,271,061 "Method and apparatus for
> public key exchange in a cryptographic system" cover 2^m-C prime field with
> NeXT as an assignee. While there are some patents with J. Solinas as an
> inventor and NSA as an assignee covering Koblitz curves, there are no
> similar patents for the 2^m-C.

<http://cr.yp.to/patents/us/5159632.html> says that there is prior art
for all the interesting claims of this patent, in a CRYPTO '89 article
published more than one year before the patent was filed.
5,271,061 and 5,463,690 are continuations of 5,159,632.

- -- 
David Hopwood <david.hopwood@zetnet.co.uk>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBO8pKAjkCAxeYt5gVAQEU8Qf+NaxC++Bi+tPPwGMx0HcKUCNMFp6rlN7H
Cr8YTAzbON7u18r8lEcV3g4bBrD2B5C5H1xteLtKUv1/nGCiYtEPbqw1wixdizxf
Bsm+uvpMgjp+gdTBStj+8ak5h2q1HnO+Mu7fPo0lD0qgSxXsY5maIDEEQnxGgkWg
MZeXdTORBhya6y+566Uf5WOg7D1DD94QYR6ryQRLemdpV2qfV3o7CIgtp/Q4PyhU
f0KTgGMF+7ytpBjdlLNJmad9kHZ4ne40seg3pauN1I+/WWS0ayShK4TE1pHz1PN0
vJjT8+GD+1D4KcBm3U0FfvnOvyenQLA46vOWzQiwM1Thdt7s9xpRIA==
=r+OX
-----END PGP SIGNATURE-----


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9FIuUg13940 for ietf-openpgp-bks; Mon, 15 Oct 2001 11:56:30 -0700 (PDT)
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9FIuSD13936 for <ietf-openpgp@imc.org>; Mon, 15 Oct 2001 11:56:28 -0700 (PDT)
Received: from cdc-ws1 (cdc-ws1 [130.83.23.82]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id C089D2C8C for <ietf-openpgp@imc.org>; Mon, 15 Oct 2001 20:56:29 +0200 (MET DST)
Date: Mon, 15 Oct 2001 16:02:32 +0200
From: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>
To: "Jivsov, Andrey" <Andrey_Jivsov@NAI.com>
Cc: hal@finney.org, Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org
Subject: Re: Comments on ECC draft
Message-ID: <20011015160232.C7738b@cdc.informatik.tu-darmstadt.de>
References: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2i
In-Reply-To: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>; from Andrey_Jivsov@NAI.com on Wed, Oct 03, 2001 at 01:24:36PM -0500
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Wed, Oct 03, 2001 at 01:24:36PM -0500, Jivsov, Andrey wrote:

>> From: bmoeller@hrzpub.tu-darmstadt.de

>>> Our concern with the special primes 1-2 is that this area seems 
>>> to be covered by patents.

>> What patents?  These should be patents applied for by the NSA (the
>> optimizations for pseudo-Mersenne primes are due to Jerry Solinas).
>> I'm not sure how they'd handle licensing -- the patents for Jerry's
>> algorithms for Koblitz curves have already been issued earlier this
>> year, and presumably licensing would be similar to that, whatever this
>> means.  (Hopefully no restrictions, as for DSA, which is also
>> patented.)
>>
>> (Note that the FIPS recommended curves over prime fields all are based
>> on pseudo-Mersenne primes.  Of course applications that want to use
>> optimized modular arithmetic for these primes can do so, whether or
>> not special field descriptors are used.)

> US patents 5,159,632, 5,463,690 and 5,271,061 "Method and apparatus for
> public key exchange in a cryptographic system" cover 2^m-C prime field with
> NeXT as an assignee. [...]

Thanks for the pointers.


> The 1999 paper "Generalized Mersenne Numbers" by J. Solinas has
> abovementioned patent 5,159,632 in a reference section.

Solinas cites Knuth for efficient arithmetic modulo Mersenne numbers
(m = 2^k - 1) and writes (in the introduction to his 1999 Technical
Report "Generalized Mersenne Numbers")

    "It is [...] of interest to generalize the above technique to
    families of numbers containing primes.

    One such family is due to Richard Crandall [2], namely, the
    integers  2^k - c  for  c  positive and small enough to fit into
    one word.  In this paper, we generalize in a different direction.
    Although there is some overlap, many of the generalized Mersenne
    numbers presented here are not Crandall numbers."

([2] is Crandall's patent 5,159,632.)

So while there are patent issues with efficient arithmetic for
Crandall's pseudo Mersenne prime fields, it seems there is no known
patent affecting Solinas' generalized Mersenne prime fields.


>                                                         This paper describes
> primes in the form 2^m+B_n+...+B_0 instead, where B_n+...+B_0=C is not small
> (applicable to NIST curves). Therefore, group types 1 and 2 from the draft
> can only be used to describe patented fields. 

... where the types applicable to prime fields are defined as follows
(in draft-scherkl-openpgp-ecc-00.txt):

    0: Named curve (followed by curve_name)
    1: Pseudo mersenne prime field F(p) (followed by r and c.
       p = 2^r - c, "below some twopower")
    2: Pseudo mersenne prime field F(p) (followed by r and c.
       p = 2^r + c, "above some twopower")
    3: Prime field F(p) (followed by p)

Type 3 obviously covers any finite prime field, but does not indicate
what optimizations may apply.  Types 1 and 2 also cover any finite
prime field because the definition does not impose limits on  c;
in the case of the Crandall patents you cited above,  c  would
be very small (usually a single processor word), whereas in the case
of NIST curves and similar curves, it would be quite long, but
shorter than  p.  So not *all* curves using type 1 or 2 fields
would be covered by the Crandall patents.  But maybe a field type
more suitable for generalized Mersenne numbers should be defined.



-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f9FICx413168 for ietf-openpgp-bks; Mon, 15 Oct 2001 11:12:59 -0700 (PDT)
Received: from hotmail.com (oe42.law3.hotmail.com [209.185.240.210]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f9FICwD13164 for <ietf-openpgp@imc.org>; Mon, 15 Oct 2001 11:12:58 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 15 Oct 2001 11:01:22 -0700
X-Originating-IP: [63.211.85.132]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>
Subject: separation of signed and encrypted messages into free-standing signed messages -- revisited
Date: Mon, 15 Oct 2001 14:00:50 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Message-ID: <OE42H5qRFapNuT1FM1J00001511@hotmail.com>
X-OriginalArrivalTime: 15 Oct 2001 18:01:22.0940 (UTC) FILETIME=[666AF3C0:01C155A3]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

is there any way to separate a message that was signed and encrypted to a
dh key, into a free-standing verifiable signed message?

am aware that rfc 2440 requires this, but has it actually been 'tested'
with dh keys to see if it is so?

{do 'not' mean to criticize dh keys,
on the contrary, would find it a security 'benefit' of a dh key if it could
'not' be done, even if it required reconsideration of this aspect of the
rfc-2440 }

so far, have been able to separate messages signed and encrypted to an rsa
key, both for rsa and dh/dss signatures


tia,

vedaal

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
Comment: { Acts of Kindness better the World, and protect the Soul }
Comment: KeyID: 0x6A05A0B785306D25
Comment: Fingerprint: 96A6 5F71 1C43 8423  D9AE 02FD A711 97BA

iQEVAwUBO8skUWoFoLeFMG0lAQN+4ggAkaXA96GA/LVzj7TbBdB/13jX0MN6z/IO
uiEC+StWc/gf20bk0t/QuYSEVDEGeMwoe8W5kiEGGzEQnEWUjVdUunGMW5R9gz22
y9j7q0qAnkAaGFCEZX/wGeUJtbIaZ/16P+ZLdvKkKi0QjK/AuH58tNVEC/KiHQGu
nRNVrRYt5kn0Em+ccRc+NswXQFdfRG+VDA4+YFapjXl+DzQnB1869zdn2jF6Q5Re
6+997gldQ9Ml5OZou6HqbtVnawuzCmxTM+QFn3Ca6mm/F/lymplRbyRhNyqpkVom
vGAnFU6U2aXfVh20GLbG+U0a2dyS8d0F89k+2c5zk8BvRtUdltHokg==
=Gxhy
-----END PGP SIGNATURE-----



Received: by above.proper.com (8.11.6/8.11.3) id f93IP4s18878 for ietf-openpgp-bks; Wed, 3 Oct 2001 11:25:04 -0700 (PDT)
Received: from nairelaymail.nai.com (relay2.nai.com [161.69.213.4]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f93IP0D18874 for <ietf-openpgp@imc.org>; Wed, 3 Oct 2001 11:25:00 -0700 (PDT)
Received: from txwsout1.nai.com ([161.69.96.120]) by nairelaymail.nai.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id TYFZCK13; Wed, 3 Oct 2001 13:23:07 -0500
Received: FROM tx-ex-bridge1.nai.com BY txwsout1.nai.com ; Wed Oct 03 13:25:20 2001 -0500
Received: by DAL-96-124.nai.com with Internet Mail Service (5.5.2653.19) id <TF4CCKCH>; Wed, 3 Oct 2001 13:24:46 -0500
Message-ID: <55E02B6F8FA8D311985300902740BB2004C5748C@SNC-5-88.nai.com>
From: "Jivsov, Andrey" <Andrey_Jivsov@NAI.com>
To: "'moeller@cdc.informatik.tu-darmstadt.de'" <moeller@cdc.informatik.tu-darmstadt.de>, hal@finney.org
Cc: Dominikus.Scherkl@biodata.com, ietf-openpgp@imc.org
Subject: RE: Comments on ECC draft
Date: Wed, 3 Oct 2001 13:24:36 -0500 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> -----Original Message-----
> From: bmoeller@hrzpub.tu-darmstadt.de
> [mailto:bmoeller@hrzpub.tu-darmstadt.de]
> Sent: Monday, September 10, 2001 12:50 PM
> To: hal@finney.org
> Cc: Dominikus.Scherkl@biodata.com; ietf-openpgp@imc.org;
> andrey_jivsov@NAI.com; hal_finney@NAI.com
> Subject: Re: Comments on ECC draft
...
> > Our concern with the special primes 1-2 is that this area seems 
> > to be covered by patents.
...
> What patents?  These should be patents applied for by the NSA (the
> optimizations for pseudo-Mersenne primes are due to Jerry Solinas).
> I'm not sure how they'd handle licensing -- the patents for Jerry's
> algorithms for Koblitz curves have already been issued earlier this
> year, and presumably licensing would be similar to that, whatever this
> means.  (Hopefully no restrictions, as for DSA, which is also
> patented.)
>
> (Note that the FIPS recommended curves over prime fields all are based
> on pseudo-Mersenne primes.  Of course applications that want to use
> optimized modular arithmetic for these primes can do so, whether or
> not special field descriptors are used.)

US patents 5,159,632, 5,463,690 and 5,271,061 "Method and apparatus for
public key exchange in a cryptographic system" cover 2^m-C prime field with
NeXT as an assignee. While there are some patents with J. Solinas as an
inventor and NSA as an assignee covering Koblitz curves, there are no
similar patents for the 2^m-C.

The 1999 paper "Generalized Mersenne Numbers" by J. Solinas has
abovementioned patent 5,159,632 in a reference section. This paper describes
primes in the form 2^m+B_n+...+B_0 instead, where B_n+...+B_0=C is not small
(applicable to NIST curves). Therefore, group types 1 and 2 from the draft
can only be used to describe patented fields. 

In contrast with Mersenne prime fields, binary fields were around for a long
time, patent-free for software implementation, sufficiently fast for
software and superior for hardware implementations, allow Koblitz curve
optimizations and are the only current choice for IKE ECC DH groups.


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f92Ls7600448 for ietf-openpgp-bks; Tue, 2 Oct 2001 14:54:07 -0700 (PDT)
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f92Ls6D00444 for <ietf-openpgp@imc.org>; Tue, 2 Oct 2001 14:54:06 -0700 (PDT)
Received: from [63.73.97.181] (63.84.37.127) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.0.3); Tue, 2 Oct 2001 14:53:57 -0700
Mime-Version: 1.0
X-Sender: jon@merrymeet.com
Message-Id: <p05101009b7dfe5e6b524@[63.73.97.181]>
In-Reply-To:  <Pine.LNX.4.30.0110021747080.23282-100000@linux45.zdv.uni-tuebingen.de>
References:  <Pine.LNX.4.30.0110021747080.23282-100000@linux45.zdv.uni-tuebingen.de>
Date: Tue, 2 Oct 2001 14:45:37 -0700
To: Jan Petranek <jan.petranek@student.uni-tuebingen.de>, <ietf-openpgp@imc.org>
From: Jon Callas <jon@callas.org>
Subject: Re: (slight) Error in rfc2440
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Thanks. I've massaged that paragraph. The new one reads:

OpenPGP combines symmetric-key encryption and public key encryption to
provide confidentiality. When made confidential, first the object is
encrypted using a symmetric encryption algorithm.  Each symmetric key is
used only once. A new "session key" is generated as a random number for
each message. Since it is used only once, the session key is bound to the
message and transmitted with it.  To protect the key, it is encrypted with
the receiver's public key. The sequence is as follows:


Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f92Ftm115515 for ietf-openpgp-bks; Tue, 2 Oct 2001 08:55:48 -0700 (PDT)
Received: from mx03.uni-tuebingen.de (mx03.uni-tuebingen.de [134.2.3.13]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f92FtkD15505 for <ietf-openpgp@imc.org>; Tue, 2 Oct 2001 08:55:46 -0700 (PDT)
Received: from linux45.zdv.uni-tuebingen.de (linux45.zdv.uni-tuebingen.de [134.2.18.45]) by mx03.uni-tuebingen.de (8.9.3/8.9.3) with ESMTP id RAA20098 for <ietf-openpgp@imc.org>; Tue, 2 Oct 2001 17:55:46 +0200
Date: Tue, 2 Oct 2001 17:55:46 +0200 (CEST)
From: Jan Petranek <jan.petranek@student.uni-tuebingen.de>
X-Sender:  <zxmsf28@linux45.zdv.uni-tuebingen.de>
To: <ietf-openpgp@imc.org>
Subject: (slight) Error in rfc2440
Message-ID: <Pine.LNX.4.30.0110021747080.23282-100000@linux45.zdv.uni-tuebingen.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hello out there,

I just read rfc2440 (on OpenPGP), dated November 1998, and it seems
there is an error in it.

In section  2.1. "Confidentiality via Encryption", it says:

"With public-key encryption, the object is encrypted using a symmetric
encryption algorithm."

I believe it should read

"With symmetric-key encryption, the object is encrypted using a symmetric
      ^^^^^^^^^^^^^
encryption algorithm."

I believe the author intended to talk about symmetric encryption here,
because in the next sentences he discusses the role of symmetric encryption
used in OpenPGP.
Furthermore, if the key of a symmetric encryption were public, as the
original text suggests, it would render the encryption completely worthless.

As I'm already messing with the rfc, I may just as well add this
suggestion: In the section describing the packet lengths, the lengths in
the text are written in decimal, where they are written in octal in the
examples (of course). It might improve readability if in the text both
notations were used, like
"100 (0x64) packets will follow"

With my best wishes,

Jan Petranek


