From owner-ietf-openpgp@mail.imc.org  Thu May  1 00:32:59 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA06576
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 00:32:58 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h414J5i2006051
	for <ietf-openpgp-bks@above.proper.com>; Wed, 30 Apr 2003 21:19:05 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h414J5FC006050
	for ietf-openpgp-bks; Wed, 30 Apr 2003 21:19:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h414J0i2006042
	for <ietf-openpgp@imc.org>; Wed, 30 Apr 2003 21:19:03 -0700 (PDT)
	(envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33])
	by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h414InMB026316;
	Thu, 1 May 2003 16:18:49 +1200
Received: (from pgut001@localhost)
	by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h414IlM07649;
	Thu, 1 May 2003 16:18:47 +1200
Date: Thu, 1 May 2003 16:18:47 +1200
Message-Id: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: hal@finney.org, ietf-openpgp@imc.org, john.dlugosz@kodak.com
Subject: Re: Low-level question about OpenPGP - why CFB mode?
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


"Hal Finney" <hal@finney.org> writes:

>I think this may have been the reason that Phil chose CFB.  As for the non-
>standard "sync" operation, I don't remember why he did that. Probably it just
>seemed to be a natural way of handling CFB given his understanding of its
>rationale in terms of the way it interfaced with the underlying cipher.

I believe it was an implementation bug/quirk, not a deliberate design
decision.

Peter.



From owner-ietf-openpgp@mail.imc.org  Thu May  1 01:04:21 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA07280
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 01:04:20 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h414rui2007088
	for <ietf-openpgp-bks@above.proper.com>; Wed, 30 Apr 2003 21:53:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h414ruZD007087
	for ietf-openpgp-bks; Wed, 30 Apr 2003 21:53:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h414rsi2007078
	for <ietf-openpgp@imc.org>; Wed, 30 Apr 2003 21:53:55 -0700 (PDT)
	(envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk)
	by mercury.ex.ac.uk with esmtp (Exim 4.14)
	id 19B64r-00O8nr-NR; Thu, 01 May 2003 05:53:49 +0100
Date: Thu, 1 May 2003 05:53:40 +0100
From: Adam Back <adam@cypherspace.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: hal@finney.org, ietf-openpgp@imc.org, john.dlugosz@kodak.com,
        Adam Back <adam@cypherspace.org>
Subject: Re: Low-level question about OpenPGP - why CFB mode?
Message-ID: <20030501055340.A8413562@exeter.ac.uk>
References: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz>; from pgut001@cs.auckland.ac.nz on Thu, May 01, 2003 at 04:18:47PM +1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


I seem to remember some comments in the 2.x code tree from Colin Plumb
discussing the merits of the CFB resync.

Here we go:

 * That is, the last 4 bytes of a 12-byte field are en/decrypted using
 * the first 4 bytes of IDEA(previous 8 bytes of ciphertext), but then
 * the last 4 bytes of that IDEA computation are thrown away, and the
 * first 8 bytes of the next field are en/decrypted using
 * IDEA(last 8 bytes of ciphertext).  This is equivalent to using a
 * shorter feedback length (if you're familiar with the general CFB
 * technique) briefly, and doesn't weaken the cipher any (using shorter
 * CFB lengths makes it stronger, actually), it just makes it a bit unusual.

from idea.c; actually it looks to be just a comment about the security
of different feedback lengths in CFB mode.

On use of CFB instead of CBC, I think this is actually good because
it avoids the whole padding issue which people frequently get wrong
with bad security implications.  Plus it's simpler to not have to pad.
Error recovery is a phantom property, as in no mode is it secure.

Adam

On Thu, May 01, 2003 at 04:18:47PM +1200, Peter Gutmann wrote:
> 
> "Hal Finney" <hal@finney.org> writes:
> 
> >I think this may have been the reason that Phil chose CFB.  As for the non-
> >standard "sync" operation, I don't remember why he did that. Probably it just
> >seemed to be a natural way of handling CFB given his understanding of its
> >rationale in terms of the way it interfaced with the underlying cipher.
> 
> I believe it was an implementation bug/quirk, not a deliberate design
> decision.
> 
> Peter.
> 
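
The resync that Colin Plumb's comment describes, as an added example that is
not part of this message or of the PGP 2.x code: a stand-in 64-bit block
cipher (a four-round Feistel over SHA-256, not IDEA, so the script needs only
the Python standard library), textbook 64-bit CFB beside CFB with the
PGP-style resync after a 12-byte field, and a check that the two agree up to
the end of the field and diverge right after it.  The key, IV, plaintext and
all function names are constructed for the example.

```python
import hashlib

BLOCK = 8  # IDEA's block size in bytes; the stand-in cipher uses the same size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Round function of the stand-in cipher: keyed SHA-256 truncated to 4 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel).  NOT IDEA; it only
    exists so the example runs offline.  CFB needs just the forward direction,
    so no block_decrypt is defined."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def pgp_cfb(key: bytes, iv: bytes, data: bytes, resync_at: int,
            decrypt: bool = False) -> bytes:
    """64-bit CFB with the PGP 2.x resync after the first `resync_at` bytes.

    As in the idea.c comment: the field before the resync point is ordinary
    CFB, its short tail (resync_at mod 8 bytes) is XORed with only the first
    bytes of E(previous 8 ciphertext bytes) and the rest of that keystream
    block is thrown away, and everything after the field uses
    E(last 8 ciphertext bytes).  resync_at == 0 (or any multiple of 8)
    degenerates to plain CFB.
    """
    if len(iv) != BLOCK:
        raise ValueError("iv must be 8 bytes")
    if not 0 <= resync_at <= len(data):
        raise ValueError("resync_at out of range")

    out = bytearray()
    history = bytearray(iv)  # IV followed by every ciphertext byte so far
    pos = 0

    def step(n: int) -> None:
        """One CFB step of n (<= 8) bytes.  The feedback register is always the
        last 8 ciphertext bytes: for a full block that is textbook CFB, after a
        4-byte tail it straddles the previous block and the tail, which is the
        'briefly shorter feedback length' the comment talks about."""
        nonlocal pos
        reg = bytes(history[-BLOCK:])
        keystream = block_encrypt(key, reg)[:n]  # unused keystream bytes discarded
        chunk = data[pos:pos + n]
        result = _xor(chunk, keystream)
        history.extend(chunk if decrypt else result)  # ciphertext is the input when decrypting
        out.extend(result)
        pos += n

    while pos + BLOCK <= resync_at:      # full blocks of the leading field
        step(BLOCK)
    if resync_at - pos:                  # the short tail of the field
        step(resync_at - pos)
    while pos < len(data):               # resynced: ordinary CFB from here on
        step(min(BLOCK, len(data) - pos))
    return bytes(out)


def plain_cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Textbook 64-bit CFB for comparison: no resync anywhere."""
    return pgp_cfb(key, iv, data, 0, decrypt)


def demo() -> dict:
    """Encrypt a constructed 40-byte plaintext both ways and compare them."""
    key = b"\x01" * 16       # constructed 128-bit key (IDEA's key size)
    iv = bytes(BLOCK)        # constructed all-zero IV
    pt = bytes(range(40))    # constructed plaintext
    field = 12               # the 12-byte field from the idea.c comment
    resync_ct = pgp_cfb(key, iv, pt, field)
    plain_ct = plain_cfb(key, iv, pt)
    naive_pt = plain_cfb(key, iv, resync_ct, decrypt=True)
    return {
        "roundtrip_ok": pgp_cfb(key, iv, resync_ct, field, decrypt=True) == pt,
        # identical through the 4-byte tail, since both use E(C[0:8])[:4] there
        "same_through_field": resync_ct[:field] == plain_ct[:field],
        # different afterwards: E(C[4:12]) versus E(C[0:8])[4:8] and E(C[8:16])
        "diverge_after_field": resync_ct[field:] != plain_ct[field:],
        # a decryptor that ignores the resync recovers only the leading field
        "naive_decrypt_breaks_after_field":
            naive_pt[:field] == pt[:field] and naive_pt[field:] != pt[field:],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The feedback register is always the last eight ciphertext bytes, so the
resync is nothing more than one non-aligned step; passing a resync_at that is
a multiple of 8 gives exactly plain CFB.  OpenPGP (RFC 2440, section 12.8)
applies the same resync after its 10-octet random prefix, so resync_at=10
reproduces that layout.  The last check is the interoperability trap rather
than a weakness: a textbook CFB decryptor gets the leading field right and
garbage from the resync point on.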


From owner-ietf-openpgp@mail.imc.org  Thu May  1 03:41:36 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA01261
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 03:41:35 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h417G7i2023207
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 00:16:07 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h417G7Cx023206
	for ietf-openpgp-bks; Thu, 1 May 2003 00:16:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h417G5i2023174
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 00:16:06 -0700 (PDT)
	(envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33])
	by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h417FdMB029828;
	Thu, 1 May 2003 19:15:39 +1200
Received: (from pgut001@localhost)
	by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h417FdB08293;
	Thu, 1 May 2003 19:15:39 +1200
Date: Thu, 1 May 2003 19:15:39 +1200
Message-Id: <200305010715.h417FdB08293@medusa01.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: adam@cypherspace.org, pgut001@cs.auckland.ac.nz
Subject: Re: Low-level question about OpenPGP - why CFB mode?
Cc: hal@finney.org, ietf-openpgp@imc.org, john.dlugosz@kodak.com
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Adam Back <adam@cypherspace.org> writes:

>On use of CFB instead of CBC, I think this is actually good because it avoids
>the whole padding issue which people frequently get wrong with bad security
>implications.  Plus it's simpler to not have to pad. Error recovery is a
>phantom property, as in no mode is it secure.

PKCS #5 padding is trivial to get right, any minor gains are more than made up
for by the painful and clunky pseudo-IV handling, particularly since most
crypto implementations have an "IV, data, go"-type interface which requires
error-prone manual handling of the pseudo-IV.

Peter.


From owner-ietf-openpgp@mail.imc.org  Thu May  1 12:20:46 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA20479
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 12:20:45 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41FuEi2069286
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 08:56:14 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41FuE2W069285
	for ietf-openpgp-bks; Thu, 1 May 2003 08:56:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41FuDi2069280
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 08:56:13 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from systemics.com (guderian.cryptohill.net [24.244.145.14])
	by mx1.cryptohill.net (Postfix) with ESMTP
	id 337321C890; Thu,  1 May 2003 11:56:14 -0400 (EDT)
Message-ID: <3EB14346.1A3AF846@systemics.com>
Date: Thu, 01 May 2003 11:54:46 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: Low-level question about OpenPGP - why CFB mode?
References: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Peter Gutmann wrote:
> 
> "Hal Finney" <hal@finney.org> writes:
> 
> >I think this may have been the reason that Phil chose CFB.  As for the non-
> >standard "sync" operation, I don't remember why he did that. Probably it just
> >seemed to be a natural way of handling CFB given his understanding of its
> >rationale in terms of the way it interfaced with the underlying cipher.
> 
> I believe it was an implementation bug/quirk, not a deliberate design
> decision.

I had heard that it was an attempt to make it
"more secure", like the salting of the Unix
password (DES) :-)

Either way, there appears
to be no justification for continuing its use,
and a good reason for deprecating it:  it is
rather complex to document and program up, this
conversation about the munged CFB mode has been
had many times in the past (here and elsewhere)
and will be had many times in the future.

In the spirit of improving the codability of
OpenPGP, I'd suggest it be replaced with a
standard textbook or FIPS mode.

(Not in the current version of course, but at
the next convenient moment.)

-- 
iang


From owner-ietf-openpgp@mail.imc.org  Thu May  1 12:52:18 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA22022
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 12:52:17 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41GWji2070119
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 09:32:45 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41GWjlc070118
	for ietf-openpgp-bks; Thu, 1 May 2003 09:32:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41GWii2070112
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 09:32:44 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41GWjm1012552;
	Thu, 1 May 2003 12:32:45 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41GWimI010324;
	Thu, 1 May 2003 12:32:44 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41GWiFJ010910;
	Thu, 1 May 2003 12:32:44 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id MAA22001; Thu, 1 May 2003 12:32:44 -0400 (EDT)
To: iang@systemics.com
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Low-level question about OpenPGP - why CFB mode?
References: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz>
	<3EB14346.1A3AF846@systemics.com>
Date: 01 May 2003 12:32:44 -0400
In-Reply-To: <3EB14346.1A3AF846@systemics.com>
Message-ID: <sjm1xzityoj.fsf@kikki.mit.edu>
Lines: 29
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Ian Grigg <iang@systemics.com> writes:

> In the spirit of improving the codability of
> OpenPGP, I'd suggest it be replaced with a
> standard textbook or FIPS mode.

<chair hat>

In the interest of finishing the OpenPGP work, I claim it is too late
in the process to make such a major change to the protocol in terms of
losing compatibility with all prior versions.  Having implemented this
non-FIPS mode, it is NOT that complicated, and the text we have that
describes it (indeed, the text in RFC 1991 that described it!) has never
been a hindrance to implementation.

The only questions have been "why do you do it this way?" which is not
IMHO a reasonable reason to force a change at this late date.  It may
be a reasonable reason to add text explaining why we do it this way,
or comparing it to the FIPS CFB mode, but that could go in an appendix
just as easily as it could go into the text.

</chair hat>

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Thu May  1 13:38:32 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA24483
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 13:38:31 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HOCi2071697
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 10:24:12 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41HOC4Y071696
	for ietf-openpgp-bks; Thu, 1 May 2003 10:24:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HOBi2071691
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 10:24:11 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41HOCm1006449
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 13:24:12 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41HOCmI017969
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 13:24:12 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41HOBFJ013134
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 13:24:11 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id NAA22112; Thu, 1 May 2003 13:24:11 -0400 (EDT)
To: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: OpenPGP Administrivia
Date: 01 May 2003 13:24:11 -0400
Message-ID: <sjmfznyshqc.fsf@kikki.mit.edu>
Lines: 36
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Hi,

As was announced yesterday, I'm the new chair of OpenPGP.  My goals
(as somewhat explained to me by the ADs) are to finish up the existing
work and try to ramp down the WG.  This means finishing up all the
open issues, getting 2440bis out the door, and either shutting down
or rechartering based on what else is left to do.

Another task that I've been asked to do is to use an online system to keep
track of all the open issues.  To further this end we've had an RT
Queue created at https://rt.psg.com/ to keep track of all the open
issues.  I'd like to try to use this system to make sure we don't lose
anything through the cracks.  However, I'm as new to this as you are,
so this is going to be a learning experience for all of us.  The ADs
have asked for me to write up the issues with using RT.

However, one thing I am lacking is a list of open issues in the
existing work.  I'm hoping that John or Jon has a list so we can seed
the RT queue.  If all else fails I can go re-read the last year's
worth of email and try to glom out the open issues (but I suspect many
of the issues are older than that).  You can send issues to the list,
to me directly, or add them to the RT queue.

Lastly, Vienna is coming up soon (well, soonish)...  If we're going to
meet I need to know if we have topics to discuss, and if so what they
are and how long it will take.  We still have plenty of time to request
a slot, but as always the early-bird gets the good slots ;)

That's all for now, from your friendly neighborhood working-group chair.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Thu May  1 14:18:45 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA26969
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 14:18:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HtGi2072544
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 10:55:16 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41HtGPh072543
	for ietf-openpgp-bks; Thu, 1 May 2003 10:55:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HtEi2072537
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 10:55:15 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41HtFjf021528;
	Thu, 1 May 2003 13:55:15 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41Hr5J8023220;
	Thu, 1 May 2003 13:53:05 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41Hr5FJ014452;
	Thu, 1 May 2003 13:53:05 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id NAA22182; Thu, 1 May 2003 13:53:05 -0400 (EDT)
To: ietf-openpgp@imc.org
Cc: Derek Atkins <derek@ihtfp.com>
Subject: Re: OpenPGP Administrivia
References: <sjmfznyshqc.fsf@kikki.mit.edu>
	<ilusmrybm4q.fsf@latte.josefsson.org>
From: Derek Atkins <warlord@MIT.EDU>
Date: 01 May 2003 13:53:05 -0400
In-Reply-To: <ilusmrybm4q.fsf@latte.josefsson.org>
Message-ID: <sjmu1cer1tq.fsf@kikki.mit.edu>
Lines: 58
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


A clueful member of the WG asked:

> What is the username and password for the RT?

Unfortunately I was just informed that the RT Queue is not completely
set up for public access, yet.  I'm sorry for jumping the gun on
publishing the URL.  I'll let you know the guest username/password
when I find it out.  I'm an RT newbie myself and have never used it
before, so I was unaware of the lack of prominent guest account.

I'll be sure to mail out the info as soon as I find it.

-derek

> Derek Atkins <derek@ihtfp.com> writes:
> 
> > Hi,
> >
> > As was announced yesterday, I'm the new chair of OpenPGP.  My goals
> > (as somewhat explained to me by the ADs) are to finish up the existing
> > work and try to ramp down the WG.  This means finishing up all the
> > open issues, getting 2440bis out the door, and either shutting down
> > or rechartering based on what else is left to do.
> >
> > Another task that I've been asked to do is to use an online system to keep
> > track of all the open issues.  To further this end we've had an RT
> > Queue created at https://rt.psg.com/ to keep track of all the open
> > issues.  I'd like to try to use this system to make sure we don't lose
> > anything through the cracks.  However, I'm as new to this as you are,
> > so this is going to be a learning experience for all of us.  The ADs
> > have asked for me to write up the issues with using RT.
> >
> > However, one thing I am lacking is a list of open issues in the
> > existing work.  I'm hoping that John or Jon has a list so we can seed
> > the RT queue.  If all else fails I can go re-read the last year's
> > worth of email and try to glom out the open issues (but I suspect many
> > of the issues are older than that).  You can send issues to the list,
> > to me directly, or add them to the RT queue.
> >
> > Lastly, Vienna is coming up soon (well, soonish)...  If we're going to
> > meet I need to know if we have topics to discuss, and if so what they
> > are and how long it will take.  We still have plenty of time to request
> > a slot, but as always the early-bird gets the good slots ;)
> >
> > That's all for now, from your friendly neighborhood working-group chair.
> >
> > -derek
> >
> > -- 
> >        Derek Atkins
> >        Computer and Internet Security Consultant
> >        derek@ihtfp.com             www.ihtfp.com
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Thu May  1 14:48:34 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA28748
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 14:48:33 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41IWFi2074697
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 11:32:15 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41IWFfY074695
	for ietf-openpgp-bks; Thu, 1 May 2003 11:32:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41IWDi2074675
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 11:32:13 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h41ITDZZ027959
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 14:29:23 -0400
Received: from berkshire.research.att.com (guard.research.att.com [135.207.1.20])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h41IVnV03810
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 14:31:49 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP id D7EAC7B4D
	for <ietf-openpgp@imc.org>; Thu,  1 May 2003 14:31:47 -0400 (EDT)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
From: "Steven M. Bellovin" <smb@research.att.com>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia 
In-Reply-To: Your message of "01 May 2003 13:53:05 EDT."
             <sjmu1cer1tq.fsf@kikki.mit.edu> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 01 May 2003 14:31:47 -0400
Message-Id: <20030501183148.D7EAC7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


In message <sjmu1cer1tq.fsf@kikki.mit.edu>, Derek Atkins writes:
>
>A clueful member of the WG asked:
>
>> What is the username and password for the RT?
>
>Unfortunately I was just informed that the RT Queue is not completely
>set up for public access, yet.  I'm sorry for jumping the gun on
>publishing the URL.  I'll let you know the guest username/password
>when I find it out.  I'm an RT newbie myself and have never used it
>before, so I was unaware of the lack of prominent guest account.
>
>I'll be sure to mail out the info as soon as I find it.


To amplify what Derek said -- this is intended to be very open, but 
we're just not there yet.  The server was set up (literally) yesterday; 
we haven't finished configuring it yet.

My goal as AD is to make simple-to-use management tools available to 
all WG chairs.  We need to learn what functions are needed, and how 
best to use common tools.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ietf-openpgp@mail.imc.org  Thu May  1 18:04:55 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA14419
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 18:04:54 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41Lopi2081467
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 14:50:51 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41LopYT081466
	for ietf-openpgp-bks; Thu, 1 May 2003 14:50:51 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41Loli2081456
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 14:50:50 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h41Loiq28455
	for ietf-openpgp@imc.org; Thu, 1 May 2003 17:50:44 -0400
Date: Thu, 1 May 2003 17:50:44 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia
Message-ID: <20030501215043.GB3020@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <sjmfznyshqc.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmfznyshqc.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is New
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:

> However, one thing I am lacking is a list of open issues in the
> existing work.  I'm hoping that John or Jon has a list so we can
> seed the RT queue.  If all else fails I can go re-read the last
> year's worth of email and try to glom out the open issues (but I
> suspect many of the issues are older than that).  You can send
> issues to the list, to me directly, or add them to the RT queue.

One thing that would be useful would be to know exactly where we stand
now in 2440bis.  The last draft was bis-07 from March, but there have
been a number of issues discussed since then, and it is not clear
which were incorporated (or earmarked for later incorporation) into
the draft.  A diff (or an 08) would be extremely helpful.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc2 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+sZaz4mZch0nhy8kRAmAgAJ40ujuPgmaZ9NVXJu/uxyI5va1xpACfVNCm
Ig4T0ReP2r2otj4ER3vhJaI=
=5dlq
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Thu May  1 18:30:33 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA16601
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 18:30:32 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MGNi2082169
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 15:16:23 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41MGNJh082167
	for ietf-openpgp-bks; Thu, 1 May 2003 15:16:23 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MGMi2082162
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 15:16:22 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h41MGOd3011326;
	Thu, 1 May 2003 18:16:24 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41MGNA2028024;
	Thu, 1 May 2003 18:16:23 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41MGNFJ026346;
	Thu, 1 May 2003 18:16:23 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id SAA22677; Thu, 1 May 2003 18:16:23 -0400 (EDT)
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: OpenPGP Administrivia
References: <sjmfznyshqc.fsf@kikki.mit.edu>
	<20030501215043.GB3020@jabberwocky.com>
Date: 01 May 2003 18:16:23 -0400
In-Reply-To: <20030501215043.GB3020@jabberwocky.com>
Message-ID: <sjmllxqpb2g.fsf@kikki.mit.edu>
Lines: 28
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


This is indeed part of what I was looking for.  Jon, what's the
current status of the work on -08?

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:
> 
> > However, one thing I am lacking is a list of open issues in the
> > existing work.  I'm hoping that John or Jon has a list so we can
> > seed the RT queue.  If all else fails I can go re-read the last
> > year's worth of email and try to glom out the open issues (but I
> > suspect many of the issues are older than that).  You can send
> > issues to the list, to me directly, or add them to the RT queue.
> 
> One thing that would be useful would be to know exactly where we stand
> now in 2440bis.  The last draft was bis-07 from March, but there have
> been a number of issues discussed since then, and it is not clear
> which were incorporated (or earmarked for later incorporation) into
> the draft.  A diff (or an 08) would be extremely helpful.
> 
> David

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Thu May  1 18:58:33 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA17573
	for <openpgp-archive@lists.ietf.org>; Thu, 1 May 2003 18:58:32 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MlFi2083255
	for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 15:47:15 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h41MlF3r083254
	for ietf-openpgp-bks; Thu, 1 May 2003 15:47:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MlEi2083248
	for <ietf-openpgp@imc.org>; Thu, 1 May 2003 15:47:14 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [192.168.1.41] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Thu, 1 May 2003 15:47:12 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 01 May 2003 15:47:22 -0700
Subject: Re: OpenPGP Administrivia
From: Jon Callas <jon@callas.org>
To: Derek Atkins <derek@ihtfp.com>, David Shaw <dshaw@jabberwocky.com>
CC: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAD6F20A.8000EBE7%jon@callas.org>
In-Reply-To: <sjmllxqpb2g.fsf@kikki.mit.edu>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/1/03 3:16 PM, "Derek Atkins" <derek@ihtfp.com> wrote:

> 
> This is indeed part of what I was looking for.  Jon, what's the
> current status of the work on -08?

I have a number of changes done. What I have pending is some work
deprecating old stuff as we've discussed. We also need to break up the
references into normative and non-normative. Those are the big ones.

I am looking forward to having a place where issues can be stored.

    Jon



From owner-ietf-openpgp@mail.imc.org  Sat May  3 15:56:04 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA07382
	for <openpgp-archive@lists.ietf.org>; Sat, 3 May 2003 15:56:03 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h43JYSi2048724
	for <ietf-openpgp-bks@above.proper.com>; Sat, 3 May 2003 12:34:28 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h43JYSvw048723
	for ietf-openpgp-bks; Sat, 3 May 2003 12:34:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h43JYQi2048718
	for <ietf-openpgp@imc.org>; Sat, 3 May 2003 12:34:27 -0700 (PDT)
	(envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk)
	by mercury.ex.ac.uk with esmtp (Exim 4.14)
	id 19C2m5-00OmOD-Rz; Sat, 03 May 2003 20:34:21 +0100
Date: Sat, 3 May 2003 20:34:10 +0100
From: Adam Back <adam@cypherspace.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: hal@finney.org, ietf-openpgp@imc.org, john.dlugosz@kodak.com
Subject: CFB vs CBC (Re: Low-level question about OpenPGP - why CFB mode?)
Message-ID: <20030503203410.A8238090@exeter.ac.uk>
References: <200305010715.h417FdB08293@medusa01.cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <200305010715.h417FdB08293@medusa01.cs.auckland.ac.nz>; from pgut001@cs.auckland.ac.nz on Thu, May 01, 2003 at 07:15:39PM +1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


PKCS#5 padding is simple to code, however:

- having to pad at all is an inconvenience for some applications where
  space is tight

- having to pad is inconvenient for streaming (need to know ahead when
  the last block is)

- there are people who have used non-PKCS#5 padding, and instead made
  up their own (clueless people, etc; but it's one more thing)

- the PKCS#5 padding end tag tends to encourage programmers to
  make their implementations into decryption oracles which can be used
  as an attack point (viz the interactive attack against block ciphers
  using the misformed padding error)

- the pseudo-IV handling (requirement not to repeat IV for same key) is a
  non-issue in most contexts where the key changes every time anyway
  (symmetric key transport already covers cases in PGP where the
  symmetric key is derived from a password)

Adam

On Thu, May 01, 2003 at 07:15:39PM +1200, Peter Gutmann wrote:
> Adam Back <adam@cypherspace.org> writes:
> 
> >On use of CFB instead of CBC, I think this is actually good because it avoids
> >the whole padding issue which people frequently get wrong with bad security
> >implications.  Plus it's simpler to not have to pad. Error recovery is a
> >phantom property, as in no mode is it secure.
> 
> PKCS #5 padding is trivial to get right, any minor gains are more than made up
> for by the painful and clunky pseudo-IV handling, particularly since most
> crypto implementations have an "IV, data, go"-type interface which requires
> error-prone manual handling of the pseudo-IV.
> 
> Peter.
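The "decryption oracle" bullet above, as an added illustration that is not code from this thread or from any OpenPGP implementation: PKCS#5 padding for a 64-bit block, a naive unpad routine that stops early and reports which check failed, and a uniform unpad that reads the whole last block and returns one error value for every failure. Function names and the 'A'-filled sample blocks are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* 64-bit block, as for the block ciphers PGP used at the time (CAST5, IDEA, 3DES). */
#define BLOCK 8

/* PKCS#5 padding: append n bytes of value n, 1 <= n <= BLOCK, so the padded
 * length is a multiple of BLOCK. Returns the padded length, or 0 if the buffer
 * cannot hold the padding. The final block can only be produced once the
 * caller knows it is the final block, which is the streaming inconvenience
 * mentioned in the post. */
size_t pkcs5_pad(unsigned char *buf, size_t len, size_t cap)
{
    size_t pad = BLOCK - (len % BLOCK);
    if (cap < len + pad) return 0;
    memset(buf + len, (int)pad, pad);
    return len + pad;
}

/* Naive unpad of the kind the post warns about: it exits at the first bad
 * byte and returns a distinct code for each check, so both the error code and
 * the timing depend on decrypted bytes. Shown only for contrast. */
int pkcs5_unpad_leaky(const unsigned char *buf, size_t len, size_t *out_len)
{
    size_t i, pad;
    if (len == 0 || len % BLOCK != 0) return -1;
    pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK) return -2;          /* distinct error code */
    for (i = 2; i <= pad; i++)
        if (buf[len - i] != pad) return -3;          /* early exit, distinct code */
    *out_len = len - pad;
    return 0;
}

/* Uniform unpad: always reads the whole last block, folds every check into one
 * flag, and returns the same value for every failure. A caller should also
 * return this same error for any other integrity failure, so the decryptor
 * does not become a padding oracle. */
int pkcs5_unpad(const unsigned char *buf, size_t len, size_t *out_len)
{
    unsigned bad = 0, pad, i;
    if (len == 0 || len % BLOCK != 0) return -1;    /* length is not secret */
    pad = buf[len - 1];
    bad |= (pad - 1u) >> 8;                          /* nonzero iff pad == 0 */
    bad |= (BLOCK - pad) >> 8;                       /* nonzero iff pad > BLOCK */
    for (i = 1; i <= BLOCK; i++) {
        unsigned mask = 0u - (unsigned)(i <= pad);   /* all ones where a pad byte is expected */
        bad |= mask & (buf[len - i] ^ pad);
    }
    if (bad) return -1;
    *out_len = len - pad;
    return 0;
}

/* Pad a constructed message of `len` 'A' bytes, optionally corrupt the final
 * pad byte, and unpad with the uniform routine. Returns the recovered length
 * or -1. */
int pad_roundtrip(size_t len, int corrupt_last)
{
    unsigned char buf[64];
    size_t padded, out = 0;
    if (len > sizeof buf - BLOCK) return -1;
    memset(buf, 'A', len);
    padded = pkcs5_pad(buf, len, sizeof buf);
    if (padded == 0) return -1;
    if (corrupt_last) buf[padded - 1] ^= 0x80;       /* constructed fault: pad byte now > BLOCK */
    if (pkcs5_unpad(buf, padded, &out) != 0) return -1;
    return (int)out;
}

/* Build one block of 'A' bytes ending in last_byte and return the result of
 * the leaky (leaky != 0) or the uniform unpad routine, to compare error codes. */
int unpad_error_code(int leaky, unsigned char last_byte)
{
    unsigned char blk[BLOCK];
    size_t out = 0;
    memset(blk, 'A', BLOCK);
    blk[BLOCK - 1] = last_byte;
    return leaky ? pkcs5_unpad_leaky(blk, BLOCK, &out)
                 : pkcs5_unpad(blk, BLOCK, &out);
}
```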


From owner-ietf-openpgp@mail.imc.org  Tue May  6 17:34:38 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA09948
	for <openpgp-archive@lists.ietf.org>; Tue, 6 May 2003 17:34:37 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46L6ki2002648
	for <ietf-openpgp-bks@above.proper.com>; Tue, 6 May 2003 14:06:46 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h46L6kSP002646
	for ietf-openpgp-bks; Tue, 6 May 2003 14:06:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46L6ji2002639
	for <ietf-openpgp@imc.org>; Tue, 6 May 2003 14:06:45 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h46JKeS05203
	for ietf-openpgp@imc.org; Tue, 6 May 2003 15:20:40 -0400
Date: Tue, 6 May 2003 15:20:40 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia
Message-ID: <20030506192040.GB4805@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <sjmfznyshqc.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmfznyshqc.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (23% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:

> As was announced yesterday, I'm the new chair of OpenPGP.  My goals
> (as somewhat explained to me by the ADs) are to finish up the existing
> work and try to ramp down the WG.  This means finishing up all the
> open issues, getting 2440bis out the door, and either shutting down
> or rechartering based on what else is left to do.

I'm curious what shutting down actually entails.  Once 2440bis is
complete, what happens when/if something needs to happen in the
OpenPGP space?  Is the WG officially reconvened, or are things not
that formal?  Even if the WG is shut down, I think it would be useful
if this mailing list would continue to exist.  It is a good forum,
with an excellent signal to noise ratio, and it reaches nearly all of
the people working on OpenPGP today.

David


From owner-ietf-openpgp@mail.imc.org  Tue May  6 18:09:23 2003
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA11397
	for <openpgp-archive@lists.ietf.org>; Tue, 6 May 2003 18:09:23 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46LjQi2003972
	for <ietf-openpgp-bks@above.proper.com>; Tue, 6 May 2003 14:45:26 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.8p1/8.12.9/Submit) id h46LjQSB003971
	for ietf-openpgp-bks; Tue, 6 May 2003 14:45:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46LjOi2003962
	for <ietf-openpgp@imc.org>; Tue, 6 May 2003 14:45:24 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h46LgPZs012807;
	Tue, 6 May 2003 17:42:25 -0400
Received: from berkshire.research.att.com (sigaba.research.att.com [135.207.23.169])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h46LjLV11266;
	Tue, 6 May 2003 17:45:21 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id DEC3D7B4D; Tue,  6 May 2003 17:45:20 -0400 (EDT)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
From: "Steven M. Bellovin" <smb@research.att.com>
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia 
In-Reply-To: Your message of "Tue, 06 May 2003 15:20:40 EDT."
             <20030506192040.GB4805@jabberwocky.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 06 May 2003 17:45:20 -0400
Message-Id: <20030506214520.DEC3D7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


In message <20030506192040.GB4805@jabberwocky.com>, David Shaw writes:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:
>
>> As was announced yesterday, I'm the new chair of OpenPGP.  My goals
>> (as somewhat explained to me by the ADs) are to finish up the existing
>> work and try to ramp down the WG.  This means finishing up all the
>> open issues, getting 2440bis out the door, and either shutting down
>> or rechartering based on what else is left to do.
>
>I'm curious what shutting down actually entails.  Once 2440bis is
>complete, what happens when/if something needs to happen in the
>OpenPGP space?  Is the WG officially reconvened, or are things not
>that formal?  Even if the WG is shut down, I think it would be useful
>if this mailing list would continue to exist.  It is a good forum,
>with an excellent signal to noise ratio, and it reaches nearly all of
>the people working on OpenPGP today.
>

Mailing lists can (and often do) continue indefinitely.

As for the WG -- it can go dormant, or it can be disbanded.  If there's 
a need for a new WG in that space, one can be spun up -- the issue 
would be the charter, since any new WG would be doing something 
different.  Minor changes could be done by individual submissions.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)





From owner-ietf-openpgp@mail.imc.org  Wed May 21 06:46:37 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA14380
	for <openpgp-archive@lists.ietf.org>; Wed, 21 May 2003 06:46:36 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LADWAF017432
	for <ietf-openpgp-bks@above.proper.com>; Wed, 21 May 2003 03:13:32 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4LADW92017431
	for ietf-openpgp-bks; Wed, 21 May 2003 03:13:32 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from lake.cyberia.net.lb (lake.cyberia.net.lb [195.112.195.73])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LADSAF017413
	for <ietf-openpgp@imc.org>; Wed, 21 May 2003 03:13:29 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-17-95.cyberia.net.lb ([195.112.192.193])
          by lake.cyberia.net.lb with SMTP
          id <20030521100332.BWZB9885.lake@ppp-17-95.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Wed, 21 May 2003 13:03:32 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Suggested DER Prefixes
Date: Wed, 21 May 2003 13:11:35 +0200
Organization: ECLiPSE
Message-ID: <rbmmcvcar5221v7g9oujc4ela5ctbe331i@4ax.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h4LADVAF017427
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


-----BEGIN PGP SIGNED MESSAGE-----

Greetings,

Please find below some suggested DER prefixes
for the hash algorithms with no OID's.

Best regards

Imad R Faiad

PS Can someone clarify OpenPGP symmetric
algorithm ID: 6 (DES/SK), I mean, what
variant of the DES algorithm are we talking about.
TIA

//Double width SHA (SHA1x) experimental algorithm
//Used In: PGP 5.x
//OpenPGP Hash Algorithm ID: 04
unsigned char const SHA1xDERprefix[] = {
	0x30, /* Universal, Constructed, Sequence */
	0x35, /* Length 53 (bytes following) */
		0x30,  /* Universal, Constructed, Sequence */
		0x09,  /* Length 9 bytes*/
			0x04, /* Universal, Primitive, Octet string */
			0x05, /*Length 5 bytes*/
			   0x53, 0x48, 0x41, 0x31, 0x78,  /*SHA1x*/
			0x05,  /* Universal, Primitive, NULL */
			0x00, /* Length 0 */
		0x04, /* Universal, Primitive, Octet string */
		0x28 /* Length 40 bytes = 320 bits*/
		/* 40 bytes SHA1x digest start here */
};

//HAVAL 5 pass, 160 bits (HAVAL-5-160)
//OpenPGP Hash Algorithm ID: 07
//Used in: PGP 2.6.3ia-multi04+
unsigned char const HAVAL_5_160DERprefix[] = {
	0x30, /* Universal, Constructed, Sequence */ 
	0x27, /* Length 39 (bytes following) */
		0x30,  /* Universal, Constructed, Sequence */
		0x0f,  /* Length 15 bytes*/
			0x04, /* Universal, Primitive, Octet string */
			0x0B, /*Length 11 bytes*/
			   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
			   0x35, 0x2D, 0x31, 0x36, 0x30, /*HAVAL-5-160*/
			0x05,  /* Universal, Primitive, NULL */
			0x00, /* Length 0 */
		0x04, /* Universal, Primitive, Octet string */
		0x14 /* Length 20 bytes = 160 bits*/
		/* 20 bytes HAVAL-5-160 digest start here */
};

//HAVAL 5 pass, 256 bits (HAVAL-5-256)
//OpenPGP Hash Algorithm ID: None
//Used in: PGP 2.6.3ia-multi04+
//Hash Algorithm ID used: 11
unsigned char const HAVAL_5_256DERprefix[] = {
	0x30, /* Universal, Constructed, Sequence */ 
	0x33, /* Length 51 (bytes following) */
		0x30,  /* Universal, Constructed, Sequence */
		0x0f,  /* Length 15 bytes*/
			0x04, /* Universal, Primitive, Octet string */
			0x0B, /*Length 11 bytes*/
			   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
			   0x35, 0x2D, 0x32, 0x35, 0x36, /*HAVAL-5-256*/
			0x05,  /* Universal, Primitive, NULL */
			0x00, /* Length 0 */
		0x04, /* Universal, Primitive, Octet string */
		0x20 /* Length 32 bytes = 256 bits*/
		/* 32 bytes HAVAL-5-256 digest start here */
};

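Each suggested prefix is only usable if its nested DER length bytes agree with each other and with the digest length that follows, so here is an added strict checker (not code from the post or from any OpenPGP implementation) that walks the SEQUENCE { SEQUENCE { name, NULL }, OCTET STRING } shape, rejects any length inconsistency, and returns the digest length the prefix announces. It goes slightly beyond the post by also accepting the OID form, so the standard RFC 2440 SHA-1 prefix is checked the same way; the function names and the mangled sample are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER tags that appear in a PKCS#1 DigestInfo header */
#define DER_SEQUENCE 0x30
#define DER_OCTET    0x04
#define DER_NULL     0x05
#define DER_OID      0x06

/* The three prefixes proposed in the post (given C-legal names), header bytes
 * only; the digest is appended after the final length byte. */
static const unsigned char SHA1x_prefix[] = {
    0x30, 0x35, 0x30, 0x09, 0x04, 0x05, 'S', 'H', 'A', '1', 'x',
    0x05, 0x00, 0x04, 0x28 };
static const unsigned char HAVAL_5_160_prefix[] = {
    0x30, 0x27, 0x30, 0x0f, 0x04, 0x0B,
    'H', 'A', 'V', 'A', 'L', '-', '5', '-', '1', '6', '0',
    0x05, 0x00, 0x04, 0x14 };
static const unsigned char HAVAL_5_256_prefix[] = {
    0x30, 0x33, 0x30, 0x0f, 0x04, 0x0B,
    'H', 'A', 'V', 'A', 'L', '-', '5', '-', '2', '5', '6',
    0x05, 0x00, 0x04, 0x20 };
/* For comparison: the standard SHA-1 prefix from RFC 2440, which carries an
 * OID (1.3.14.3.2.26) where the proposal carries an OCTET STRING name. */
static const unsigned char SHA1_prefix[] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
    0x05, 0x00, 0x04, 0x14 };

/* Strictly parse a DigestInfo prefix of the shape
 *   SEQUENCE { SEQUENCE { name-or-OID, NULL }, OCTET STRING <digest> }
 * and return the digest length (bytes) that its final length byte announces,
 * or -1 if any tag or length disagrees with the bytes present. Every length
 * must be short form, the inner lengths must add up to the outer one, and the
 * prefix must end exactly at the OCTET STRING header, so that prefix || digest
 * is one correctly encoded DigestInfo. If name_out is non-NULL the name/OID
 * bytes are copied there, NUL-terminated. */
int check_digestinfo_prefix(const unsigned char *p, size_t n,
                            char *name_out, size_t name_cap)
{
    size_t algid_len, name_len, digest_len;

    /* shortest possible prefix: 30 L 30 L 04 L <1 byte> 05 00 04 L */
    if (p == NULL || n < 11) return -1;
    if (p[0] != DER_SEQUENCE || p[1] >= 0x80) return -1;
    if (p[2] != DER_SEQUENCE || p[3] >= 0x80) return -1;
    algid_len = p[3];
    if (4 + algid_len + 2 > n) return -1;      /* no room for the 04 L header */

    /* algorithm name: OCTET STRING (this proposal) or OID (standard prefixes) */
    if ((p[4] != DER_OCTET && p[4] != DER_OID) || p[5] >= 0x80) return -1;
    name_len = p[5];
    if (name_len == 0 || 2 + name_len + 2 != algid_len) return -1;
    /* NULL parameters must be the last two bytes of the inner SEQUENCE */
    if (p[6 + name_len] != DER_NULL || p[7 + name_len] != 0x00) return -1;

    /* OCTET STRING header for the digest must be the last two prefix bytes */
    if (p[4 + algid_len] != DER_OCTET || p[5 + algid_len] >= 0x80) return -1;
    if (6 + algid_len != n) return -1;
    digest_len = p[5 + algid_len];
    if (digest_len == 0) return -1;

    /* outer length must cover exactly inner SEQUENCE + digest OCTET STRING */
    if ((size_t)p[1] != (2 + algid_len) + (2 + digest_len)) return -1;

    if (name_out != NULL && name_cap > 0) {
        size_t c = name_len < name_cap - 1 ? name_len : name_cap - 1;
        memcpy(name_out, p + 6, c);
        name_out[c] = '\0';
    }
    return (int)digest_len;
}

/* Copy a prefix, overwrite its outer length byte, and re-check it; used to
 * show that a single inconsistent length byte is enough for rejection. */
int check_with_outer_length(const unsigned char *p, size_t n, unsigned char outer)
{
    unsigned char copy[64];
    if (n < 2 || n > sizeof copy) return -1;
    memcpy(copy, p, n);
    copy[1] = outer;
    return check_digestinfo_prefix(copy, n, NULL, 0);
}

int main(void)
{
    const unsigned char *all[] = { SHA1x_prefix, HAVAL_5_160_prefix,
                                   HAVAL_5_256_prefix, SHA1_prefix };
    const size_t sizes[] = { sizeof SHA1x_prefix, sizeof HAVAL_5_160_prefix,
                             sizeof HAVAL_5_256_prefix, sizeof SHA1_prefix };
    size_t i;
    for (i = 0; i < 4; i++) {
        char name[32];
        int d = check_digestinfo_prefix(all[i], sizes[i], name, sizeof name);
        printf("prefix %u: %s, digest %d bytes\n", (unsigned)i,
               d < 0 ? "REJECTED" : (all[i][4] == DER_OCTET ? name : "(OID)"), d);
    }
    printf("SHA1x with outer length 0x36: %d\n",
           check_with_outer_length(SHA1x_prefix, sizeof SHA1x_prefix, 0x36));
    return 0;
}
```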




From owner-ietf-openpgp@mail.imc.org  Wed May 21 13:01:29 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA28182
	for <openpgp-archive@lists.ietf.org>; Wed, 21 May 2003 13:01:29 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LGYIAF040021
	for <ietf-openpgp-bks@above.proper.com>; Wed, 21 May 2003 09:34:18 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4LGYId1040020
	for ietf-openpgp-bks; Wed, 21 May 2003 09:34:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LGYDAF040003
	for <ietf-openpgp@imc.org>; Wed, 21 May 2003 09:34:13 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Wed, 21 May 2003 09:34:08 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Wed, 21 May 2003 09:34:17 -0700
Subject: Re: Suggested DER Prefixes
From: Jon Callas <jon@callas.org>
To: "Imad R. Faiad" <matic@cyberia.net.lb>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAF0F899.800101B4%jon@callas.org>
In-Reply-To: <rbmmcvcar5221v7g9oujc4ela5ctbe331i@4ax.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/21/03 4:11 AM, "Imad R. Faiad" <matic@cyberia.net.lb> wrote:

> PS Can someone clarify OpenPGP symmetric
> algorithm ID: 6 (DES/SK), I mean, what
> variant of the DES algorithm are we talking about.
> TIA
> 

DES/SK is being removed. Don't implement it.

> //Double width SHA (SHA1x) experimental algorithm
> //Used In: PGP 5.x
> //OpenPGP Hash Algorithm ID: 04
> unsigned char const SHA1xDERprefix[] = {
> 0x30, /* Universal, Constructed, Sequence */
> 0x35, /* Length 53 (bytes following) */
> 0x30,  /* Universal, Constructed, Sequence */
> 0x09,  /* Length 9 bytes*/
> 0x04, /* Universal, Primitive, Octet string */
> 0x05, /*Length 5 bytes*/
>   0x53, 0x48, 0x41, 0x31, 0x78,  /*SHA1x*/
> 0x05,  /* Universal, Primitive, NULL */
> 0x00, /* Length 0 */
> 0x04, /* Universal, Primitive, Octet string */
> 0x28 /* Length 40 bytes = 320 bits*/
> /* 40 bytes SHA1x digest start here */
> };
> 

Double-width SHA was an experimental thing some people were using for wider
DSA, it was never widely implemented. Don't implement it.

> //HAVAL 5 pass, 160 bits (HAVAL-5-160)
> //OpenPGP Hash Algorithm ID: 07
> //Used in: PGP 2.6.3ia-multi04+
> unsigned char const HAVAL_5_160DERprefix[] = {
> 0x30, /* Universal, Constructed, Sequence */
> 0x27, /* Length 39 (bytes following) */
> 0x30,  /* Universal, Constructed, Sequence */
> 0x0f,  /* Length 15 bytes*/
> 0x04, /* Universal, Primitive, Octet string */
> 0x0B, /*Length 11 bytes*/
>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>   0x35, 0x2D, 0x31, 0x36, 0x30, /*HAVAL-5-160*/
> 0x05,  /* Universal, Primitive, NULL */
> 0x00, /* Length 0 */
> 0x04, /* Universal, Primitive, Octet string */
> 0x14 /* Length 20 bytes = 160 bits*/
> /* 20 bytes HAVAL-5-160 digest start here */
> };
> 
> //HAVAL 5 pass, 256 bits (HAVAL-5-256)
> //OpenPGP Hash Algorithm ID: None
> //Used in: PGP 2.6.3ia-multi04+
> //Hash Algorithm ID used: 11
> unsigned char const HAVAL_5_256DERprefix[] = {
> 0x30, /* Universal, Constructed, Sequence */
> 0x33, /* Length 51 (bytes following) */
> 0x30,  /* Universal, Constructed, Sequence */
> 0x0f,  /* Length 15 bytes*/
> 0x04, /* Universal, Primitive, Octet string */
> 0x0B, /*Length 11 bytes*/
>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>   0x35, 0x2D, 0x32, 0x35, 0x36, /*HAVAL-5-256*/
> 0x05,  /* Universal, Primitive, NULL */
> 0x00, /* Length 0 */
> 0x04, /* Universal, Primitive, Octet string */
> 0x20 /* Length 32 bytes = 256 bits*/
> /* 32 bytes HAVAL-5-256 digest start here */
> };

Haval is being removed. Don't bother.

Now that there are the wide SHAs, they are what you should be implementing.

    Jon



From owner-ietf-openpgp@mail.imc.org  Wed May 28 13:56:17 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA13488
	for <openpgp-archive@lists.ietf.org>; Wed, 28 May 2003 13:56:17 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SHUSAF055107
	for <ietf-openpgp-bks@above.proper.com>; Wed, 28 May 2003 10:30:28 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4SHUStb055106
	for ietf-openpgp-bks; Wed, 28 May 2003 10:30:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SHUQAF055101
	for <ietf-openpgp@imc.org>; Wed, 28 May 2003 10:30:26 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Wed, 28 May 2003 10:30:22 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Tue, 27 May 2003 19:57:35 -0700
Subject: Re: Signature targets and where they should be used
From: Jon Callas <jon@callas.org>
To: David Shaw <dshaw@jabberwocky.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAF973AF.80010F60%jon@callas.org>
In-Reply-To: <20030416213837.GE1184@jabberwocky.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 4/16/03 2:38 PM, "David Shaw" <dshaw@jabberwocky.com> wrote:

Is there a consensus on this?

Personally, I think that the SHOULD is good enough. If you want to do a
blind notary, you have the perfect reason not to put the target packet
there.

However, I included this text: "Note that we really do mean SHOULD. There
are plausible uses for this (such as a blind notary that only sees the
signature, not the key nor source document) that cannot include a target
subpacket."

    Jon

> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, Apr 16, 2003 at 03:40:24PM -0400, Michael Young wrote:
>> 
>> From: "David Shaw" <dshaw@jabberwocky.com>
> 
>>> In the case of notary signatures, there is no "C" to specify.  It is
>>> merely signature A (the 0x50 signature), on data B (the signature to
>>> be notarized).  There is no benefit in specifying B twice as the data
>>> to be signed and then again as an additional subpacket.
>> 
>> I'd agree that the benefit is slight at best.  I suppose if
>> you had "B" and the material it covered (so that you could generate
>> B's hash), and you had a disorganized bunch of notary signatures,
>> then you could pick out the matching ones faster if they had
>> target subpackets.  This doesn't seem like a compelling scenario. :-)
> 
> There is actually another reason why using targets for notary
> signatures is not really good: one of the nice features of notary
> signatures is that the notarizer doesn't need the original signer's
> public key or the material the original signature covered.  All the
> notarizer needs is the signature packet.  Unfortunately, to use a
> signature target in the notary signature, the notarizer needs the
> original signer's public key to extract the hash from the original
> signature packet...
> 
> I suppose we could solve that problem by defining a signature target
> to be the canonical hash of the signature being targeted, but even
> then there is still no good reason why using a target for notary
> signatures needs to be a SHOULD.
> 
> David
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2rc2 (GNU/Linux)
> Comment: http://www.jabberwocky.com/david/keys.asc
> 
> iD8DBQE+nc1c4mZch0nhy8kRAjTQAJ42SnhAoD42MFWJjin3KJXBxZrMDACeNDqK
> hGj20/LjG6I8lBPGqigWOlA=
> =a8B8
> -----END PGP SIGNATURE-----
> 



From owner-ietf-openpgp@mail.imc.org  Wed May 28 17:41:53 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA25400
	for <openpgp-archive@lists.ietf.org>; Wed, 28 May 2003 17:41:51 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SLElAF067578
	for <ietf-openpgp-bks@above.proper.com>; Wed, 28 May 2003 14:14:47 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4SLElNA067577
	for ietf-openpgp-bks; Wed, 28 May 2003 14:14:47 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SLEiAF067546
	for <ietf-openpgp@imc.org>; Wed, 28 May 2003 14:14:45 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-12-13.cyberia.net.lb ([195.112.203.14])
          by sand.cyberia.net.lb with SMTP
          id <20030528211017.GXWM1948.sand@ppp-12-13.cyberia.net.lb>;
          Thu, 29 May 2003 00:10:17 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org, jon@callas.org
Subject: Re: Suggested DER Prefixes
Date: Thu, 29 May 2003 00:12:53 +0200
Organization: ECLiPSE
Message-ID: <v5badvs0p3379hjfj70v2t20bqua8qtd00@4ax.com>
References: <rbmmcvcar5221v7g9oujc4ela5ctbe331i@4ax.com> <BAF0F899.800101B4%jon@callas.org>
In-Reply-To: <BAF0F899.800101B4%jon@callas.org>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h4SLEkAF067571
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: HAVAL-5-160 ;)

Hello Mr Callas,

Please do allow me to table the following:

And while you are at it, please do kindly remove
IDEA, CAST5, MD2, MD5, and AES < 256 bits.

The above algorithms will, no doubt, be rendered useless
given any advances in the attacks.

The OpenPGP suite of symmetric ciphers and hashing algorithms
is deficient; more algorithms are needed.  While less is better,
I don't think that this principle should be applied
to the fundamental level of ciphers and hashes.
The implementer does not write the code for these, he just
plugs them in.  If he is too lazy to do so, then, I think,
he ought to consider some other endeavor.
I wish that the "less is better" principle were
applied to the higher levels; this is where
all the complexity lies.

my 2c,

Best Regards,

Imad R. Faiad

P.S. Just out of curiosity, what in the heck is "DES/SK"?
     any references?


On Wed, 21 May 2003 09:34:17 -0700, you wrote:

>On 5/21/03 4:11 AM, "Imad R. Faiad" <matic@cyberia.net.lb> wrote:
>
>> PS Can someone clarify OpenPGP symmetric
>> algorithm ID: 6 (DES/SK), I mean, what
>> variant of the DES algorithm are we talking about.
>> TIA
>> 
>
>DES/SK is being removed. Don't implement it.
>
>> //Double width SHA (SHA1x) experimental algorithm
>> //Used In: PGP 5.x
>> //OpenPGP Hash Algorithm ID: 04
>> unsigned char const SHA1xDERprefix[] = {
>> 0x30, /* Universal, Constructed, Sequence */
>> 0x35, /* Length 53 (bytes following) */
>> 0x30,  /* Universal, Constructed, Sequence */
>> 0x09,  /* Length 9 bytes*/
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x05, /*Length 5 bytes*/
>>   0x53, 0x48, 0x41, 0x31, 0x78,  /*SHA1x*/
>> 0x05,  /* Universal, Primitive, NULL */
>> 0x00, /* Length 0 */
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x28 /* Length 40 bytes = 320 bits*/
>> /* 40 bytes SHA1x digest start here */
>> };
>> 
>
>Double-width SHA was an experimental thing some people were using for
>wider DSA, it was never widely implemented. Don't implement it.
>
>> //HAVAL 5 pass, 160 bits (HAVAL-5-160)
>> //OpenPGP Hash Algorithm ID: 07
>> //Used in: PGP 2.6.3ia-multi04+
>> unsigned char const HAVAL_5_160_DERprefix[] = {  /* hyphens are not legal in a C identifier */
>> 0x30, /* Universal, Constructed, Sequence */
>> 0x27, /* Length 39 (bytes following) */
>> 0x30,  /* Universal, Constructed, Sequence */
>> 0x0f,  /* Length 15 bytes*/
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x0B, /*Length 11 bytes*/
>>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>>   0x35, 0x2D, 0x31, 0x36, 0x30, /*HAVAL-5-160*/
>> 0x05,  /* Universal, Primitive, NULL */
>> 0x00, /* Length 0 */
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x14 /* Length 20 bytes = 160 bits*/
>> /* 20 bytes HAVAL-5-160 digest start here */
>> };
>> 
>> //HAVAL 5 pass, 256 bits (HAVAL-5-256)
>> //OpenPGP Hash Algorithm ID: None
>> //Used in: PGP 2.6.3ia-multi04+
>> //Hash Algorithm ID used: 11
>> unsigned char const HAVAL_5_256_DERprefix[] = {  /* hyphens are not legal in a C identifier */
>> 0x30, /* Universal, Constructed, Sequence */
>> 0x33, /* Length 51 (bytes following) */
>> 0x30,  /* Universal, Constructed, Sequence */
>> 0x0f,  /* Length 15 bytes*/
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x0B, /*Length 11 bytes*/
>>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>>   0x35, 0x2D, 0x32, 0x35, 0x36, /*HAVAL-5-256*/
>> 0x05,  /* Universal, Primitive, NULL */
>> 0x00, /* Length 0 */
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x20 /* Length 32 bytes = 256 bits*/
>> /* 32 bytes HAVAL-5-256 digest start here */
>> };
>
>Haval is being removed. Don't bother.
>
>Now that there are the wide SHAs, they are what you should be
>implementing.  
>
>    Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2irf

-----END PGP SIGNATURE-----
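The tables quoted above are hand-typed DER, and the one defect that table form invites is a miscounted length octet, which surfaces only as a signature that fails to verify. The following is an added example (my own, not code from the thread or from any PGP implementation) that builds a prefix of the exact layout those tables use (SEQUENCE of an algorithm SEQUENCE holding an OCTET STRING name plus NULL, then the digest's OCTET STRING header) and a checker that validates every length octet; the three byte strings are transcribed from the quoted tables, and the check applies equally to any hand-built prefix of this shape.

```python
"""Build and cross-check DigestInfo-style DER prefixes of the layout used by
the tables quoted in this thread (added example, not code from the thread
or from any PGP implementation):

    SEQUENCE {
        SEQUENCE { OCTET STRING <algorithm name>, NULL },
        OCTET STRING <digest>
    }

Standard PKCS#1 DigestInfo puts an OBJECT IDENTIFIER where these tables put
an OCTET STRING name; the layout here is the thread's, reproduced as-is.
Only short-form DER lengths (< 128 octets) are handled, which covers every
prefix of this kind.
"""
from __future__ import annotations

SEQUENCE, OCTET_STRING, NULL = 0x30, 0x04, 0x05


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag + short-form length + body."""
    if len(body) >= 0x80:
        raise ValueError("body too long for a short-form length")
    return bytes([tag, len(body)]) + body


def der_prefix(name: str, digest_len: int) -> bytes:
    """Bytes that precede a digest_len-octet digest for algorithm `name`.

    The outer SEQUENCE length counts the digest that will follow, so the
    prefix ends with the digest's OCTET STRING header.
    """
    algo = _tlv(SEQUENCE, _tlv(OCTET_STRING, name.encode("ascii")) + _tlv(NULL, b""))
    outer_len = len(algo) + 2 + digest_len
    if digest_len >= 0x80 or outer_len >= 0x80:
        raise ValueError("digest too long for a short-form length")
    return bytes([SEQUENCE, outer_len]) + algo + bytes([OCTET_STRING, digest_len])


def parse_prefix(prefix: bytes) -> tuple[str, int]:
    """Parse a prefix and verify every length octet against what it spans.

    Returns (algorithm name, digest length) or raises ValueError, so a
    hand-typed table with a miscounted length octet is caught before it
    ever goes into a signature.
    """
    def header(pos: int, tag: int) -> tuple[int, int]:
        # Read one tag + short-form length; return (length, offset of body).
        if pos + 2 > len(prefix):
            raise ValueError(f"truncated at offset {pos}")
        if prefix[pos] != tag:
            raise ValueError(f"expected tag {tag:#04x} at offset {pos}, got {prefix[pos]:#04x}")
        if prefix[pos + 1] >= 0x80:
            raise ValueError(f"long-form length at offset {pos + 1}")
        return prefix[pos + 1], pos + 2

    outer_len, p = header(0, SEQUENCE)
    algo_len, p = header(p, SEQUENCE)
    algo_end = p + algo_len
    name_len, p = header(p, OCTET_STRING)
    name = prefix[p:p + name_len].decode("ascii")
    p += name_len
    null_len, p = header(p, NULL)
    if null_len != 0:
        raise ValueError("NULL must have length 0")
    if p != algo_end:
        raise ValueError("algorithm SEQUENCE length does not match its contents")
    digest_len, p = header(p, OCTET_STRING)
    if p != len(prefix):
        raise ValueError("unexpected bytes after the digest header")
    # The outer length spans everything after its own two-octet header,
    # plus the digest_len octets of digest that follow the prefix.
    if outer_len != len(prefix) - 2 + digest_len:
        raise ValueError(f"outer SEQUENCE length {outer_len} does not match")
    return name, digest_len


def prefix_is_consistent(prefix: bytes) -> bool:
    """True if parse_prefix accepts the prefix."""
    try:
        parse_prefix(prefix)
    except ValueError:
        return False
    return True


# The three tables quoted in the thread, transcribed as byte strings.
THREAD_PREFIXES = {
    "SHA1x": bytes.fromhex("3035 3009 0405 5348413178 0500 0428"),
    "HAVAL-5-160": bytes.fromhex("3027 300f 040b 484156414c2d352d313630 0500 0414"),
    "HAVAL-5-256": bytes.fromhex("3033 300f 040b 484156414c2d352d323536 0500 0420"),
}


def check_thread_tables() -> dict[str, int]:
    """Parse each quoted table, confirm der_prefix() regenerates it byte for
    byte, and return {name: digest length in octets}."""
    result = {}
    for name, table in THREAD_PREFIXES.items():
        parsed_name, digest_len = parse_prefix(table)
        if parsed_name != name or der_prefix(name, digest_len) != table:
            raise ValueError(f"table for {name} is inconsistent")
        result[name] = digest_len
    return result


if __name__ == "__main__":
    for name, n in check_thread_tables().items():
        print(f"{name}: {n}-octet digest, prefix {THREAD_PREFIXES[name].hex()}")
    # A miscounted outer length (0x34 instead of 0x35) is rejected.
    bad = bytes([0x30, 0x34]) + THREAD_PREFIXES["SHA1x"][2:]
    print("miscounted table accepted?", prefix_is_consistent(bad))
```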




From owner-ietf-openpgp@mail.imc.org  Wed May 28 23:53:28 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA05487
	for <openpgp-archive@lists.ietf.org>; Wed, 28 May 2003 23:53:28 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T3NSAF079739
	for <ietf-openpgp-bks@above.proper.com>; Wed, 28 May 2003 20:23:28 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4T3NSkc079738
	for ietf-openpgp-bks; Wed, 28 May 2003 20:23:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T3NRAF079733
	for <ietf-openpgp@imc.org>; Wed, 28 May 2003 20:23:27 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h4T3NIw29409;
	Wed, 28 May 2003 23:23:18 -0400
Date: Wed, 28 May 2003 23:23:18 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Signature targets and where they should be used
Message-ID: <20030529032318.GD24935@jabberwocky.com>
Mail-Followup-To: Jon Callas <jon@callas.org>,
	OpenPGP <ietf-openpgp@imc.org>
References: <20030416213837.GE1184@jabberwocky.com> <BAF973AF.80010F60%jon@callas.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <BAF973AF.80010F60%jon@callas.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (4% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, May 27, 2003 at 07:57:35PM -0700, Jon Callas wrote:
> 
> On 4/16/03 2:38 PM, "David Shaw" <dshaw@jabberwocky.com> wrote:
> 
> Is there a consensus on this?
> 
> Personally, I think that the SHOULD is good enough. If you want to do a
> blind notary, you have the perfect reason not to put the target packet
> there.
> 
> However, I included this text: "Note that we really do mean SHOULD. There
> are plausible uses for this (such as a blind notary that only sees the
> signature, not the key nor source document) that cannot include a target
> subpacket."

The gist of my original comment was that a signature target is
actually needed when issuing a certification revocation signature
(i.e. 0x30).  This is a signature (the 0x30 sig) on the hash of an
object (the pk+user ID) that actually refers to another signature (the
signature being revoked).  A signature target there is necessary to
know which signature is being revoked.

With notary signatures, on the other hand, it is clear which signature
is being signed.  The notary signature itself won't even verify if we
check it against the wrong signature.  Including a signature target
there is like making a signature (the 0x50) on the hash of an object
(the signature being notarized), that contains a second copy of the
signature being notarized in the signature target subpacket.  Why
SHOULD someone include it twice?

Saying nothing at all on the subject of signature targets and notary
signatures, or even making it a "MAY" just seems simpler.

All that said, I'm okay with the added clarification above. :)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+1X0m4mZch0nhy8kRApH6AKDRPC7Y+o9p3O1d9kIYLFeJZp1/FgCghVdi
Cw/SrIx2YnPes9/1Vp2Csfs=
=KK5x
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Thu May 29 04:06:14 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA22372
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 04:06:13 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T7p1AF004641
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 00:51:01 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4T7p1qB004640
	for ietf-openpgp-bks; Thu, 29 May 2003 00:51:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T7oqAF004583
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 00:50:53 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Thu, 29 May 2003 00:50:51 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 29 May 2003 00:50:53 -0700
Subject: Re: Suggested DER Prefixes
From: Jon Callas <jon@callas.org>
To: "Imad R. Faiad" <matic@cyberia.net.lb>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFB09ED.800110E8%jon@callas.org>
In-Reply-To: <v5badvs0p3379hjfj70v2t20bqua8qtd00@4ax.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/28/03 3:12 PM, "Imad R. Faiad" <matic@cyberia.net.lb> wrote:

> And while you are at it, please do kindly remove
> IDEA, CAST5, MD2, MD5, and AES < 256 bits.
> 
> The above algorithms, will, no doubt, be rendered useless,
> given any advances in the attacks.
> 

In the soon-to-be finished bis08, IDEA is a MAY. MD2 has been removed (since
anything that used it is long-dead), and MD5 is moved to a MAY with lots of
grumbling. There's no reason to remove CAST5, and no reason to remove AES
below 256. In fact, there are those who feel safer with AES at 128 than at
256.

> P.S. Just out of curiosity, what in the heck is "DES/SK"?
>    any references?

It is an improvement on DES from Uri Blumenthal and Steve Bellovin. Here's a
reference: <http://www.research.att.com/~smb/papers/ides.pdf>. It's a way to
get reasonable security out of DES without having to do 3DES. It's a pretty
cool idea, but it never went anywhere, for a number of reasons.

    Jon



From owner-ietf-openpgp@mail.imc.org  Thu May 29 07:48:19 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA28352
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 07:48:19 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TBVLAF027577
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 04:31:21 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TBVL99027576
	for ietf-openpgp-bks; Thu, 29 May 2003 04:31:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TBVHAF027561
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 04:31:17 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h4TBQN3j018906;
	Thu, 29 May 2003 07:26:24 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h4TBUfV20616;
	Thu, 29 May 2003 07:30:48 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id ACD857B4D; Thu, 29 May 2003 07:30:40 -0400 (EDT)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: Jon Callas <jon@callas.org>
Cc: "Imad R. Faiad" <matic@cyberia.net.lb>, OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Suggested DER Prefixes 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 29 May 2003 07:30:40 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030529113040.ACD857B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


In message <BAFB09ED.800110E8%jon@callas.org>, Jon Callas writes:
>

>
>> P.S. Just out of curiosity, what in the heck is "DES/SK"?
>>    any references?
>
>It is an improvement on DES from Uri Blumenthal and Steve Bellovin. Here's a
>reference: <http://www.research.att.com/~smb/papers/ides.pdf>. It's a way to
>get reasonable security out of DES without having to do 3DES. It's a pretty
>cool idea, but it never went anywhere, for a number of reasons.
>

And with the advent of AES, I don't foresee anyone using it.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ietf-openpgp@mail.imc.org  Thu May 29 11:05:19 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA06602
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 11:05:18 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TEiJAF036142
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 07:44:19 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TEiJRh036141
	for ietf-openpgp-bks; Thu, 29 May 2003 07:44:19 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail2.wiktel.com (mail.northborderrealty.com [204.221.145.8])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TEiHAF036136
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 07:44:18 -0700 (PDT)
	(envelope-from rlaager@wiktel.com)
Received: from NB1131 (unverified [209.32.118.218]) by wiktel.com
 (Rockliffe SMTPRA 5.3.4) with ESMTP id <B0000685503@mail2.wiktel.com> for <ietf-openpgp@imc.org>;
 Thu, 29 May 2003 09:45:26 -0500
From: "Richard Laager" <rlaager@wiktel.com>
To: <ietf-openpgp@imc.org>
Subject: RE: Suggested DER Prefixes
Date: Thu, 29 May 2003 09:44:11 -0500
Organization: Wikstrom Telecom Internet
Message-ID: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
In-Reply-To: <BAFB09ED.800110E8%jon@callas.org>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jon Callas wrote:
>            In fact, there are those who feel safer with AES 
> at 128 than at
> 256.

Any particular reason(s)? Is there any merit to these reason(s)?

Thanks,
Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPtYb1m31OrleHxvOEQJUuwCghKCDPQ4NtBRi+zkz425uNJzO5DoAoOZa
Hlg8Xxym5RIuZ7TJ0+Fvg52Q
=tH7T
-----END PGP SIGNATURE-----



From owner-ietf-openpgp@mail.imc.org  Thu May 29 11:38:48 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07651
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 11:38:47 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TFLxAF040952
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 08:21:59 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TFLxlv040951
	for ietf-openpgp-bks; Thu, 29 May 2003 08:21:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TFLvAF040945
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 08:21:58 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h4TFLwNM011059;
	Thu, 29 May 2003 11:21:58 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h4TFLv7e003399;
	Thu, 29 May 2003 11:21:57 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h4TFLuU8019075;
	Thu, 29 May 2003 11:21:57 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id LAA13657; Thu, 29 May 2003 11:21:56 -0400 (EDT)
To: "Richard Laager" <rlaager@wiktel.com>
Cc: <ietf-openpgp@imc.org>
Subject: Re: Suggested DER Prefixes
References: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
From: Derek Atkins <warlord@MIT.EDU>
Date: 29 May 2003 11:21:56 -0400
In-Reply-To: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
Message-ID: <sjmu1bdg4mj.fsf@kikki.mit.edu>
Lines: 21
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


"Richard Laager" <rlaager@wiktel.com> writes:

> Jon Callas wrote:
> >            In fact, there are those who feel safer with AES 
> > at 128 than at
> > 256.
> 
> Any particular reason(s)? Is there any merit to these reason(s)?

The difficulty in obtaining 256 bits of key entropy?

> Thanks,
> Richard Laager

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


From owner-ietf-openpgp@mail.imc.org  Thu May 29 13:16:07 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10716
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 13:16:06 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGquAF044230
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 09:52:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TGquG4044229
	for ietf-openpgp-bks; Thu, 29 May 2003 09:52:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from possum.cryptohill.net (cambist.cryptohill.net [24.244.145.35])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGqsAF044224
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 09:52:55 -0700 (PDT)
	(envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (grolsch.cryptohill.net [24.244.145.13])
	by possum.cryptohill.net (Postfix) with ESMTP
	id 9A9D2AE0E3; Thu, 29 May 2003 12:52:55 -0400 (EDT)
Date: Thu, 29 May 2003 12:52:56 -0400
Subject: Re: Suggested DER Prefixes
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
Cc: "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
To: Derek Atkins <warlord@MIT.EDU>
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
In-Reply-To: <sjmu1bdg4mj.fsf@kikki.mit.edu>
Message-Id: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit



On Thursday, May 29, 2003, at 11:21 US/Eastern, Derek Atkins wrote:

>
> "Richard Laager" <rlaager@wiktel.com> writes:
>
>> Jon Callas wrote:
>>>            In fact, there are those who feel safer with AES
>>> at 128 than at
>>> 256.
>>
>> Any particular reason(s)? Is there any merit to these reason(s)?
>
> The difficulty in obtaining 256 bits of key entropy?

Hmm... if I read you correctly that would imply that AES-256 with a key 
containing 128 bits of entropy is less secure than AES-128 with a key 
containing 128 bits of entropy. Do you know of a document where this 
would be explained?

Cheers!
-J
-- 
Jeroen C. van Gelderen - jeroen@vangelderen.org

When Germany invaded Czechoslovakia and Poland, its declared justification
was to free the Germans living in those countries from the tyranny of the
Czech and Polish governments. When Germany invaded the Soviet Union in
1941, one of its declared purposes was to "liberate" the Russian people
from communist tyranny.



From owner-ietf-openpgp@mail.imc.org  Thu May 29 13:16:40 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10733
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 13:16:40 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGtWAF044379
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 09:55:32 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TGtW7G044378
	for ietf-openpgp-bks; Thu, 29 May 2003 09:55:32 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGtUAF044373
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 09:55:30 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h4TGtVNM015428;
	Thu, 29 May 2003 12:55:31 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h4TGtU7e015474;
	Thu, 29 May 2003 12:55:31 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h4TGtUFJ006481;
	Thu, 29 May 2003 12:55:30 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id MAA13856; Thu, 29 May 2003 12:55:30 -0400 (EDT)
To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc: "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Suggested DER Prefixes
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
Date: 29 May 2003 12:55:29 -0400
In-Reply-To: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
Message-ID: <sjmd6i1g0am.fsf@kikki.mit.edu>
Lines: 24
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


"Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:

> >>>            In fact, there are those who feel safer with AES
> >>> at 128 than at
> >>> 256.
> >>
> >> Any particular reason(s)? Is there any merit to these reason(s)?
> >
> > The difficulty in obtaining 256 bits of key entropy?
> 
> Hmm... if I read you correctly that would imply that AES-256 with a
> key containing 128 bits of entropy is less secure than AES-128 with a
> key containing 128 bits of entropy. Do you know of a document where
> this would be explained?

I certainly did not say "less secure", did I?  It's certainly
much SLOWER, and certainly is not MORE secure... 

-derek

--
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Thu May 29 13:21:16 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10819
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 13:21:16 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TH57AF044698
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 10:05:07 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TH57jR044697
	for ietf-openpgp-bks; Thu, 29 May 2003 10:05:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from possum.cryptohill.net (cambist.cryptohill.net [24.244.145.35])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TH56AF044691
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 10:05:06 -0700 (PDT)
	(envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (grolsch.cryptohill.net [24.244.145.13])
	by possum.cryptohill.net (Postfix) with ESMTP
	id 029E8AE0E3; Thu, 29 May 2003 13:05:08 -0400 (EDT)
Date: Thu, 29 May 2003 13:05:08 -0400
Subject: Re: Suggested DER Prefixes
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
Cc: "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
To: Derek Atkins <derek@ihtfp.com>
From: Jeroen van Gelderen <jeroen@vangelderen.org>
In-Reply-To: <sjmd6i1g0am.fsf@kikki.mit.edu>
Message-Id: <B39206D0-91F7-11D7-B472-000393754B1C@vangelderen.org>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit



On Thursday, May 29, 2003, at 12:55 US/Eastern, Derek Atkins wrote:

> "Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
>
>>>>>            In fact, there are those who feel safer with AES
>>>>> at 128 than at
>>>>> 256.
>>>>
>>>> Any particular reason(s)? Is there any merit to these reason(s)?
>>>
>>> The difficulty in obtaining 256 bits of key entropy?
>>
>> Hmm... if I read you correctly that would imply that AES-256 with a
>> key containing 128 bits of entropy is less secure than AES-128 with a
>> key containing 128 bits of entropy. Do you know of a document where
>> this would be explained?
>
> I certainly did not say "less secure", did I?  It's certainly
> much SLOWER, and certainly is not MORE secure...

The original statement was:

   "In fact, there are those who feel safer with AES at 128 than at 256."

According to my English interpreter this implied "...more secure with 
AES 128...". Still does. You answered with what appeared to be a 
rationale for precisely this statement.

Cheers,
-J
-- 
Jeroen C. van Gelderen - jeroen@vangelderen.org

When Germany invaded Czechoslovakia and Poland, its declared justification
was to free the Germans living in those countries from the tyranny of the
Czech and Polish governments. When Germany invaded the Soviet Union in
1941, one of its declared purposes was to "liberate" the Russian people
from communist tyranny.



From owner-ietf-openpgp@mail.imc.org  Thu May 29 13:49:53 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA11755
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 13:49:52 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4THU7AF046558
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 10:30:07 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4THU6PY046557
	for ietf-openpgp-bks; Thu, 29 May 2003 10:30:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4THU5AF046552
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 10:30:06 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from systemics.com (guderian.cryptohill.net [24.244.145.14])
	by mx1.cryptohill.net (Postfix) with ESMTP
	id DF8051C8A7; Thu, 29 May 2003 13:30:03 -0400 (EDT)
Message-ID: <3ED6427A.42B5230A@systemics.com>
Date: Thu, 29 May 2003 13:25:14 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Use of the term "notarised signature"?
References: <BAF973AF.80010F60%jon@callas.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


When the word "notarised signature" is used, is this
a term that has been tested against the legal meaning
of the words?

Specifically, the term has quite different significances
under civil code and common law.  In the civil code, a
notary is a very important person, perhaps more significant
than an attorney.  He or she has to study for 6 years to
obtain their qualification, and it is a tightly constrained
field (at least in the country I'm mildly familiar with).

When a notary notarises a document in a civil law country,
he is inherently taking some view on the document.  In
some cases, a notary refuses to participate on some
arbitrary grounds such as an unfamiliar document or a
person not within jurisdiction.  Signatures also may be
meaningless unless notarised.

This seems to be in complete contrast to the common law
view, where only the signature is notarised and the signer
is identified.

My question then would be, has anyone tested this notion
of implying a notary function with a civil law expert?

If not, as a minimum, it might be a good idea to add
a statement that the use of the term is not meant to
draw from the legal definition(s) of same.

Or, describe the feature as potentially providing a
feature useful for notaries, rather than calling it
"notarised signatures."

The main issue here is that if someone does use OpenPGP's
new notarised signature form, will that imply an
unexpected legal meaning in the wrong country?  I know
some countries are very jumpy about the misuse of
terms, and at least one big/rich country in particular
puts people in jail for misrepresenting their status.


(Apologies for jumping in late and briefly on this one.)

-- 
iang


From owner-ietf-openpgp@mail.imc.org  Thu May 29 14:53:23 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14122
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 14:53:20 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TISDAF050606
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 11:28:13 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TISDP1050604
	for ietf-openpgp-bks; Thu, 29 May 2003 11:28:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.infoseccorp.com ([12.2.121.3])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TISCAF050595
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 11:28:12 -0700 (PDT)
	(envelope-from markowitz@infoseccorp.com)
Received: from mjm340.infoseccorp.com (mjm [12.2.121.12])
	by mail.infoseccorp.com (AIX4.3/8.9.3/8.9.3) with ESMTP id NAA18066;
	Thu, 29 May 2003 13:29:38 -0500
Message-Id: <5.2.0.9.2.20030529131915.02833f40@12.2.121.3>
X-Sender: mjm@12.2.121.3 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Thu, 29 May 2003 13:27:47 -0500
To: Jeroen van Gelderen <jeroen@vangelderen.org>
From: Mike Markowitz <markowitz@infoseccorp.com>
Subject: AES-128 (was Re: Suggested DER Prefixes)
Cc: Derek Atkins <derek@ihtfp.com>, "Richard Laager" <rlaager@wiktel.com>,
        <ietf-openpgp@imc.org>
In-Reply-To: <B39206D0-91F7-11D7-B472-000393754B1C@vangelderen.org>
References: <sjmd6i1g0am.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


At 01:05 PM 5/29/2003 -0400, Jeroen van Gelderen wrote:
>The original statement was:
>
>   "In fact, there are those who feel safer with AES at 128 than at 256."

I believe that when rumors of the initial Courtois & Pieprzyk work first
made the rounds (Crypto '01?), it was "whispered" that their attack only
applied to (or was simply more efficient at?) the 2 larger key sizes, but
not to/at 128. The situation now seems to be much more complicated. See,
for example:
         http://www.minrank.org/aes/

-mjm 



From owner-ietf-openpgp@mail.imc.org  Thu May 29 15:15:37 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA15937
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 15:15:37 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TItVAF053717
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 11:55:31 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TItVuu053716
	for ietf-openpgp-bks; Thu, 29 May 2003 11:55:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TItUAF053700
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 11:55:30 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h4TItQv02398
	for ietf-openpgp@imc.org; Thu, 29 May 2003 14:55:26 -0400
Date: Thu, 29 May 2003 14:55:26 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Use of the term "notarised signature"?
Message-ID: <20030529185526.GA2193@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <3ED6427A.42B5230A@systemics.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (2% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
> 
> When the word "notarised signature" is used, is this
> a term that has been tested against the legal meaning
> of the words?
> 
> Specifically, the term has quite different significances
> under civil code and common law.  In the civil code, a
> notary is a very important person, perhaps more significant
> than an attorney.  He or she has to study for 6 years to
> obtain their qualification, and it is a tightly constrained
> field (at least in the country I'm mildly familiar with).

The term "notary signature" should not imply any legal meaning
whatsoever.  As you point out, it means different things to different
people in different places.

I can't imagine the terminology is a problem.  After all, the terms
"signature", and "certification" mean different things in different
legal jurisdictions as well, and PGP has been using those terms for
over a decade.

> If not, as a minimum, it might be a good idea to add
> a statement that the use of the term is not meant to
> draw from the legal definition(s) of same.

I'm okay with this if the WG thinks it is necessary, though if we're
going to go down that route, it would probably be simpler to put a
single sentence in the introduction disclaiming any legal standing for
terminology used in the whole document than it would be to add
specific notes to the notary section.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+1lee4mZch0nhy8kRAmC8AKCf4/EvXjuYkvabEs8IwXK3hlE/XACgr7+/
ntnmo2Iqd4wIFtYFVIowIU8=
=pfIG
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Thu May 29 19:49:35 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA28103
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 19:49:34 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TNXRAF064274
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 16:33:27 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TNXRoj064273
	for ietf-openpgp-bks; Thu, 29 May 2003 16:33:27 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TNXPAF064267
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 16:33:26 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h4TNXRm8004561;
	Thu, 29 May 2003 19:33:27 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
	by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h4TNXQWu018848;
	Thu, 29 May 2003 19:33:27 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h4TNXQU8016388;
	Thu, 29 May 2003 19:33:26 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id TAA14560; Thu, 29 May 2003 19:33:26 -0400 (EDT)
To: David Shaw <dshaw@jabberwocky.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Use of the term "notarised signature"?
References: <BAF973AF.80010F60%jon@callas.org>
	<3ED6427A.42B5230A@systemics.com>
	<20030529185526.GA2193@jabberwocky.com>
Date: 29 May 2003 19:33:26 -0400
In-Reply-To: <20030529185526.GA2193@jabberwocky.com>
Message-ID: <sjmadd5coqh.fsf@kikki.mit.edu>
Lines: 60
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Ian,

Feel free to bring a lawyer to the table to provide input, but we're
here to create Internet Standards, not Legal Standards.  So long as we
define our own terminology (or use references to definitions) I see no
problem with using the same term as another field in a way different
than that other field uses it.

This is orthogonal to the issue of whether the OpenPGP Notarized
Signature is useful to a "Notary" (in the legal sense).  Making
something that is useful is a Good Thing (TM).  I'd rather make
something useful than make something non-useful.  But not being
a lawyer (or a Notary) I don't know what would be useful.

I would think that having the ability to reference just the signature
or also sig + document in a notary signature would be sufficient to be
useful to any definition of notary....

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
> > 
> > When the word "notarised signature" is used, is this
> > a term that has been tested against the legal meaning
> > of the words?
> > 
> > Specifically, the term has quite different significances
> > under civil code and common law.  In the civil code, a
> > notary is a very important person, perhaps more significant
> > than an attorney.  He or she has to study for 6 years to
> > obtain their qualification, and it is a tightly constrained
> > field (at least in the country I'm mildly familiar with).
> 
> The term "notary signature" should not imply any legal meaning
> whatsoever.  As you point out, it means different things to different
> people in different places.
> 
> I can't imagine the terminology is a problem.  After all, the terms
> "signature", and "certification" mean different things in different
> legal jurisdictions as well, and PGP has been using those terms for
> over a decade.
> 
> > If not, as a minimum, it might be a good idea to add
> > a statement that the use of the term is not meant to
> > draw from the legal definition(s) of same.
> 
> I'm okay with this if the WG thinks it is necessary, though if we're
> going to go down that route, it would probably be simpler to put a
> single sentence in the introduction disclaiming any legal standing for
> terminology used in the whole document than it would be to add
> specific notes to the notary section.
> 
> David

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Thu May 29 20:36:59 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA28104
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 19:49:35 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TNbpAF064635
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 16:37:51 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4TNbpKo064634
	for ietf-openpgp-bks; Thu, 29 May 2003 16:37:51 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TNboAF064629
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 16:37:50 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from systemics.com (guderian.cryptohill.net [24.244.145.14])
	by mx1.cryptohill.net (Postfix) with ESMTP
	id 8551E1C8A8; Thu, 29 May 2003 19:37:52 -0400 (EDT)
Message-ID: <3ED698AD.8B684152@systemics.com>
Date: Thu, 29 May 2003 19:33:02 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: David Shaw <dshaw@jabberwocky.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Use of the term "notarised signature"?
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com> <20030529185526.GA2193@jabberwocky.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


David Shaw wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
> >
> > When the word "notarised signature" is used, is this
> > a term that has been tested against the legal meaning
> > of the words?
> >
> > Specifically, the term has quite different significances
> > under civil code and common law.  In the civil code, a
> > notary is a very important person, perhaps more significant
> > than an attorney.  He or she has to study for 6 years to
> > obtain their qualification, and it is a tightly constrained
> > field (at least in the country I'm mildly familiar with).
> 
> The term "notary signature" should not imply any legal meaning
> whatsoever.  As you point out, it means different things to different
> people in different places.
> 
> I can't imagine the terminology is a problem.  After all, the terms
> "signature", and "certification" mean different things in different
> legal jurisdictions as well, and PGP has been using those terms for
> over a decade.


Right.  That precisely is the issue, in that it
has been observed that the misuse of the word
'signature' by the cryptographic community has
contributed to the mess that is CAs and PKIs...

People have understood that digital signatures
imply legal signatures in some hand waving sense.
People have therefore tried to build systems to
use digital signatures to replace other forms,
generally with little success.

So, I guess what I'm saying is this:  If one
subscribes to the view that a bug in "digital
signatures" is the word "signature", then
perhaps we should not compound that bug by
expanding the term to "notarised signature".

If so, then what in cryptographic terms is
that new form of signature?  As far as I can
see it is a 3rd party signature over a sig:


   0x50: Notary signature.
       This signature is a signature over some other OpenPGP signature
       packet. It is a notary seal on the signed data. ...

I'd suggest something like:

   0x50: 3rd party confirmatory signature.
       This signature is a signature over some other OpenPGP signature
       packet. It provides a mechanism for a 3rd party to confirm the
       first signature over the signed data, and is analogous to a
       notary seal. ...

Except that is a little clumsy.

(also 5.2.3.25.)

> > If not, as a minimum, it might be a good idea to add
> > a statement that the use of the term is not meant to
> > draw from the legal definition(s) of same.
> 
> I'm okay with this if the WG thinks it is necessary, though if we're
> going to go down that route, it would probably be simpler to put a
> single sentence in the introduction disclaiming any legal standing for
> terminology used in the whole document than it would be to add
> specific notes to the notary section.

Sure.  I'm not wedded to the change myself,
I'm just much more sensitive to the legal
system having been recently squeezed through
the mill (and, PGP signatures played a small
part in that ;-)

My perspective comes down to:  "how can we
reduce costs in future disputes?"

The issue with the current text would be
that some poor muggins might have to go
through a court case explaining why the
phrase

    "It is a notary seal on the signed data."

does not imply that it is a notary seal on
the signed data, and the person who signed
it is not fraudulently purporting to be a
notary.

As the text is quite explicit as to what
it is (normally a laudable objective!),
and as the program (optimistically)
conforms to the RFC, then he has a bit
of a battle making the alternate case...

-- 
iang
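
The proposed 0x50 "signature over some other OpenPGP signature packet" can be
made concrete with a small chain: a first party signs the document, a third
party signs the serialised first signature (not the document), and a verifier
checks both links. The following is an added example written for this archive,
not code from the OpenPGP specification or from any of the posters; it uses Go's
standard-library Ed25519 rather than OpenPGP's packet format, and the
`Signature` struct, its `Encode` method, `Confirm`, `VerifyChain` and
`RunScenario` are names chosen here, as is the sample document text.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signature is a simplified stand-in for an OpenPGP signature packet:
// the signer's public key plus the raw signature bytes. This layout is
// constructed for the example and is not the OpenPGP wire format.
type Signature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Encode serialises the signature so that it can itself be signed.
// The confirmation signature covers exactly these bytes.
func (s Signature) Encode() []byte {
	out := append([]byte{}, s.Signer...)
	return append(out, s.Sig...)
}

// SignDocument produces the first-party signature over the document.
func SignDocument(priv ed25519.PrivateKey, doc []byte) Signature {
	return Signature{
		Signer: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, doc),
	}
}

// Confirm produces the third-party confirmation signature. It signs the
// encoded first signature, not the document, which is the distinction
// the list discussion turns on: the confirmer attests that a particular
// signature exists, not the document's contents.
func Confirm(priv ed25519.PrivateKey, first Signature) Signature {
	return SignDocument(priv, first.Encode())
}

// VerifyChain checks both links: the first signature over the document,
// and the confirmation over the first signature. Either failing breaks
// the chain.
func VerifyChain(doc []byte, first, confirmation Signature) error {
	if !ed25519.Verify(first.Signer, doc, first.Sig) {
		return errors.New("first-party signature does not verify over the document")
	}
	if !ed25519.Verify(confirmation.Signer, first.Encode(), confirmation.Sig) {
		return errors.New("confirmation signature does not verify over the first signature")
	}
	return nil
}

// RunScenario builds a chain with freshly generated keys and reports
// whether the intact chain verifies, whether a tampered document is
// rejected, and whether reusing a confirmation with a different
// first-party signature is rejected.
func RunScenario() (chainOK, tamperedDocRejected, swappedSigRejected bool, err error) {
	_, signerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, confirmerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	doc := []byte("constructed sample document") // constructed input
	first := SignDocument(signerPriv, doc)
	conf := Confirm(confirmerPriv, first)

	chainOK = VerifyChain(doc, first, conf) == nil

	// A one-byte change to the document breaks the first link.
	tamperedDocRejected = VerifyChain([]byte("constructed sample document."), first, conf) != nil

	// A different first-party signature (same signer, other document)
	// under the original confirmation breaks the second link.
	otherDoc := []byte("another constructed document")
	other := SignDocument(signerPriv, otherDoc)
	swappedSigRejected = VerifyChain(otherDoc, other, conf) != nil
	return
}

func main() {
	ok, tDoc, tSig, err := RunScenario()
	fmt.Println("chain verifies:", ok, "tampered doc rejected:", tDoc,
		"swapped signature rejected:", tSig, "error:", err)
}
```

Note that the confirmer never sees or signs the document bytes; a verifier who trusts the confirmer learns only that the first signature was presented to them, which is why the wording debate above matters.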


From owner-ietf-openpgp@mail.imc.org  Thu May 29 20:54:32 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA00833
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 20:54:31 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U0fDAF066182
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 17:41:13 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4U0fDnl066181
	for ietf-openpgp-bks; Thu, 29 May 2003 17:41:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U0fBAF066174
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 17:41:12 -0700 (PDT)
	(envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33])
	by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h4U0eTSG028762;
	Fri, 30 May 2003 12:40:29 +1200
Received: (from pgut001@localhost)
	by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h4U0eLr17611;
	Fri, 30 May 2003 12:40:21 +1200
Date: Fri, 30 May 2003 12:40:21 +1200
Message-Id: <200305300040.h4U0eLr17611@medusa01.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: derek@ihtfp.com, jeroen@vangelderen.org
Subject: Re: Suggested DER Prefixes
Cc: ietf-openpgp@imc.org, rlaager@wiktel.com
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Derek Atkins <derek@ihtfp.com> writes:
>"Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
>>Hmm... if I read you correctly that would imply that AES-256 with a
>>key containing 128 bits of entropy is less secure than AES-128 with a
>>key containing 128 bits of entropy. Do you know of a document where
>>this would be explained?
>
>I certainly did not say "less secure", did I?  It's certainly much SLOWER,

"very slightly slower", although given people's obsession with speed at any
cost I guess it'd be safe to say "unacceptably (to the user) slower".

Peter.



From owner-ietf-openpgp@mail.imc.org  Thu May 29 21:53:54 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA04070
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 21:53:53 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U1ebAF068526
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 18:40:37 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4U1ebPP068525
	for ietf-openpgp-bks; Thu, 29 May 2003 18:40:37 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U1eZAF068519
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 18:40:36 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h4U1do707392;
	Thu, 29 May 2003 21:39:50 -0400
Date: Thu, 29 May 2003 21:39:50 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: Derek Atkins <derek@ihtfp.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Use of the term "notarised signature"?
Message-ID: <20030530013950.GC2193@jabberwocky.com>
Mail-Followup-To: Derek Atkins <derek@ihtfp.com>,
	OpenPGP <ietf-openpgp@imc.org>
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com> <20030529185526.GA2193@jabberwocky.com> <sjmadd5coqh.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmadd5coqh.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (2% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 29, 2003 at 07:33:26PM -0400, Derek Atkins wrote:

> This is orthogonal to the issue of whether the OpenPGP Notarized
> Signature is useful to a "Notary" (in the legal sense).  Making
> something that is useful is a Good Thing (TM).  I'd rather make
> something useful than make something non-useful.  But not being
> a lawyer (or a Notary) I don't know what would be useful.

I did some research on this a while back.  One of the services that a
(U.S.) notary provides is "acknowledgment", which to my non-notary eye
looked reasonably close to what we're talking about here.  This is the
notary taking note that a document was signed, and documenting the
fact that notice was taken.  The contents of the document are
generally irrelevant here: just that it was signed and the signer
requested a notary to note that fact (and presumably witness the
making of the signature).  The main difference between an
acknowledgment and this is that generally an acknowledgment contains
the statement that the original signer signed the document by his/her
own free will.

When I asked a lawyer and notary friend about it, she said that the
match I had imagined wasn't so good.  In general, real life notary
functions are far more concerned with identification of the signer
than they are about the immutability of the signed document or
signature itself.  Could the building blocks (signature, notary
signature) we have in OpenPGP be usable to a real notary?  Maybe - but
a number of underlying laws and/or assumptions and/or infrastructure
would have to change first.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+1rZm4mZch0nhy8kRAmOPAKDPaSURwmfq3jTUVzRd4gT0eORlJQCdHGIW
+eUBO9U+Z86MOqrffPxbGo4=
=yW3n
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Thu May 29 22:04:56 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA04346
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 22:04:55 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U1omAF068922
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 18:50:48 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4U1omn3068921
	for ietf-openpgp-bks; Thu, 29 May 2003 18:50:48 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U1olAF068916
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 18:50:47 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [192.168.1.33] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Thu, 29 May 2003 18:50:47 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 29 May 2003 18:50:42 -0700
Subject: Re: Suggested DER Prefixes
From: Jon Callas <jon@callas.org>
To: Richard Laager <rlaager@wiktel.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFC0702.800111E3%jon@callas.org>
In-Reply-To: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/29/03 7:44 AM, "Richard Laager" <rlaager@wiktel.com> wrote:

> Any particular reason(s)? Is there any merit to these reason(s)?

The main reason is that before the AES competition, no one ever built a
128-bit block, nor a 256-bit key. If there is a new way to analyze the
mixing of key, data, and blocksize, you would expect a design oops to show
up on the combination of more key and more blocksize.

Is there merit? What do you mean by merit?

The above concerns are reasonable. Otherwise sane security experts have said
these things. Do I share them myself? Not really. Do I think that even if
there's a weakness in AES-256, it will be *weaker* than AES-128? No.

However, on the other hand, I think that the instant leap to longer keys is
a sign of not understanding crypto. For example, I think that using Blowfish
with a 448 bit key is the sign of a crypto-duffer. There is *nothing* wrong
with a 128 bit key. Let's face it, whatever weakness there is in your system
will almost certainly *not* be in the cipher parts of the system. The cipher
system is the *strongest* part of the system, once you're at 128 bits.

Any OpenPGP-approved cipher is likely to be the strongest link of the chain
of whatever crypto system you're using. A chain is only as strong as its
weakest link, and people who fuss over ciphers are fussing about
strengthening the strongest parts. It's like putting a stronger lock on a door
that still has a hollow wood frame.

The odds are that for any given user, their passphrase is the weakest link
in their OpenPGP use. 128-bit keys are probably the strongest.

    Jon



From owner-ietf-openpgp@mail.imc.org  Thu May 29 22:06:20 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA04379
	for <openpgp-archive@lists.ietf.org>; Thu, 29 May 2003 22:06:20 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U1tlAF069167
	for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 18:55:47 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4U1tlIh069166
	for ietf-openpgp-bks; Thu, 29 May 2003 18:55:47 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4U1tkAF069161
	for <ietf-openpgp@imc.org>; Thu, 29 May 2003 18:55:46 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [192.168.1.33] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2) for <ietf-openpgp@imc.org>;
 Thu, 29 May 2003 18:55:48 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 29 May 2003 18:55:43 -0700
Subject: Re: Use of the term "notarised signature"?
From: Jon Callas <jon@callas.org>
To: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFC082F.800111E7%jon@callas.org>
In-Reply-To: <3ED698AD.8B684152@systemics.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/29/03 4:33 PM, "Ian Grigg" <iang@systemics.com> wrote:
>  0x50: 3rd party confirmatory signature.

I used "Third-Party Confirmation Signature."

    Jon



From owner-ietf-openpgp@mail.imc.org  Fri May 30 16:11:29 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA25895
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 16:11:29 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UJmjAF049778
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 12:48:45 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4UJmjxx049777
	for ietf-openpgp-bks; Fri, 30 May 2003 12:48:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UJmWAF049770
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 12:48:45 -0700 (PDT)
	(envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk)
	by mercury.ex.ac.uk with esmtp (Exim 4.14)
	id 19LprY-00Vjhg-Gh; Fri, 30 May 2003 20:48:28 +0100
Date: Fri, 30 May 2003 20:48:17 +0100
From: Adam Back <adam@cypherspace.org>
To: Derek Atkins <derek@ihtfp.com>
Cc: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>,
        Richard Laager <rlaager@wiktel.com>, ietf-openpgp@imc.org
Subject: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030530204817.A10092308@exeter.ac.uk>
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <sjmd6i1g0am.fsf@kikki.mit.edu>; from derek@ihtfp.com on Thu, May 29, 2003 at 12:55:29PM -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Thu, May 29, 2003 at 12:55:29PM -0400, Derek Atkins wrote:
> "Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
> > >>>            In fact, there are those who feel safer with AES
> > >>> at 128 than at256.
>
> [...]
> 
> I certainly did not say "less secure", did I?  It's certainly
> much SLOWER, and certainly is not MORE secure... 

Actually it may be more secure; AES-256 has more rounds to offer a
more conservative security margin because the key is longer.  If half
of the key is unused, the extra rounds can only help.

So it is either as strong (if AES-128 truly offers 128 bits of
security), or stronger; but not "certainly is not MORE secure..."

Adam


From owner-ietf-openpgp@mail.imc.org  Fri May 30 16:22:26 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA26384
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 16:22:26 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UJvMAF049942
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 12:57:22 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4UJvMgm049941
	for ietf-openpgp-bks; Fri, 30 May 2003 12:57:22 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UJvLAF049936
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 12:57:22 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h4UJvG71013589;
	Fri, 30 May 2003 15:57:16 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h4UJvFgR006863;
	Fri, 30 May 2003 15:57:16 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h4UJvFFJ013846;
	Fri, 30 May 2003 15:57:15 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id PAA16873; Fri, 30 May 2003 15:57:14 -0400 (EDT)
To: Adam Back <adam@cypherspace.org>
Cc: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>,
        Richard Laager <rlaager@wiktel.com>, ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
	<sjmd6i1g0am.fsf@kikki.mit.edu>
	<20030530204817.A10092308@exeter.ac.uk>
Date: 30 May 2003 15:57:14 -0400
In-Reply-To: <20030530204817.A10092308@exeter.ac.uk>
Message-ID: <sjmof1k8axx.fsf@kikki.mit.edu>
Lines: 45
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


I beg to differ, but extra rounds do not necessarily improve
the security.  You still have a 2^128 brute-force attack
against the cipher if you use a 128-bit key.  It doesn't matter
what happens to the other bits.

Regardless, I believe that AES-128 has had significantly more
peer review than the larger elements, and "bigger is not necessarily
better".  As a security engineer you need to use prudence in
choosing which tools to use in which situation.   Based on the
state-of-the-art in 2003, and foreseeable for the next few years,
I believe that AES-128 is sufficient for our needs.

Adding additional ciphers will just decrease interoperability, which
will reduce security because people won't use it.  "The perfect is
the enemy of the good".  Let's get it out there, get it deployed,
make it ubiquitous.  Until that happens, I don't feel we should
be entertaining additional ciphers.

-derek

Adam Back <adam@cypherspace.org> writes:

> On Thu, May 29, 2003 at 12:55:29PM -0400, Derek Atkins wrote:
> > "Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
> > > >>>            In fact, there are those who feel safer with AES
> > > >>> at 128 than at256.
> >
> > [...]
> > 
> > I certainly did not say "less secure", did I?  It's certainly
> > much SLOWER, and certainly is not MORE secure... 
> 
> Actually it may be more secure; AES-256 has more rounds to offer a
> more conservative security margin because the key is longer.  If half
> of the key is unused, the extra rounds can only help.
> 
> So it is either as strong (if AES-128 truly offers 128 bits of
> security), or stronger; but not "certainly is not MORE secure..."
> 
> Adam

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


From owner-ietf-openpgp@mail.imc.org  Fri May 30 17:51:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA29731
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 17:51:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4ULZSAF054153
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 14:35:28 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4ULZSGs054152
	for ietf-openpgp-bks; Fri, 30 May 2003 14:35:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4ULZRAF054141
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 14:35:27 -0700 (PDT)
	(envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk)
	by mercury.ex.ac.uk with esmtp (Exim 4.14)
	id 19LrX1-00VjjO-Ox; Fri, 30 May 2003 22:35:23 +0100
Date: Fri, 30 May 2003 22:35:23 +0100
From: Adam Back <adam@cypherspace.org>
To: Derek Atkins <derek@ihtfp.com>
Cc: ietf-openpgp@imc.org, Adam Back <adam@cypherspace.org>
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030530223523.A10309793@exeter.ac.uk>
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <sjmof1k8axx.fsf@kikki.mit.edu>; from derek@ihtfp.com on Fri, May 30, 2003 at 03:57:14PM -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> You still have a 2^128 brute-force attack against the cipher if you
> use a 128-bit key.  It doesn't matter what happens to the other
> bits.

If the cipher retains 128 bits of security in both configurations,
AES-128 and AES-256 with a 128-bit key, then the security is equal.

But the point at which the security margin of the cipher becomes
interesting is when someone starts to make in-roads into reduced-round
variants, and starts to find attacks with work-factors sub-exponential
in the key-size.

> I beg to differ, but extra rounds do not necessarily improve
> the security.  

One common method of heuristically measuring the strength of a cipher
is to attack reduced-round variants, clearly indicating that fewer
rounds is less secure.

I take this to mean that practically more rounds IS more secure.

Consider that the cipher state goes through a state analogous to a
state it would go through in a reduced-round version on its way to
the longer-round version.  Unless the later rounds somehow _undo_ some
of the security provided by the earlier rounds it will not be less
secure.

Clearly the AES designers consider that more rounds add more security, or
AES-256 would not have more rounds than AES-128.

> As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.

Some people may need security beyond the "next few years".  I'd argue
for standardizing on AES-256.  The computational cost of a few extra
rounds is negligible.

> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Having a smaller choice of options is generally a good thing I agree.

Adam


From owner-ietf-openpgp@mail.imc.org  Fri May 30 20:05:43 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA04170
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 20:05:43 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UNmjAF059695
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 16:48:45 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4UNmjXx059694
	for ietf-openpgp-bks; Fri, 30 May 2003 16:48:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UNmhAF059688
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 16:48:44 -0700 (PDT)
	(envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87])
          by attbi.com (sccrmhc01) with SMTP
          id <2003053023484000100hrahje>; Fri, 30 May 2003 23:48:41 +0000
Message-ID: <3ED7EDD2.4050105@attbi.com>
Date: Fri, 30 May 2003 19:48:34 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu> <20030530223523.A10309793@exeter.ac.uk>
In-Reply-To: <20030530223523.A10309793@exeter.ac.uk>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


With all due respect, Jon, I would like to see a quote from a recognized 
crypto expert who feels that AES-128 is "safer" than AES-256.

AES-256 may not be *more* secure than AES-128, and, as a practical 
matter, I don't think that it is. However, the addition of more rounds 
*cannot* make it weaker. The differences in the key schedule could 
theoretically make AES-256 weaker than AES-128, but there is no reason 
to believe this is the case, and there are good reasons to believe that 
the key schedule of AES-256 makes the cipher at least as strong as or 
stronger than AES-128. One should NEVER fix any bytes of the key to be 
zero, in order to use a 128-bit key with AES-256; this may not make the 
cipher vulnerable, if it is resistant to related-key attacks, but it is 
not good practice.

If the choice for standardization is between AES-128 and AES-256, and 
the sole criterion is algorithm strength, I would recommend AES-256, 
because it might be stronger, and there is very little chance that it is 
weaker. If, however, there are other reasons, such as compatibility with 
other deployed applications, speed or efficiency, there seems little to 
differentiate the two security-wise, and one should choose the more 
compatible/deployable one.

Of course, 3DES is still the most trusted block cipher of all, and there 
are really no security advantages to other ciphers (including AES) for 
encrypting less than 2^32 blocks (32 GB) of data. 3DES is the MUST 
implement algorithm, and this is appropriate given the widespread 
confidence in its design.

Since most security products are advertised on the basis of their 
security, and many uninformed users would instinctively prefer AES-256 
to AES-128 or 3DES, if we *must* migrate away from 3DES for some reason, 
it may be advisable to make AES-256 the "standard" algorithm, just to 
make these people happy, and avoid their switching to another 
application with better support for AES-256 or...<shudder>...2048-bit 
RC4. Of course, if ultimate algorithm confidence is the goal, I think a 
better use of our time would be moving to double-encryption of the 
message key with RSA-KEM and ACE-KEM, as recommended by the Nessie 
project. Come to think of it, a much better use of our time would be 
implementing a form of authenticated encryption. 3DES followed by 
HMAC-SHA1, anyone? :)





From owner-ietf-openpgp@mail.imc.org  Fri May 30 21:04:54 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA06300
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 21:04:53 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0keAF060742
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 17:46:40 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4V0keAa060741
	for ietf-openpgp-bks; Fri, 30 May 2003 17:46:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0kdAF060735
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 17:46:39 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h4V0g53j019431
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 20:42:05 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h4V0kaV00531
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 20:46:36 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP id 46C3E7B4D
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 20:46:35 -0400 (EDT)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes) 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 30 May 2003 20:46:35 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030531004635.46C3E7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Although I'm not concerned about 128-bit keys being too short -- I 
don't think there will *ever* be a brute-force attack on 128 bits -- 
there are some points to think about.  In Rich Schroeppel's comments on 
AES (see http://csrc.nist.gov/CryptoToolkit/aes/round2/comments/R2comments.txt)
he notes that

	Except for RC6 and perhaps Mars, all the ciphers have the property that
	recovering the expanded key will translate into recovering the primary
	key.  More seriously, the key schedules of Rijndael, and to some extent
	Serpent, allow an attacker who recovers (or guesses) some of the
	expanded key to compute additional bits of the expanded key.  Recall
	that both differential and linear attacks on DES benefited from
	replicated subkey bits -- as soon as an attack finds a few subkey bits,
	the game is over.

If the additional rounds for AES256 are not enough to properly mix in 
the extra key bits -- we're spreading twice as many bits over less than 
twice as many operations -- it might (repeat, *might*) make it easier 
to recover some key bits.

But -- no, I don't think that AES256 is less secure than AES128.  I 
also don't think it's needed.  Remember that if you're worried about 
O(2^128) attacks, you really need a much larger public key, too.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ietf-openpgp@mail.imc.org  Fri May 30 21:09:11 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA06382
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 21:09:11 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0qsAF060855
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 17:52:54 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4V0qs8d060854
	for ietf-openpgp-bks; Fri, 30 May 2003 17:52:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from blue.h2np.net (blue.h2np.net [210.145.219.253])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0qqAF060849
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 17:52:52 -0700 (PDT)
	(envelope-from hironobu@mail.h2np.net)
Received: from mail.h2np.net (hironobu@pc [192.168.1.10])
	by blue.h2np.net (8.11.6/8.11.6) with ESMTP id h4V0qrX26514
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 09:52:53 +0900
Message-Id: <200305310052.h4V0qrX26514@blue.h2np.net>
From: Hironobu SUZUKI <hironobu@h2np.net>
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes) 
In-reply-to: Your message of "Fri, 30 May 2003 19:48:34 -0400."
             <3ED7EDD2.4050105@attbi.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Date: Sat, 31 May 2003 09:52:53 +0900
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit



I really think AES-128 is safe against brute-force attacks for the next
decade, but that is not enough.

First of all, I have to say that I am paranoid ;-)

In PGP, TLS and other so-called PKC applications, the symmetric cipher
algorithm will be used with a secret key exchange protocol.  There is a
possibility that the key space of the symmetric cipher shrinks if the key
exchange protocol has a flaw.

The symmetric cipher is good, and the PKC cipher is good also. But if the
protocol has a flaw, then the security margin would be shrunken.

What if 50% of the key space (128 -> 64, 256 -> 128) is corrupted?  A 64-bit
key size does not survive.

I never ignore AES-256, because it becomes a sort of "insurance" when
the worst case of a protocol problem happens.

Regards,

-- 
Hironobu SUZUKI
E-Mail: hironobu@h2np.net
URL: http://h2np.net



From owner-ietf-openpgp@mail.imc.org  Fri May 30 21:48:00 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA07390
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 21:47:59 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V1WuAF061592
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 18:32:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4V1WtJC061591
	for ietf-openpgp-bks; Fri, 30 May 2003 18:32:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V1WsAF061585
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 18:32:55 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h4V1Wq511233
	for ietf-openpgp@imc.org; Fri, 30 May 2003 21:32:52 -0400
Date: Fri, 30 May 2003 21:32:52 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030531013251.GB9855@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmof1k8axx.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is New
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> 
> I beg to differ, but extra rounds do not necessarily improve
> the security.  You still have a 2^128 brute-force attack
> against the cipher if you use a 128-bit key.  It doesn't matter
> what happens to the other bits.
> 
> Regardless, I believe that AES-128 has had significantly more
> peer review than the larger elements, and "bigger is not necessarily
> better".  As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.
> 
> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Just to clarify what I thought I was reading: are you suggesting that
AES-256 (and presumably AES-192) be dropped from OpenPGP, or is that
just a general comment?

I was in favor of dropping TIGER, MD2, SAFER, etc, but AES-192 and 256
are already widely implemented and deployed (PGP 7 and later, GnuPG
1.0.4 and later).  Removing those two ciphers now would cause pretty
serious interoperability problems.

Perhaps I misunderstood your thrust, in which case, my apologies.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+2AZD4mZch0nhy8kRAuxFAJ9W2XXEbJVO7VEYerXJsK9FtwunWQCgmkG7
EnaQn5QSpZoVLZjja6He7HQ=
=aEtu
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Fri May 30 22:32:59 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA08953
	for <openpgp-archive@lists.ietf.org>; Fri, 30 May 2003 22:32:58 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V2B3AF062362
	for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 19:11:03 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4V2B3bd062361
	for ietf-openpgp-bks; Fri, 30 May 2003 19:11:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V2B1AF062352
	for <ietf-openpgp@imc.org>; Fri, 30 May 2003 19:11:02 -0700 (PDT)
	(envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87])
          by attbi.com (sccrmhc01) with SMTP
          id <2003053102105900100hrqrie>; Sat, 31 May 2003 02:10:59 +0000
Message-ID: <3ED80F2F.50105@attbi.com>
Date: Fri, 30 May 2003 22:10:55 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
References: <20030531004635.46C3E7B4D@berkshire.research.att.com>
In-Reply-To: <20030531004635.46C3E7B4D@berkshire.research.att.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Steve, I appreciate your comments, and while I acknowledge that the 
differing key schedules between AES-128 and AES-256 could, in theory, 
make AES-256 weaker than AES-128, IMHO, the reverse is more likely true. 
It bears repeating that I don't think it makes much difference, since, 
in practice, both are likely to remain unbroken for at least a few decades.

If one recovers a single round key from AES-128, one can calculate all 
the other round keys, and the primary key. This is by design, to 
conserve on memory, since the expanded key does not need to be stored. 
With AES-256, one has to recover two (consecutive?) round keys to 
recover the other round keys or the primary key. So, I respectfully 
disagree that AES-256 suffers from the problem of trying to spread 
"twice as many bits over less than twice as many operations."
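
Both Steve Bellovin's quoted comment (that recovered expanded-key bits lead back to the primary key) and John's reply above make a claim that can be checked directly against the FIPS-197 key expansion. The following is an added example, not code from the list or from any of the posters: a from-scratch AES key expansion with the schedule run backwards. The function names and the AES-256/AES-192 test keys are assumptions for the example; the AES-128 key and expected last round key are the FIPS-197 Appendix A.1 test vector.

```python
# Added example: FIPS-197 key expansion written from scratch, plus the
# schedule run backwards.  Shows why one AES-128 round key yields the
# primary key while AES-256 needs two consecutive round keys (nk = 8 words).


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements (schoolbook, no lookup tables)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            inv[x] = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
            inv[inv[x]] = x
    sbox = []
    for b in inv:
        s = b
        for i in range(1, 5):                            # b ^ rotl(b, 1..4)
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _transform(word, i, nk):
    """The per-word step FIPS-197 applies to w[i-1] before XOR with w[i-nk]."""
    t = list(word)
    if i % nk == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]             # SubWord(RotWord(t))
        t[0] ^= RCON[i // nk]
    elif nk > 6 and i % nk == 4:
        t = [SBOX[b] for b in t]                         # extra SubWord, AES-256 only
    return t


def expand_key(key):
    """KeyExpansion: returns the 4*(Nr+1) schedule words, Nr = nk + 6."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("key must be 16, 24 or 32 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        w.append([a ^ b for a, b in zip(w[i - nk], _transform(w[i - 1], i, nk))])
    return w


def round_key(schedule, r):
    """Round key r is schedule words 4r .. 4r+3."""
    return schedule[4 * r:4 * r + 4]


def recover_master_key(words, first, key_len):
    """Run the schedule backwards from nk consecutive known words w[first ..
    first+nk-1]; each step computes w[i-nk] = w[i] ^ T(w[i-1]).  Fewer than
    nk words leaves w[i-1] unknown, so one 4-word round key suffices only for AES-128."""
    nk = key_len // 4
    if len(words) != nk:
        raise ValueError("need exactly nk=%d consecutive schedule words" % nk)
    if first < 0 or first + nk > 4 * (nk + 7):
        raise ValueError("word index outside the key schedule")
    w = {first + j: list(words[j]) for j in range(nk)}
    for i in range(first + nk - 1, nk - 1, -1):
        w[i - nk] = [a ^ b for a, b in zip(w[i], _transform(w[i - 1], i, nk))]
    return bytes(b for j in range(nk) for b in w[j])


if __name__ == "__main__":
    key128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 vector
    s = expand_key(key128)
    print("AES-128 last round key :", bytes(sum(round_key(s, 10), [])).hex())
    print("primary key from it    :", recover_master_key(round_key(s, 10), 40, 16).hex())

    key256 = bytes(range(32))                                        # constructed test key
    s = expand_key(key256)
    try:
        recover_master_key(round_key(s, 7), 28, 32)                  # one round key only
    except ValueError as err:
        print("AES-256, one round key :", err)
    both = round_key(s, 6) + round_key(s, 7)                         # two consecutive
    print("AES-256, two round keys:", recover_master_key(both, 24, 32) == key256)
```

The same backward step serves AES-192 (nk = 6, so six consecutive words, i.e. one and a half round keys). Note that the S-box is derived rather than typed in, so the block has no table to copy wrongly; the FIPS vector check in the demo confirms the derivation.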




From owner-ietf-openpgp@mail.imc.org  Sat May 31 05:26:39 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA27716
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 05:26:39 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V97OAF002847
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 02:07:24 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4V97Odm002846
	for ietf-openpgp-bks; Sat, 31 May 2003 02:07:24 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V97MAF002833
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 02:07:23 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19M2FL-0007Z4-00
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 11:01:51 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19M2J6-0000V6-00; Sat, 31 May 2003 11:05:44 +0200
To: John Wilkinson <jwilkinson@attbi.com>
Cc: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
	<sjmd6i1g0am.fsf@kikki.mit.edu>
	<20030530204817.A10092308@exeter.ac.uk>
	<sjmof1k8axx.fsf@kikki.mit.edu>
	<20030530223523.A10309793@exeter.ac.uk> <3ED7EDD2.4050105@attbi.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
X-FSFE-Info:  http://fsfeurope.org
Date: Sat, 31 May 2003 11:05:44 +0200
In-Reply-To: <3ED7EDD2.4050105@attbi.com> (John Wilkinson's message of "Fri,
 30 May 2003 19:48:34 -0400")
Message-ID: <87r86f5vvb.fsf_-_@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Fri, 30 May 2003 19:48:34 -0400, John Wilkinson said:

> If the choice for standardization is between AES-128 and AES-256, and
> the sole criterion is algorithm strength, I would recommend AES-256,

It doesn't get you anything to double the length of the key if at the
same time you need to make tradeoffs in choosing the quality of the
random numbers.  Entropy is a scarce resource and one should take
care what to spend it on.

I am sure that the strength of any OpenPGP algorithm is far away from
being the weakest link in an OpenPGP cryptosystem.  The probability of
bugs in the software is much higher than any weakness in an algorithm.
That is what a cryptoplumber should take care about, unless the
marketing department gets involved ;-)


Shalom-Salam,

   Werner


-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi



From owner-ietf-openpgp@mail.imc.org  Sat May 31 09:27:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA01441
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 09:27:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VD7rAF020906
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 06:07:53 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VD7rWn020905
	for ietf-openpgp-bks; Sat, 31 May 2003 06:07:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VD7pAF020899
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 06:07:52 -0700 (PDT)
	(envelope-from bmoe@cdc.informatik.tu-darmstadt.de)
Received: from localhost (cdc-info [130.83.23.100])
	by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP
	id BE33D2C99; Sat, 31 May 2003 15:07:50 +0200 (MET DST)
Received: id <m19M67W-000QdtC@epsilon>; Sat, 31 May 2003 15:10:02 +0200 (CEST) 
Message-Id: <m19M67W-000QdtC@epsilon>
Date: Sat, 31 May 2003 15:10:02 +0200 (CEST)
From: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
In-Reply-To: <87r86f5vvb.fsf_-_@alberti.g10code.de>
References: <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


Werner Koch <wk@gnupg.org>:
> On Fri, 30 May 2003 19:48:34 -0400, John Wilkinson said:

>> If the choice for standardization is between AES-128 and AES-256, and
>> the sole criterion is algorithm strength, I would recommend AES-256,

> It doesn't get you anything to double the length of the key if at the
> same time you need to make tradeoffs in choosing the quality of the
> random numbers.  Entropy is a scarce resource and one should take
> care what to spend it on.

This is not quite true.  If you have N bits of unpredictable entropy
and feed this and some "random" but predictable data into an
appropriate hash function to generate a 2N-bit key, then this will
provide more security against brute force and quantum brute force
attacks than directly using a cipher with N-bit keys.  (Not much more
security, but some: a brute force attack against the cipher with N-bit
keys can directly cover all of the keyspace; for the attack against
the 2N-bit cipher, the hash preprocessing step has to be included into
the brute-force design, which will slow down the attack.)

Also if one of the ciphers is slower than the other, it is a bit more
secure (literally a bit if it runs at half the speed).

Of course arguably 128 bits are by far enough so that you don't really
have to worry about anything of this -- unless you think that quantum
attacks might become realistic.


-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036


From owner-ietf-openpgp@mail.imc.org  Sat May 31 09:55:36 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA01819
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 09:55:36 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VDZdAF021976
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 06:35:39 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VDZdx9021975
	for ietf-openpgp-bks; Sat, 31 May 2003 06:35:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VDZcAF021969
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 06:35:38 -0700 (PDT)
	(envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87])
          by attbi.com (rwcrmhc51) with SMTP
          id <20030531133533051002628ve>; Sat, 31 May 2003 13:35:34 +0000
Message-ID: <3ED8AFA1.5010304@attbi.com>
Date: Sat, 31 May 2003 09:35:29 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
References: <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de> <m19M67W-000QdtC@epsilon>
In-Reply-To: <m19M67W-000QdtC@epsilon>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Bodo Moeller wrote:

>Of course arguably 128 bits are by far enough so that you don't really
>have to worry about anything of this -- unless you think that quantum
>attacks might become realistic.
>

I think that we are all in violent agreement that 128-bit key lengths 
are likely sufficient, and that both AES-128 and AES-256 are likely to 
be the strongest link in the OpenPGP chain. I was only trying to refute 
the argument that AES-128 is likely to be stronger than AES-256; this 
isn't a persuasive argument. The answer to the question, "why not use 
AES-256," is, "because AES-128 is sufficient," *not*, "because AES-128 
is stronger." However, since this question comes up *so* frequently, I 
am tempted to concur with Ross Anderson and argue that we should simply 
always use AES-256.

WRT Werner's comment, I agree that gathering entropy is a problem. 
However, a known problem with many entropy gathering daemons is that 
they overestimate the entropy they have gathered. Ross Anderson makes 
the argument, and I agree, that using a 256-bit key allows the user to 
hope that if the EGD overestimates entropy by a factor of two, then one 
still has 128 bits of entropy in his 256-bit key. This is obviously a 
hack, and the preferred solution would be to fix the EGD.

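The two points argued in the preceding messages, Bodo Moeller's (hash N bits of unpredictable entropy together with predictable data into a 2N-bit key) and John Wilkinson's (a 256-bit key leaves 128 bits of real strength if the EGD overestimates its entropy by a factor of two), as an added worked example. This is illustration code written for this archive page, not code from any list participant or from GnuPG/PGP; the counter-mode SHA-256 stretching, the function names and the sample pool values are assumptions of the example. It shows what the hash can and cannot do: it can spread N bits of entropy over a longer key and force an attacker to include the hash in every trial, but it cannot raise the strength above the entropy that actually went in.

```python
import hashlib

# Constructed example for the AES-256 vs AES-128 thread; not code from the
# thread's authors or from any OpenPGP implementation.

def derive_key(entropy_pool: bytes, predictable: bytes, key_bits: int) -> bytes:
    """Stretch an entropy pool plus predictable context into a key_bits-bit key.

    SHA-256 stands in for Moeller's "appropriate hash function". Output longer
    than one digest is produced by hashing a running counter in front of the
    inputs (an assumption of this example, not a scheme from the thread).
    """
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key_bits must be a positive whole number of bytes")
    out = b""
    counter = 0
    while len(out) * 8 < key_bits:
        h = hashlib.sha256()
        h.update(counter.to_bytes(4, "big"))
        h.update(entropy_pool)
        h.update(predictable)   # e.g. timestamp, PID: known to the attacker
        out += h.digest()
        counter += 1
    return out[: key_bits // 8]


def effective_strength_bits(key_bits: int,
                            claimed_entropy_bits: int,
                            overestimate_factor: float = 1.0) -> int:
    """Bits of brute-force work faced by an attacker who knows the predictable data.

    Hashing cannot manufacture entropy: strength is bounded by the entropy
    that really went in (the daemon's claim divided by the factor by which it
    overestimates) and by the key length itself. This is the arithmetic behind
    Wilkinson's "128 bits left in a 256-bit key" argument.
    """
    if overestimate_factor < 1.0:
        raise ValueError("a daemon cannot underestimate its way past the key size")
    real_entropy = int(claimed_entropy_bits / overestimate_factor)
    return min(key_bits, real_entropy)


def trial_cost_units(uses_hash_step: bool, hash_cost: int = 4, cipher_cost: int = 1) -> int:
    """Relative cost of one brute-force trial.

    Against a cipher keyed directly from the pool the attacker runs one cipher
    operation per candidate; against the hashed 2N-bit key every candidate also
    pays for the hash. The unit costs are illustrative assumptions only.
    """
    return cipher_cost + (hash_cost if uses_hash_step else 0)


if __name__ == "__main__":
    # Constructed sample inputs: a 128-bit pool and some predictable context.
    pool = bytes(range(16))
    context = b"2003-05-31T15:10:02 pid=4242"
    k256 = derive_key(pool, context, 256)
    print("256-bit key from 128-bit pool:", k256.hex())
    print("strength if EGD honest:", effective_strength_bits(256, 128))
    print("strength if EGD overestimates 2x, 256-bit key:",
          effective_strength_bits(256, 256, 2.0))
    print("strength if EGD overestimates 2x, 128-bit key:",
          effective_strength_bits(128, 128, 2.0))
```

The usage block makes the trade-off visible: with an honest daemon both keys are worth 128 bits, and the longer key only buys the per-trial hash cost Moeller describes; with a daemon that overestimates by two, the 256-bit key keeps 128 bits while the 128-bit key drops to 64.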



From owner-ietf-openpgp@mail.imc.org  Sat May 31 11:56:58 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA04970
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 11:56:57 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VFd3AF031590
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 08:39:03 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VFd3gf031589
	for ietf-openpgp-bks; Sat, 31 May 2003 08:39:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VFd2AF031584
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 08:39:02 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from systemics.com (guderian.cryptohill.net [24.244.145.14])
	by mx1.cryptohill.net (Postfix) with ESMTP
	id 86C331C8F1; Sat, 31 May 2003 11:39:02 -0400 (EDT)
Message-ID: <3ED8CB66.132389DC@systemics.com>
Date: Sat, 31 May 2003 11:33:58 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
References: <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de> <m19M67W-000QdtC@epsilon> <3ED8AFA1.5010304@attbi.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


I think it's pretty clear that both AES versions
should stay in OpenPGP.  Until the market reaches
some sort of consensus that an algorithm is dead,
discussions on the relative strengths argument would
appear not to be directly relevant to OpenPGP's
standardisation efforts?

-- 
iang


From owner-ietf-openpgp@mail.imc.org  Sat May 31 17:42:56 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA10353
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 17:42:55 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VLIrAF047012
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 14:18:53 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VLIrN2047011
	for ietf-openpgp-bks; Sat, 31 May 2003 14:18:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from rwcrmhc11.attbi.com (rwcrmhc11.attbi.com [204.127.198.35])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VLIpAF046977
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 14:18:51 -0700 (PDT)
	(envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87](misconfigured sender))
          by attbi.com (rwcrmhc11) with SMTP
          id <2003053121184801300smdbee>; Sat, 31 May 2003 21:18:48 +0000
Message-ID: <3ED91C35.6070807@attbi.com>
Date: Sat, 31 May 2003 17:18:45 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
References: <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de> <m19M67W-000QdtC@epsilon> <3ED8AFA1.5010304@attbi.com> <3ED8CB66.132389DC@systemics.com>
In-Reply-To: <3ED8CB66.132389DC@systemics.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Ian Grigg wrote:

>I think it's pretty clear that both AES versions
>should stay in OpenPGP.  Until the market reaches
>some sort of consensus that an algorithm is dead,
>discussions on the relative strengths argument would
>appear not to be directly relevant to OpenPGP's
>standardisation efforts?
>
Agreed. As long as the MUST have cipher is 3DES, we have no problems. 
When and if (hopefully never) OpenPGP chooses to deprecate 3DES in favor 
of some other cipher, be prepared for a battle...





From owner-ietf-openpgp@mail.imc.org  Sat May 31 18:47:07 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12968
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 18:47:06 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VMPiAF050409
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 15:25:44 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VMPi2E050408
	for ietf-openpgp-bks; Sat, 31 May 2003 15:25:44 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VMPhAF050403
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 15:25:43 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Sat, 31 May 2003 15:25:38 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Sat, 31 May 2003 15:25:41 -0700
Subject: Re: AES-256 vs AES-128
From: Jon Callas <jon@callas.org>
To: <iang@systemics.com>
CC: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFE79F5.800113C8%jon@callas.org>
In-Reply-To: <3ED8CB66.132389DC@systemics.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/31/03 8:33 AM, "Ian Grigg" <iang@systemics.com> wrote:

> 
> I think it's pretty clear that both AES versions
> should stay in OpenPGP.  Until the market reaches
> some sort of consensus that an algorithm is dead,
> discussions on the relative strengths argument would
> appear not to be directly relevant to OpenPGP's
> standardisation efforts?

Just to note, OpenPGP has 3 key sizes for AES. I'd be happy to drop the 192
one for simplicity's sake.

    Jon



From owner-ietf-openpgp@mail.imc.org  Sat May 31 19:11:11 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA13309
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 19:11:11 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VMu4AF051021
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 15:56:04 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VMu4GA051020
	for ietf-openpgp-bks; Sat, 31 May 2003 15:56:04 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VMu1AF051013
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 15:56:02 -0700 (PDT)
	(envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101])
	by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h4VMpO3j026662;
	Sat, 31 May 2003 18:51:24 -0400
Received: from berkshire.research.att.com (guard.research.att.com [135.207.1.20])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h4VMtvV09268;
	Sat, 31 May 2003 18:55:58 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1])
	by berkshire.research.att.com (Postfix) with ESMTP
	id B5B9D7B4D; Sat, 31 May 2003 18:55:56 -0400 (EDT)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: John Wilkinson <jwilkinson@attbi.com>
Cc: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 31 May 2003 18:55:56 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030531225556.B5B9D7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


In message <3ED91C35.6070807@attbi.com>, John Wilkinson writes:
>
>Ian Grigg wrote:
>
>>I think it's pretty clear that both AES versions
>>should stay in OpenPGP.  Until the market reaches
>>some sort of consensus that an algorithm is dead,
>>discussions on the relative strengths argument would
>>appear not to be directly relevant to OpenPGP's
>>standardisation efforts?
>>
>Agreed. As long as the MUST have cipher is 3DES, we have no problems. 
>When and if (hopefully never) OpenPGP chooses to deprecate 3DES in favor 
>of some other cipher, be prepared for a battle...
>
>
>
AD hat on...  I would be unhappy if AES -- pick your key size -- were a 
SHOULD instead of a MUST.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




From owner-ietf-openpgp@mail.imc.org  Sat May 31 19:30:38 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA13698
	for <openpgp-archive@lists.ietf.org>; Sat, 31 May 2003 19:30:38 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VN8tAF051370
	for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 16:08:55 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h4VN8ta4051369
	for ietf-openpgp-bks; Sat, 31 May 2003 16:08:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VN8sAF051362
	for <ietf-openpgp@imc.org>; Sat, 31 May 2003 16:08:54 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h4VN8pR13579
	for ietf-openpgp@imc.org; Sat, 31 May 2003 19:08:51 -0400
Date: Sat, 31 May 2003 19:08:51 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: AES-256 vs AES-128
Message-ID: <20030531230851.GD7036@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <3ED8CB66.132389DC@systemics.com> <BAFE79F5.800113C8%jon@callas.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <BAFE79F5.800113C8%jon@callas.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is New
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, May 31, 2003 at 03:25:41PM -0700, Jon Callas wrote:
> 
> On 5/31/03 8:33 AM, "Ian Grigg" <iang@systemics.com> wrote:
> 
> > 
> > I think it's pretty clear that both AES versions
> > should stay in OpenPGP.  Until the market reaches
> > some sort of consensus that an algorithm is dead,
> > discussions on the relative strengths argument would
> > appear not to be directly relevant to OpenPGP's
> > standardisation efforts?
> 
> Just to note, OpenPGP has 3 key sizes for AES. I'd be happy to drop the 192
> one for simplicity's sake.

Please do not do this.  This can cause interoperability problems since
AES192 is already widely deployed and widely included in cipher
preference lists.

PGP 7 and 8 create keys with cipher preferences including "AES256,
AES192, AES128" in that order.  If AES192 is dropped, then the owner
of such a key will not be able to communicate with an implementation
that predates 2440bis and doesn't support AES256.

A somewhat contrived example, to be sure.  Still, I was and continue
to be in favor of trimming the hash and cipher algorithms, but it
seems bad form to remove a cipher that is already included in
countless cipher preference lists.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+2TYD4mZch0nhy8kRAmoaAJ4p0eh0ZPkEdjqsuSqzpRFqQqAE8wCfUSDH
hHMomeDoCTFIVhR3eKX/au8=
=3vuV
-----END PGP SIGNATURE-----

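The interoperability scenario David Shaw describes above, as an added worked example of OpenPGP symmetric-cipher preference selection. This is illustration code written for this archive page, not code from the thread's authors or from GnuPG/PGP; the preference lists are constructed sample data in the "AES256, AES192, AES128" order he quotes for PGP 7 and 8, and the function names are this example's own. It applies the RFC 2440 rule that a sender walks the recipient's list in order, that TripleDES is tacitly at the end of every list, and that with several recipients only ciphers common to all lists are eligible; it then shows why a stale preference list on a key can make a sender pick a cipher the key owner's newer software no longer implements.

```python
from typing import Iterable, List, Sequence, Tuple

# Constructed example for the AES-256 vs AES-128 thread; not code from the
# thread's authors or from any OpenPGP implementation.

MUST_IMPLEMENT = "3DES"  # the MUST cipher; tacitly last in every preference list

# Sample self-signature preference list in the order PGP 7/8 are said to emit.
PGP7_KEY_PREFS: List[str] = ["AES256", "AES192", "AES128", "CAST5"]


def with_tacit_3des(prefs: Sequence[str]) -> List[str]:
    """Append the MUST cipher if the key owner did not list it explicitly."""
    prefs = list(prefs)
    return prefs if MUST_IMPLEMENT in prefs else prefs + [MUST_IMPLEMENT]


def choose_cipher(recipient_prefs: Iterable[Sequence[str]],
                  sender_supported: Iterable[str]) -> str:
    """Pick the symmetric cipher a sender uses for one or more recipients.

    Walks the first recipient's list in order and returns the first cipher that
    every recipient lists (explicitly or tacitly) and that the sender
    implements. Because 3DES is in every list and every implementation, the
    walk always terminates with a choice.
    """
    lists = [with_tacit_3des(p) for p in recipient_prefs]
    if not lists:
        raise ValueError("at least one recipient is required")
    supported = set(sender_supported) | {MUST_IMPLEMENT}
    common = set(lists[0])
    for prefs in lists[1:]:
        common &= set(prefs)
    for cipher in lists[0]:
        if cipher in common and cipher in supported:
            return cipher
    return MUST_IMPLEMENT  # not reachable: 3DES is common and supported


def negotiate(key_prefs: Sequence[str],
              sender_supported: Iterable[str],
              owner_impl_supported: Iterable[str]) -> Tuple[str, bool]:
    """Return (cipher the sender picks, whether the key owner's software can decrypt).

    The preference list travels with the key, so it can outlive the
    implementation that wrote it: that gap is what the second value exposes.
    """
    cipher = choose_cipher([key_prefs], sender_supported)
    decryptable = cipher in (set(owner_impl_supported) | {MUST_IMPLEMENT})
    return cipher, decryptable


def without(prefs: Sequence[str], dropped: str) -> List[str]:
    """Preference list with one cipher removed (what deprecating AES192 would do)."""
    return [c for c in prefs if c != dropped]


if __name__ == "__main__":
    # An implementation that predates 2440bis: AES192 and AES128, no AES256.
    old_sender = {"AES192", "AES128", "CAST5"}
    # The key owner before and after upgrading to a 2440bis that dropped AES192.
    owner_before = {"AES256", "AES192", "AES128", "CAST5"}
    owner_after = {"AES256", "AES128", "CAST5"}
    print("old sender, owner on old software:", negotiate(PGP7_KEY_PREFS, old_sender, owner_before))
    print("old sender, owner on AES192-less software:", negotiate(PGP7_KEY_PREFS, old_sender, owner_after))
    print("same, after the key's prefs are re-signed:",
          negotiate(without(PGP7_KEY_PREFS, "AES192"), old_sender, owner_after))
```

The second call is Shaw's case: the sender honours the key's stored list and picks AES192, so the message is encrypted with a cipher the owner's newer software no longer has. The third call shows the repair that would be needed, re-signing the key with AES192 removed, after which the old sender falls through to AES128 and the two sides interoperate again.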


Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VDZcAF021969 for <ietf-openpgp@imc.org>; Sat, 31 May 2003 06:35:38 -0700 (PDT) (envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87]) by attbi.com (rwcrmhc51) with SMTP id <20030531133533051002628ve>; Sat, 31 May 2003 13:35:34 +0000
Message-ID: <3ED8AFA1.5010304@attbi.com>
Date: Sat, 31 May 2003 09:35:29 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
References: <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de> <m19M67W-000QdtC@epsilon>
In-Reply-To: <m19M67W-000QdtC@epsilon>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Bodo Moeller wrote:

>Of course arguably 128 bits are by far enough so that you don't really
>have to worry about anything of this -- unless you think that quantum
>attacks might become realistic.
>

I think that we are all in violent agreement that 128-bit key lengths 
are likely sufficient, and that both AES-128 and AES-256 are likely to 
be the strongest link in the OpenPGP chain. I was only trying to refute 
the argument that AES-128 is likely to be stronger than AES-256; this 
isn't a persuasive argument. The answer to the question, "why not use 
AES-256," is, "because AES-128 is sufficient," *not*, "because AES-128 
is stronger." However, since this question comes up *so* frequently, I 
am tempted to concur with Ross Anderson and argue that we should simply 
always use AES-256.

WRT Werner's comment, I agree that gathering entropy is a problem. 
However, a known problem with many entropy gathering daemons is that 
they overestimate the entropy they have gathered. Ross Anderson makes 
the argument, and I agree, that using a 256-bit key allows the user to 
hope that if the EGD overestimates entropy by a factor of two, then one 
still has 128 bits of entropy in his 256-bit key. This is obviously a 
hack, and the preferred solution would be to fix the EGD.




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VD7rAF020906 for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 06:07:53 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4VD7rWn020905 for ietf-openpgp-bks; Sat, 31 May 2003 06:07:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4VD7pAF020899 for <ietf-openpgp@imc.org>; Sat, 31 May 2003 06:07:52 -0700 (PDT) (envelope-from bmoe@cdc.informatik.tu-darmstadt.de)
Received: from localhost (cdc-info [130.83.23.100]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with SMTP id BE33D2C99; Sat, 31 May 2003 15:07:50 +0200 (MET DST)
Received: id <m19M67W-000QdtC@epsilon>; Sat, 31 May 2003 15:10:02 +0200 (CEST) 
Message-Id: <m19M67W-000QdtC@epsilon>
Date: Sat, 31 May 2003 15:10:02 +0200 (CEST)
From: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
In-Reply-To: <87r86f5vvb.fsf_-_@alberti.g10code.de>
References: <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Werner Koch <wk@gnupg.org>:
> On Fri, 30 May 2003 19:48:34 -0400, John Wilkinson said:

>> If the choice for standardization is between AES-128 and AES-256, and
>> the sole criterion is algorithm strength, I would recommend AES-256,

> It doesn't get you anything to double the length of the key if at the
> same time you need to make tradeoffs in choosing the quality of the
> random numbers.  Entropy is a scarce resource and one should take
> care what to spend it on.

This is not quite true.  If you have N bits of unpredictable entropy
and feed this and some "random" but predictable data into an
appropriate hash function to generate a 2N-bit key, then this will
provide more security against brute force and quantum brute force
attacks than directly using a cipher with N-bit keys.  (Not much more
security, but some: a brute force attack against the cipher with N-bit
keys can directly cover all of the keyspace; for the attack against
the 2N-bit cipher, the hash preprocessing step has to be included into
the brute-force design, which will slow down the attack.)

Also if one of the ciphers is slower than the other, it is a bit more
secure (literally a bit if it runs at half the speed).

Of course arguably 128 bits are by far enough so that you don't really
have to worry about anything of this -- unless you think that quantum
attacks might become realistic.


-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V97OAF002847 for <ietf-openpgp-bks@above.proper.com>; Sat, 31 May 2003 02:07:24 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4V97Odm002846 for ietf-openpgp-bks; Sat, 31 May 2003 02:07:24 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V97MAF002833 for <ietf-openpgp@imc.org>; Sat, 31 May 2003 02:07:23 -0700 (PDT) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian)) id 19M2FL-0007Z4-00 for <ietf-openpgp@imc.org>; Sat, 31 May 2003 11:01:51 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian)) id 19M2J6-0000V6-00; Sat, 31 May 2003 11:05:44 +0200
To: John Wilkinson <jwilkinson@attbi.com>
Cc: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu> <20030530223523.A10309793@exeter.ac.uk> <3ED7EDD2.4050105@attbi.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
X-FSFE-Info:  http://fsfeurope.org
Date: Sat, 31 May 2003 11:05:44 +0200
In-Reply-To: <3ED7EDD2.4050105@attbi.com> (John Wilkinson's message of "Fri, 30 May 2003 19:48:34 -0400")
Message-ID: <87r86f5vvb.fsf_-_@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Fri, 30 May 2003 19:48:34 -0400, John Wilkinson said:

> If the choice for standardization is between AES-128 and AES-256, and
> the sole criterion is algorithm strength, I would recommend AES-256,

It doesn't get you anything to double the length of the key if at the
same time you need to make tradeoffs in choosing the quality of the
random numbers.  Entropy is a scarce resource and one should take
care what to spend it on.

I am sure that the strength of any OpenPGP algorithm is far away from
being the weakest link in an OpenPGP cryptosystem.  The probability of
bugs in the software is much higher than any weakness in an algorithm.
That is what a cryptoplumber should take care about, unless the
marketing department gets involved ;-)


Shalom-Salam,

   Werner


-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V2B3AF062362 for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 19:11:03 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4V2B3bd062361 for ietf-openpgp-bks; Fri, 30 May 2003 19:11:03 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V2B1AF062352 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 19:11:02 -0700 (PDT) (envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87]) by attbi.com (sccrmhc01) with SMTP id <2003053102105900100hrqrie>; Sat, 31 May 2003 02:10:59 +0000
Message-ID: <3ED80F2F.50105@attbi.com>
Date: Fri, 30 May 2003 22:10:55 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
References: <20030531004635.46C3E7B4D@berkshire.research.att.com>
In-Reply-To: <20030531004635.46C3E7B4D@berkshire.research.att.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Steve, I appreciate your comments, and while I acknowledge that the 
differing key schedules between AES-128 and AES-256 could, in theory, 
make AES-256 weaker than AES-128, IMHO, the reverse is more likely true. 
It bears repeating that I don't think it makes much difference, since, 
in practice, both are likely to remain unbroken for at least a few decades.

If one recovers a single round key from AES-128, one can calculate all 
the other round keys, and the primary key. This is by design, to 
conserve on memory, since the expanded key does not need to be stored. 
With AES-256, one has to recover two (consecutive?) round keys to 
recover the other round keys or the primary key. So, I respectfully 
disagree that AES-256 suffers from the problem of trying to spread 
"twice as many bits over less than twice as many operations."




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V1WuAF061592 for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 18:32:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4V1WtJC061591 for ietf-openpgp-bks; Fri, 30 May 2003 18:32:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V1WsAF061585 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 18:32:55 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h4V1Wq511233 for ietf-openpgp@imc.org; Fri, 30 May 2003 21:32:52 -0400
Date: Fri, 30 May 2003 21:32:52 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030531013251.GB9855@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmof1k8axx.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is New
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> 
> I beg to differ, but extra rounds do not necessarily improve
> the security.  You still have a 2^128 brute-force attack
> against the cipher if you use a 128-bit key.  It doesn't matter
> what happens to the other bits.
> 
> Regardless, I believe that AES-128 has had significantly more
> peer review than the larger elements, and "bigger is not necessarily
> better".  As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.
> 
> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Just to clarify what I thought I was reading: are you suggesting that
AES-256 (and presumably AES-192) be dropped from OpenPGP, or is that
just a general comment?

I was in favor of dropping TIGER, MD2, SAFER, etc, but AES-192 and 256
are already widely implemented and deployed (PGP 7 and later, GnuPG
1.0.4 and later).  Removing those two ciphers now would cause pretty
serious interoperability problems.

Perhaps I misunderstood your thrust, in which case, my apologies.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+2AZD4mZch0nhy8kRAuxFAJ9W2XXEbJVO7VEYerXJsK9FtwunWQCgmkG7
EnaQn5QSpZoVLZjja6He7HQ=
=aEtu
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0qsAF060855 for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 17:52:54 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4V0qs8d060854 for ietf-openpgp-bks; Fri, 30 May 2003 17:52:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from blue.h2np.net (blue.h2np.net [210.145.219.253]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0qqAF060849 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 17:52:52 -0700 (PDT) (envelope-from hironobu@mail.h2np.net)
Received: from mail.h2np.net (hironobu@pc [192.168.1.10]) by blue.h2np.net (8.11.6/8.11.6) with ESMTP id h4V0qrX26514 for <ietf-openpgp@imc.org>; Sat, 31 May 2003 09:52:53 +0900
Message-Id: <200305310052.h4V0qrX26514@blue.h2np.net>
From: Hironobu SUZUKI <hironobu@h2np.net>
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes) 
In-reply-to: Your message of "Fri, 30 May 2003 19:48:34 -0400." <3ED7EDD2.4050105@attbi.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Date: Sat, 31 May 2003 09:52:53 +0900
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I really think AES-128 is safe against brute-force attack in the next
decade, but that is not enough.

First of all, I have to say that I am paranoid ;-)

In PGP, TLS and other so-called PKC applications, the symmetric cipher
algorithm will be used with a secret key exchange protocol.  There is
a possibility that the key space of the symmetric cipher shrinks if
the key exchange protocol has a flaw.

The symmetric cipher is good, and the PKC cipher is good also.  But if
the protocol has a flaw, then the security margin would be shrunk.

What if 50% of the key space (128 -> 64, 256 -> 128) is corrupted?  A
64-bit key size does not survive.

I never ignore AES-256 because it becomes a sort of "insurance" when
the worst case of a protocol problem happens.

Regards,

-- 
Hironobu SUZUKI
E-Mail: hironobu@h2np.net
URL: http://h2np.net



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0keAF060742 for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 17:46:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4V0keAa060741 for ietf-openpgp-bks; Fri, 30 May 2003 17:46:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4V0kdAF060735 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 17:46:39 -0700 (PDT) (envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101]) by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h4V0g53j019431 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 20:42:05 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32]) by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h4V0kaV00531 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 20:46:36 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1]) by berkshire.research.att.com (Postfix) with ESMTP id 46C3E7B4D for <ietf-openpgp@imc.org>; Fri, 30 May 2003 20:46:35 -0400 (EDT)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes) 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 30 May 2003 20:46:35 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030531004635.46C3E7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Although I'm not concerned about 128-bit keys being too short -- I 
don't think there will *ever* be a brute-force attack on 128 bits -- 
there are some points to think about.  In Rich Schroeppel's comments on 
AES (see http://csrc.nist.gov/CryptoToolkit/aes/round2/comments/R2comments.txt)
he notes that

	Except for RC6 and perhaps Mars, all the ciphers have the property that
	recovering the expanded key will translate into recovering the primary
	key.  More seriously, the key schedules of Rijndael, and to some extent
	Serpent, allow an attacker who recovers (or guesses) some of the
	expanded key to compute additional bits of the expanded key.  Recall
	that both differential and linear attacks on DES benefited from
	replicated subkey bits -- as soon as an attack finds a few subkey bits,
	the game is over.

If the additional rounds for AES256 are not enough to properly mix in 
the extra key bits -- we're spreading twice as many bits over less than 
twice as many operations -- it might (repeat, *might*) make it easier 
to recover some key bits.

But -- no, I don't think that AES256 is less secure than AES128.  I 
also don't think it's needed.  Remember that if you're worried about 
O(2^128) attacks, you really need a much larger public key, too.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
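The key-schedule property Schroeppel describes above, and that John Wilkinson's reply spells out (one AES-128 round key gives back the master key, while AES-256 needs two consecutive round keys), as an added Python illustration that is not code from any poster: it implements the FIPS-197 key expansion and then runs the same recursion backwards. The 16-byte key is the FIPS-197 Appendix A test key; the 32-byte key is constructed for the demonstration.

```python
"""AES key-schedule invertibility (added illustration, not a poster's code).

w[i] = w[i-Nk] XOR g(w[i-1]) is the FIPS-197 expansion; solving for w[i-Nk]
lets anyone holding Nk consecutive expanded-key words walk back to w[0..Nk-1],
which is the master key.  For AES-128 one round key is Nk words; for AES-256
it takes two consecutive round keys.
"""
from __future__ import annotations


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(x: int) -> int:
    """Multiplicative inverse as x^254; 0 maps to 0 as FIPS-197 specifies."""
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result if x else 0


def _build_sbox() -> list:
    """S-box = affine transform of the field inverse (FIPS-197 section 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _g(i: int, prev: bytes, nk: int) -> bytes:
    """Per-word transform of w[i-1]: identity except at the Nk-word boundaries."""
    if i % nk == 0:
        rotated = prev[1:] + prev[:1]                      # RotWord
        subbed = bytes(SBOX[b] for b in rotated)           # SubWord
        return _xor(subbed, bytes([RCON[i // nk - 1], 0, 0, 0]))
    if nk > 6 and i % nk == 4:                             # extra SubWord, AES-256 only
        return bytes(SBOX[b] for b in prev)
    return prev


def expand_key(key: bytes) -> list:
    """FIPS-197 KeyExpansion: 4*(Nr+1) words of 4 bytes each."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        w.append(_xor(w[i - nk], _g(i, w[i - 1], nk)))
    return w


def round_key(words: list, r: int) -> bytes:
    """The 16-byte round key used by AddRoundKey in round r."""
    return b"".join(words[4 * r:4 * r + 4])


def recover_master_key(window: bytes, start: int, nk: int) -> bytes:
    """Run the schedule backwards from Nk consecutive words w[start..start+Nk-1].

    A single AES-128 round key is such a window (nk=4); for AES-256 (nk=8)
    the window must be two consecutive round keys, otherwise the recursion
    cannot start and a ValueError is raised.
    """
    if len(window) != 4 * nk:
        raise ValueError(f"need {nk} consecutive words, got {len(window) // 4}")
    w = {start + j: window[4 * j:4 * j + 4] for j in range(nk)}
    top = start + nk - 1
    # w[i-nk] = w[i] XOR g(w[i-1]); walking i downwards, w[i-1] is always known.
    for i in range(top, nk - 1, -1):
        w[i - nk] = _xor(w[i], _g(i, w[i - 1], nk))
    return b"".join(w[i] for i in range(nk))


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    w = expand_key(key)
    print("round 7 key  :", round_key(w, 7).hex())
    print("recovered key:", recover_master_key(round_key(w, 7), 28, 4).hex())
```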




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UNmjAF059695 for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 16:48:45 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4UNmjXx059694 for ietf-openpgp-bks; Fri, 30 May 2003 16:48:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sccrmhc01.attbi.com (sccrmhc01.attbi.com [204.127.202.61]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4UNmhAF059688 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 16:48:44 -0700 (PDT) (envelope-from jwilkinson@attbi.com)
Received: from attbi.com (h00065b1e430c.ne.client2.attbi.com[65.96.132.87]) by attbi.com (sccrmhc01) with SMTP id <2003053023484000100hrahje>; Fri, 30 May 2003 23:48:41 +0000
Message-ID: <3ED7EDD2.4050105@attbi.com>
Date: Fri, 30 May 2003 19:48:34 -0400
From: John Wilkinson <jwilkinson@attbi.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu> <20030530223523.A10309793@exeter.ac.uk>
In-Reply-To: <20030530223523.A10309793@exeter.ac.uk>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

With all due respect, Jon, I would like to see a quote from a recognized 
crypto expert who feels that AES-128 is "safer" than AES-256.

AES-256 may not be *more* secure than AES-128, and, as a practical 
matter, I don't think that it is. However, the addition of more rounds 
*cannot* make it weaker. The differences in the key schedule could 
theoretically make AES-256 weaker than AES-128, but there is no reason 
to believe this is the case, and there are good reasons to believe that 
the key schedule of AES-256 makes the cipher at least as strong as or 
stronger than AES-128. One should NEVER fix any bytes of the key to be 
zero, in order to use a 128-bit key with AES-256; this may not make the 
cipher vulnerable, if it is resistant to related-key attacks, but it is 
not good practice.

If the choice for standardization is between AES-128 and AES-256, and 
the sole criterion is algorithm strength, I would recommend AES-256, 
because it might be stronger, and there is very little chance that it is 
weaker. If, however, there are other reasons, such as compatibility with 
other deployed applications, speed or efficiency, there seems little to 
differentiate the two security-wise, and one should choose the more 
compatible/deployable one.

Of course, 3DES is still the most trusted block cipher of all, and there 
are really no security advantages to other ciphers (including AES) for 
encrypting less than 2^32 blocks (32 GB) of data. 3DES is the MUST 
implement algorithm, and this is appropriate given the widespread 
confidence in its design.

Since most security products are advertised on the basis of their 
security, and many uninformed users would instinctively prefer AES-256 
to AES-128 or 3DES, if we *must* migrate away from 3DES for some reason, 
it may be advisable to make AES-256 the "standard" algorithm, just to 
make these people happy, and avoid their switching to another 
application with better support for AES-256 or...<shudder>...2048-bit 
RC4. Of course, if ultimate algorithm confidence is the goal, I think a 
better use of our time would be moving to double-encryption of the 
message key with RSA-KEM and ACE-KEM, as recommended by the Nessie 
project. Come to think of it, a much better use of our time would be 
implementing a form of authenticated encryption. 3DES followed by 
HMAC-SHA1, anyone? :)





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4ULZSAF054153 for <ietf-openpgp-bks@above.proper.com>; Fri, 30 May 2003 14:35:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4ULZSGs054152 for ietf-openpgp-bks; Fri, 30 May 2003 14:35:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4ULZRAF054141 for <ietf-openpgp@imc.org>; Fri, 30 May 2003 14:35:27 -0700 (PDT) (envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 4.14) id 19LrX1-00VjjO-Ox; Fri, 30 May 2003 22:35:23 +0100
Date: Fri, 30 May 2003 22:35:23 +0100
From: Adam Back <adam@cypherspace.org>
To: Derek Atkins <derek@ihtfp.com>
Cc: ietf-openpgp@imc.org, Adam Back <adam@cypherspace.org>
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030530223523.A10309793@exeter.ac.uk>
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk> <sjmof1k8axx.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <sjmof1k8axx.fsf@kikki.mit.edu>; from derek@ihtfp.com on Fri, May 30, 2003 at 03:57:14PM -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Fri, May 30, 2003 at 03:57:14PM -0400, Derek Atkins wrote:
> You still have a 2^128 brute-force attack against the cipher if you
> use a 128-bit key.  It doesn't matter what happens to the other
> bits.

If the cipher retains 128 bits of security in both configurations
AES-128 and AES-256 with a 128 bit key then the security is equal.

But the point at which the security margin of the cipher becomes
interesting is when someone starts to make in-roads into reduced-round
variants, and starts to find attacks with work-factors sub-exponential
in the key-size.

> I beg to differ, but extra rounds do not necessarily improve
> the security.  

One common method of heuristically measuring the strength of a cipher
is to attack reduced-round variants, clearly indicating that fewer
rounds is less secure.

I take this to mean that practically more rounds IS more secure.

Consider that the cipher state goes through a state analogous to a
state it would go through in a reduced-round version on its way to
the longer-round version.  Unless the later rounds somehow _undo_ some
of the security provided by the earlier rounds it will not be less
secure.

Clearly the AES designers consider that more rounds add more security, or
AES-256 would not have more rounds than AES-128.

> As a security engineer you need to use prudence in
> choosing which tools to use in which situation.   Based on the
> state-of-the-art in 2003, and foreseeable for the next few years,
> I believe that AES-128 is sufficient for our needs.

Some people may need security beyond the "next few years".  I'd argue
for standardizing on AES-256.  The computational cost of a few extra
rounds is negligible.

> Adding additional ciphers will just decrease interoperability, which
> will reduce security because people won't use it.  "The perfect is
> the enemy of the good".  Let's get it out there, get it deployed,
> make it ubiquitous.  Until that happens, I don't feel we should
> be entertaining additional ciphers.

Having a smaller choice of options is generally a good thing I agree.

Adam


To: Adam Back <adam@cypherspace.org>
Cc: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>, Richard Laager <rlaager@wiktel.com>, ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu> <20030530204817.A10092308@exeter.ac.uk>
Date: 30 May 2003 15:57:14 -0400
In-Reply-To: <20030530204817.A10092308@exeter.ac.uk>
Message-ID: <sjmof1k8axx.fsf@kikki.mit.edu>
Lines: 45
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

I beg to differ, but extra rounds do not necessarily improve
the security.  You still have a 2^128 brute-force attack
against the cipher if you use a 128-bit key.  It doesn't matter
what happens to the other bits.

Regardless, I believe that AES-128 has had significantly more
peer review than the larger elements, and "bigger is not necessarily
better".  As a security engineer you need to use prudence in
choosing which tools to use in which situation.   Based on the
state-of-the-art in 2003, and foreseeable for the next few years,
I believe that AES-128 is sufficient for our needs.

Adding additional ciphers will just decrease interoperability, which
will reduce security because people won't use it.  "The perfect is
the enemy of the good".  Let's get it out there, get it deployed,
make it ubiquitous.  Until that happens, I don't feel we should
be entertaining additional ciphers.

-derek

Adam Back <adam@cypherspace.org> writes:

> On Thu, May 29, 2003 at 12:55:29PM -0400, Derek Atkins wrote:
> > "Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
> > > >>> In fact, there are those who feel safer with AES
> > > >>> at 128 than at 256.
> >
> > [...]
> > 
> > I certainly did not say "less secure", did I?  It's certainly
> > much SLOWER, and certainly is not MORE secure... 
> 
> Actually it may be more secure; AES-256 has more rounds to offer a
> more conservative security margin because the key is longer.  If half
> of the key is unused, the extra rounds can only help.
> 
> So it is either as strong (if AES-128 truly offers 128 bits of
> security), or stronger; but not "certainly is not MORE secure..."
> 
> Adam

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Date: Fri, 30 May 2003 20:48:17 +0100
From: Adam Back <adam@cypherspace.org>
To: Derek Atkins <derek@ihtfp.com>
Cc: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>, Richard Laager <rlaager@wiktel.com>, ietf-openpgp@imc.org
Subject: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030530204817.A10092308@exeter.ac.uk>
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org> <sjmd6i1g0am.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <sjmd6i1g0am.fsf@kikki.mit.edu>; from derek@ihtfp.com on Thu, May 29, 2003 at 12:55:29PM -0400

On Thu, May 29, 2003 at 12:55:29PM -0400, Derek Atkins wrote:
> "Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
> > >>> In fact, there are those who feel safer with AES
> > >>> at 128 than at 256.
>
> [...]
> 
> I certainly did not say "less secure", did I?  It's certainly
> much SLOWER, and certainly is not MORE secure... 

Actually it may be more secure; AES-256 has more rounds to offer a
more conservative security margin because the key is longer.  If half
of the key is unused, the extra rounds can only help.

So it is either as strong (if AES-128 truly offers 128 bits of
security), or stronger; but not "certainly is not MORE secure..."

Adam


User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 29 May 2003 18:55:43 -0700
Subject: Re: Use of the term "notarised signature"?
From: Jon Callas <jon@callas.org>
To: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFC082F.800111E7%jon@callas.org>
In-Reply-To: <3ED698AD.8B684152@systemics.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

On 5/29/03 4:33 PM, "Ian Grigg" <iang@systemics.com> wrote:
>  0x50: 3rd party confirmatory signature.

I used "Third-Party Confirmation Signature."

    Jon



User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 29 May 2003 18:50:42 -0700
Subject: Re: Suggested DER Prefixes
From: Jon Callas <jon@callas.org>
To: Richard Laager <rlaager@wiktel.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFC0702.800111E3%jon@callas.org>
In-Reply-To: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

On 5/29/03 7:44 AM, "Richard Laager" <rlaager@wiktel.com> wrote:

> Any particular reason(s)? Is there any merit to these reason(s)?

The main reason is that before the AES competition, no one ever built a
128-bit block, nor a 256-bit key. If there is a new way to analyze the
mixing of key, data, and blocksize, you would expect a design oops to show
up on the combination of more key and more blocksize.

Is there merit? What do you mean by merit?

The above concerns are reasonable. Otherwise sane security experts have said
these things. Do I share them myself? Not really. Do I think that even if
there's a weakness in AES-256, it will be *weaker* than AES-128? No.

However, on the other hand, I think that the instant leap to longer keys is
a sign of not understanding crypto. For example, I think that using Blowfish
with a 448 bit key is the sign of a crypto-duffer. There is *nothing* wrong
with a 128 bit key. Let's face it, whatever weakness there is in your system
will almost certainly *not* be in the cipher parts of the system. The cipher
system is the *strongest* part of the system, once you're at 128 bits.

Any OpenPGP-approved cipher is likely to be the strongest link of the chain
of whatever crypto system you're using. A chain is only as strong as its
weakest link, and people who fuss over ciphers are fussing about
strengthening the strongest parts. It's like putting a stronger lock on a door
that still has a hollow wood frame.

The odds are that for any given user, their passphrase is the weakest link
in their OpenPGP use. 128-bit keys are probably the strongest.

    Jon
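To put numbers on the weakest-link point above (and on the earlier question in this thread of what AES-256 buys when the key carries only 128 bits of entropy), here is an added example in Python. It is not code from the list or from any OpenPGP implementation. The character-class and word-list entropy estimators are constructed approximations, and the sample passphrases are made up; what the block shows is that an attacker's work factor is the smaller of the raw key size and the entropy behind the key, so a longer cipher key does nothing for a passphrase-derived key.

```python
import math
import string

# Constructed character classes for a crude passphrase-entropy estimate.
# This is an upper bound: it assumes each character is drawn uniformly from
# the union of the classes present, which human-chosen passphrases never are.
CHAR_CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy of a character passphrase: len * log2(pool size)."""
    if not passphrase:
        return 0.0
    pool = 0
    for chars, size in CHAR_CLASSES.values():
        if any(c in chars for c in passphrase):
            pool += size
    # Characters outside the known classes (e.g. non-ASCII) add one distinct
    # symbol each, a deliberately conservative count.
    known = frozenset().union(*(chars for chars, _ in CHAR_CLASSES.values()))
    pool += len({c for c in passphrase if c not in known})
    return len(passphrase) * math.log2(pool)


def wordlist_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase built from num_words picked uniformly at random
    from a list of list_size words (e.g. 4 Diceware words, list_size 7776)."""
    return num_words * math.log2(list_size)


def effective_strength_bits(key_bits: int, key_entropy_bits: float) -> float:
    """Log2 of the cheaper of two attacks: brute-forcing the raw cipher key
    (2**key_bits trials) or guessing the secret the key was derived from
    (2**key_entropy_bits trials). Key bits beyond the entropy buy nothing."""
    return min(float(key_bits), key_entropy_bits)


def weakest_link(key_bits: int, key_entropy_bits: float) -> dict:
    """Report which component bounds the attacker's work factor."""
    eff = effective_strength_bits(key_bits, key_entropy_bits)
    return {
        "key_bits": key_bits,
        "key_entropy_bits": round(key_entropy_bits, 1),
        "effective_bits": round(eff, 1),
        "weakest_link": "passphrase" if key_entropy_bits < key_bits else "cipher key",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not measurements of any real deployment.
    cases = [
        ("'Tr0ub4dor&3' (11 mixed chars)", passphrase_entropy_bits("Tr0ub4dor&3")),
        ("4 Diceware words", wordlist_entropy_bits(4, 7776)),
        ("128-bit random key, no passphrase", 128.0),
    ]
    for label, ent in cases:
        for key_bits in (128, 256):
            print(f"{label:36s} AES-{key_bits}: {weakest_link(key_bits, ent)}")
```

Run as a script it prints the same effective strength for AES-128 and AES-256 in the two passphrase cases (about 72 and 52 bits respectively), and only the randomly generated key reaches the cipher's own bound; the estimators deliberately over-count human-chosen passphrases, so real figures are lower still.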



Date: Thu, 29 May 2003 21:39:50 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: Derek Atkins <derek@ihtfp.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Use of the term "notarised signature"?
Message-ID: <20030530013950.GC2193@jabberwocky.com>
Mail-Followup-To: Derek Atkins <derek@ihtfp.com>, OpenPGP <ietf-openpgp@imc.org>
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com> <20030529185526.GA2193@jabberwocky.com> <sjmadd5coqh.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmadd5coqh.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (2% of Full)
User-Agent: Mutt/1.5.4i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 29, 2003 at 07:33:26PM -0400, Derek Atkins wrote:

> This is orthogonal to the issue of whether the OpenPGP Notarized
> Signature is useful to a "Notary" (in the legal sense).  Making
> something that is useful is a Good Thing (TM).  I'd rather make
> something useful than make something non-useful.  But not being
> a lawyer (or a Notary) I don't know what would be useful.

I did some research on this a while back.  One of the services that a
(U.S.) notary provides is "acknowledgment", which to my non-notary eye
looked reasonably close to what we're talking about here.  This is the
notary taking note that a document was signed, and documenting the
fact that notice was taken.  The contents of the document are
generally irrelevant here: just that it was signed and the signer
requested a notary to note that fact (and presumably witness the
making of the signature).  The main difference between an
acknowledgment and this is that generally an acknowledgment contains
the statement that the original signer signed the document by his/her
own free will.

When I asked a lawyer and notary friend about it, she said that the
match I had imagined wasn't so good.  In general, real life notary
functions are far more concerned with identification of the signer
than they are about the immutability of the signed document or
signature itself.  Could the building blocks (signature, notary
signature) we have in OpenPGP be usable to a real notary?  Maybe - but
a number of underlying laws and/or assumptions and/or infrastructure
would have to change first.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+1rZm4mZch0nhy8kRAmOPAKDPaSURwmfq3jTUVzRd4gT0eORlJQCdHGIW
+eUBO9U+Z86MOqrffPxbGo4=
=yW3n
-----END PGP SIGNATURE-----


Date: Fri, 30 May 2003 12:40:21 +1200
Message-Id: <200305300040.h4U0eLr17611@medusa01.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: derek@ihtfp.com, jeroen@vangelderen.org
Subject: Re: Suggested DER Prefixes
Cc: ietf-openpgp@imc.org, rlaager@wiktel.com

Derek Atkins <derek@ihtfp.com> writes:
>"Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
>>Hmm... if I read you correctly that would imply that AES-256 with a
>>key containing 128 bits of entropy is less secure than AES-128 with a
>>key containing 128 bits of entropy. Do you know of a document where
>>this would be explained?
>
>I certainly did not say "less secure", did I?  It's certainly much SLOWER,

"very slightly slower", although given people's obsession with speed at any
cost I guess it'd be safe to say "unacceptably (to the user) slower".

Peter.



Message-ID: <3ED698AD.8B684152@systemics.com>
Date: Thu, 29 May 2003 19:33:02 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: David Shaw <dshaw@jabberwocky.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Use of the term "notarised signature"?
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com> <20030529185526.GA2193@jabberwocky.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

David Shaw wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
> >
> > When the word "notarised signature" is used, is this
> > a term that has been tested against the legal meaning
> > of the words?
> >
> > Specifically, the term has quite different significances
> > under civil code and common law.  In the civil code, a
> > notary is a very important person, perhaps more significant
> > than an attorney.  He or she has to study for 6 years to
> > obtain their qualification, and it is a tightly constrained
> > field (at least in the country I'm mildly familiar with).
> 
> The term "notary signature" should not imply any legal meaning
> whatsoever.  As you point out, it means different things to different
> people in different places.
> 
> I can't imagine the terminology is a problem.  After all, the terms
> "signature", and "certification" mean different things in different
> legal jurisdictions as well, and PGP has been using those terms for
> over a decade.


Right.  That precisely is the issue, in that it
has been observed that the misuse of the word
'signature' by the cryptographic community has
contributed to the mess that is CAs and PKIs...

People have understood that digital signatures
imply legal signatures in some hand waving sense.
People have therefore tried to build systems to
use digital signatures to replace other forms,
generally with little success.

So, I guess what I'm saying is this:  If one
subscribes to the view that a bug in "digital
signatures" is the word "signature", then
perhaps we should not compound that bug by
expanding the term to "notarised signature".

If so, then what in cryptographic terms is
that new form of signature?  As far as I can
see it is a 3rd party signature over a sig:


   0x50: Notary signature.
       This signature is a signature over some other OpenPGP signature
       packet. It is a notary seal on the signed data. ...

I'd suggest something like:

   0x50: 3rd party confirmatory signature.
       This signature is a signature over some other OpenPGP signature
       packet. It provides a mechanism for a 3rd party to confirm the
       first signature over the signed data, and is analogous to a
       notary seal. ...

Except that is a little clumsy.

(also 5.2.3.25.)

> > If not, as a minimum, it might be a good idea to add
> > a statement that the use of the term is not meant to
> > draw from the legal definition(s) of same.
> 
> I'm okay with this if the WG thinks it is necessary, though if we're
> going to go down that route, it would probably be simpler to put a
> single sentence in the introduction disclaiming any legal standing for
> terminology used in the whole document than it would be to add
> specific notes to the notary section.

Sure.  I'm not wedded to the change myself,
I'm just much more sensitive to the legal
system having been recently squeezed through
the mill (and, PGP signatures played a small
part in that ;-)

My perspective comes down to:  "how can we
reduce costs in future disputes?"

The issue with the current text would be
that some poor muggins might have to go
through a court case explaining why the
phrase

    "It is a notary seal on the signed data."

does not imply that it is a notary seal on
the signed data, and the person who signed
it is not fraudulently purporting to be a
notary.

As the text is quite explicit as to what
it is (normally a laudable objective!),
and as the program (optimistically)
conforms to the RFC, then he has a bit
of a battle making the alternate case...

-- 
iang


To: David Shaw <dshaw@jabberwocky.com>
Cc: OpenPGP <ietf-openpgp@imc.org>
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Use of the term "notarised signature"?
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com> <20030529185526.GA2193@jabberwocky.com>
Date: 29 May 2003 19:33:26 -0400
In-Reply-To: <20030529185526.GA2193@jabberwocky.com>
Message-ID: <sjmadd5coqh.fsf@kikki.mit.edu>
Lines: 60
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Ian,

Feel free to bring a lawyer to the table to provide input, but we're
here to create Internet Standards, not Legal Standards.  So long as we
define our own terminology (or use references to definitions) I see no
problem with using the same term as another field in a way different
than that other field uses it.

This is orthogonal to the issue of whether the OpenPGP Notarized
Signature is useful to a "Notary" (in the legal sense).  Making
something that is useful is a Good Thing (TM).  I'd rather make
something useful than make something non-useful.  But not being
a lawyer (or a Notary) I don't know what would be useful.

I would think that having the ability to reference just the signature
or also sig + document in a notary signature would be sufficient to be
useful to any definition of notary....

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
> > 
> > When the word "notarised signature" is used, is this
> > a term that has been tested against the legal meaning
> > of the words?
> > 
> > Specifically, the term has quite different significances
> > under civil code and common law.  In the civil code, a
> > notary is a very important person, perhaps more significant
> > than an attorney.  He or she has to study for 6 years to
> > obtain their qualification, and it is a tightly constrained
> > field (at least in the country I'm mildly familiar with).
> 
> The term "notary signature" should not imply any legal meaning
> whatsoever.  As you point out, it means different things to different
> people in different places.
> 
> I can't imagine the terminology is a problem.  After all, the terms
> "signature", and "certification" mean different things in different
> legal jurisdictions as well, and PGP has been using those terms for
> over a decade.
> 
> > If not, as a minimum, it might be a good idea to add
> > a statement that the use of the term is not meant to
> > draw from the legal definition(s) of same.
> 
> I'm okay with this if the WG thinks it is necessary, though if we're
> going to go down that route, it would probably be simpler to put a
> single sentence in the introduction disclaiming any legal standing for
> terminology used in the whole document than it would be to add
> specific notes to the notary section.
> 
> David

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Date: Thu, 29 May 2003 14:55:26 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Use of the term "notarised signature"?
Message-ID: <20030529185526.GA2193@jabberwocky.com>
Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org>
References: <BAF973AF.80010F60%jon@callas.org> <3ED6427A.42B5230A@systemics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <3ED6427A.42B5230A@systemics.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (2% of Full)
User-Agent: Mutt/1.5.4i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 29, 2003 at 01:25:14PM -0400, Ian Grigg wrote:
> 
> When the word "notarised signature" is used, is this
> a term that has been tested against the legal meaning
> of the words?
> 
> Specifically, the term has quite different significances
> under civil code and common law.  In the civil code, a
> notary is a very important person, perhaps more significant
> than an attorney.  He or she has to study for 6 years to
> obtain their qualification, and it is a tightly constrained
> field (at least in the country I'm mildly familiar with).

The term "notary signature" should not imply any legal meaning
whatsoever.  As you point out, it means different things to different
people in different places.

I can't imagine the terminology is a problem.  After all, the terms
"signature", and "certification" mean different things in different
legal jurisdictions as well, and PGP has been using those terms for
over a decade.

> If not, as a minimum, it might be a good idea to add
> a statement that the use of the term is not meant to
> draw from the legal definition(s) of same.

I'm okay with this if the WG thinks it is necessary, though if we're
going to go down that route, it would probably be simpler to put a
single sentence in the introduction disclaiming any legal standing for
terminology used in the whole document than it would be to add
specific notes to the notary section.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+1lee4mZch0nhy8kRAmC8AKCf4/EvXjuYkvabEs8IwXK3hlE/XACgr7+/
ntnmo2Iqd4wIFtYFVIowIU8=
=pfIG
-----END PGP SIGNATURE-----


Message-Id: <5.2.0.9.2.20030529131915.02833f40@12.2.121.3>
X-Sender: mjm@12.2.121.3 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Thu, 29 May 2003 13:27:47 -0500
To: Jeroen van Gelderen <jeroen@vangelderen.org>
From: Mike Markowitz <markowitz@infoseccorp.com>
Subject: AES-128 (was Re: Suggested DER Prefixes)
Cc: Derek Atkins <derek@ihtfp.com>, "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
In-Reply-To: <B39206D0-91F7-11D7-B472-000393754B1C@vangelderen.org>
References: <sjmd6i1g0am.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 01:05 PM 5/29/2003 -0400, Jeroen van Gelderen wrote:
>The original statement was:
>
>   "In fact, there are those who feel safer with AES at 128 than at 256."

I believe that when rumors of the initial Courtois & Pieprzyk work first
made the rounds (Crypto '01?), it was "whispered" that their attack only
applied to (or was simply more efficient at?) the 2 larger key sizes, but
not to/at 128. The situation now seems to be much more complicated. See,
for example:
         http://www.minrank.org/aes/

-mjm 



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4THU7AF046558 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 10:30:07 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4THU6PY046557 for ietf-openpgp-bks; Thu, 29 May 2003 10:30:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4THU5AF046552 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 10:30:06 -0700 (PDT) (envelope-from iang@systemics.com)
Received: from systemics.com (guderian.cryptohill.net [24.244.145.14]) by mx1.cryptohill.net (Postfix) with ESMTP id DF8051C8A7; Thu, 29 May 2003 13:30:03 -0400 (EDT)
Message-ID: <3ED6427A.42B5230A@systemics.com>
Date: Thu, 29 May 2003 13:25:14 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Use of the term "notarised signature"?
References: <BAF973AF.80010F60%jon@callas.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

When the word "notarised signature" is used, is this
a term that has been tested against the legal meaning
of the words?

Specifically, the term has quite different significances
under civil code and common law.  In the civil code, a
notary is a very important person, perhaps more significant
than an attorney.  He or she has to study for 6 years to
obtain their qualification, and it is a tightly constrained
field (at least in the country I'm mildly familiar with).

When a notary notarises a document in a civil law country,
he is inherently taking some view on the document.  In
some cases, a notary refuses to participate on some
arbitrary grounds such as an unfamiliar document or a
person not within jurisdiction.  Signatures also may be
meaningless unless notarised.

This seems to be in complete contrast to the common law
view, where only the signature is notarised and the signer
is identified.

My question then would be, has anyone tested this notion
of implying a notary function with a civil law expert?

If not, as a minimum, it might be a good idea to add
a statement that the use of the term is not meant to
draw from the legal definition(s) of same.

Or, describe the feature as potentially providing a
feature useful for notaries, rather than calling it
"notarised signatures."

The main issue here is that if someone does use OpenPGP's
new notarised signature form, will that imply an
unexpected legal meaning in the wrong country?  I know
some countries are very jumpy about the misuse of
terms, and at least one big/rich country in particular
puts people in jail for misrepresenting their status.


(Apologies for jumping in late and briefly on this one.)

-- 
iang


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TH57AF044698 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 10:05:07 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4TH57jR044697 for ietf-openpgp-bks; Thu, 29 May 2003 10:05:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from possum.cryptohill.net (cambist.cryptohill.net [24.244.145.35]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TH56AF044691 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 10:05:06 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (grolsch.cryptohill.net [24.244.145.13]) by possum.cryptohill.net (Postfix) with ESMTP id 029E8AE0E3; Thu, 29 May 2003 13:05:08 -0400 (EDT)
Date: Thu, 29 May 2003 13:05:08 -0400
Subject: Re: Suggested DER Prefixes
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
Cc: "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
To: Derek Atkins <derek@ihtfp.com>
From: Jeroen van Gelderen <jeroen@vangelderen.org>
In-Reply-To: <sjmd6i1g0am.fsf@kikki.mit.edu>
Message-Id: <B39206D0-91F7-11D7-B472-000393754B1C@vangelderen.org>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Thursday, May 29, 2003, at 12:55 US/Eastern, Derek Atkins wrote:

> "Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:
>
>>>>>            In fact, there are those who feel safer with AES
>>>>> at 128 than at
>>>>> 256.
>>>>
>>>> Any particular reason(s)? Is there any merit to these reason(s)?
>>>
>>> The difficulty in obtaining 256 bits of key entropy?
>>
>> Hmm... if I read you correctly that would imply that AES-256 with a
>> key containing 128 bits of entropy is less secure than AES-128 with a
>> key containing 128 bits of entropy. Do you know of a document where
>> this would be explained?
>
> I certainly did not say "less secure", did I?  It's certainly
> much SLOWER, and certainly is not MORE secure...

The original statement was:

   "In fact, there are those who feel safer with AES at 128 than at 256."

According to my English interpreter this implied "...more secure with 
AES 128...". Still does. You answered with what appeared to be a 
rationale for precisely this statement.

Cheers,
-J
-- 
Jeroen C. van Gelderen - jeroen@vangelderen.org

When Germany invaded Czechoslovakia and Poland, its declared justification
was to free the Germans living in those countries from the tyranny of the
Czech and Polish governments. When Germany invaded the Soviet Union in
1941, one of its declared purposes was to "liberate" the Russian people
from communist tyranny.



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGtWAF044379 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 09:55:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4TGtW7G044378 for ietf-openpgp-bks; Thu, 29 May 2003 09:55:32 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGtUAF044373 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 09:55:30 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h4TGtVNM015428; Thu, 29 May 2003 12:55:31 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h4TGtU7e015474; Thu, 29 May 2003 12:55:31 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h4TGtUFJ006481; Thu, 29 May 2003 12:55:30 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id MAA13856; Thu, 29 May 2003 12:55:30 -0400 (EDT)
To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc: "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Suggested DER Prefixes
References: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
Date: 29 May 2003 12:55:29 -0400
In-Reply-To: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
Message-ID: <sjmd6i1g0am.fsf@kikki.mit.edu>
Lines: 24
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

"Jeroen C. van Gelderen" <jeroen@vangelderen.org> writes:

> >>>            In fact, there are those who feel safer with AES
> >>> at 128 than at
> >>> 256.
> >>
> >> Any particular reason(s)? Is there any merit to these reason(s)?
> >
> > The difficulty in obtaining 256 bits of key entropy?
> 
> Hmm... if I read you correctly that would imply that AES-256 with a
> key containing 128 bits of entropy is less secure than AES-128 with a
> key containing 128 bits of entropy. Do you know of a document where
> this would be explained?

I certainly did not say "less secure", did I?  It's certainly
much SLOWER, and certainly is not MORE secure... 

-derek

--
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGquAF044230 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 09:52:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4TGquG4044229 for ietf-openpgp-bks; Thu, 29 May 2003 09:52:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from possum.cryptohill.net (cambist.cryptohill.net [24.244.145.35]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TGqsAF044224 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 09:52:55 -0700 (PDT) (envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (grolsch.cryptohill.net [24.244.145.13]) by possum.cryptohill.net (Postfix) with ESMTP id 9A9D2AE0E3; Thu, 29 May 2003 12:52:55 -0400 (EDT)
Date: Thu, 29 May 2003 12:52:56 -0400
Subject: Re: Suggested DER Prefixes
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v552)
Cc: "Richard Laager" <rlaager@wiktel.com>, <ietf-openpgp@imc.org>
To: Derek Atkins <warlord@MIT.EDU>
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
In-Reply-To: <sjmu1bdg4mj.fsf@kikki.mit.edu>
Message-Id: <FEF68794-91F5-11D7-B472-000393754B1C@vangelderen.org>
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.552)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Thursday, May 29, 2003, at 11:21 US/Eastern, Derek Atkins wrote:

>
> "Richard Laager" <rlaager@wiktel.com> writes:
>
>> Jon Callas wrote:
>>>            In fact, there are those who feel safer with AES
>>> at 128 than at
>>> 256.
>>
>> Any particular reason(s)? Is there any merit to these reason(s)?
>
> The difficulty in obtaining 256 bits of key entropy?

Hmm... if I read you correctly that would imply that AES-256 with a key 
containing 128 bits of entropy is less secure than AES-128 with a key 
containing 128 bits of entropy. Do you know of a document where this 
would be explained?

Cheers!
-J
-- 
Jeroen C. van Gelderen - jeroen@vangelderen.org

When Germany invaded Czechoslovakia and Poland, its declared justification
was to free the Germans living in those countries from the tyranny of the
Czech and Polish governments. When Germany invaded the Soviet Union in
1941, one of its declared purposes was to "liberate" the Russian people
from communist tyranny.



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TFLxAF040952 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 08:21:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4TFLxlv040951 for ietf-openpgp-bks; Thu, 29 May 2003 08:21:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TFLvAF040945 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 08:21:58 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h4TFLwNM011059; Thu, 29 May 2003 11:21:58 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h4TFLv7e003399; Thu, 29 May 2003 11:21:57 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h4TFLuU8019075; Thu, 29 May 2003 11:21:57 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id LAA13657; Thu, 29 May 2003 11:21:56 -0400 (EDT)
To: "Richard Laager" <rlaager@wiktel.com>
Cc: <ietf-openpgp@imc.org>
Subject: Re: Suggested DER Prefixes
References: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
From: Derek Atkins <warlord@MIT.EDU>
Date: 29 May 2003 11:21:56 -0400
In-Reply-To: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
Message-ID: <sjmu1bdg4mj.fsf@kikki.mit.edu>
Lines: 21
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

"Richard Laager" <rlaager@wiktel.com> writes:

> Jon Callas wrote:
> >            In fact, there are those who feel safer with AES 
> > at 128 than at
> > 256.
> 
> Any particular reason(s)? Is there any merit to these reason(s)?

The difficulty in obtaining 256 bits of key entropy?

> Thanks,
> Richard Laager

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TEiJAF036142 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 07:44:19 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4TEiJRh036141 for ietf-openpgp-bks; Thu, 29 May 2003 07:44:19 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail2.wiktel.com (mail.northborderrealty.com [204.221.145.8]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TEiHAF036136 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 07:44:18 -0700 (PDT) (envelope-from rlaager@wiktel.com)
Received: from NB1131 (unverified [209.32.118.218]) by wiktel.com (Rockliffe SMTPRA 5.3.4) with ESMTP id <B0000685503@mail2.wiktel.com> for <ietf-openpgp@imc.org>; Thu, 29 May 2003 09:45:26 -0500
From: "Richard Laager" <rlaager@wiktel.com>
To: <ietf-openpgp@imc.org>
Subject: RE: Suggested DER Prefixes
Date: Thu, 29 May 2003 09:44:11 -0500
Organization: Wikstrom Telecom Internet
Message-ID: <001201c325f0$c4c501d0$da7620d1@umcrookston.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
In-Reply-To: <BAFB09ED.800110E8%jon@callas.org>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jon Callas wrote:
>            In fact, there are those who feel safer with AES 
> at 128 than at
> 256.

Any particular reason(s)? Is there any merit to these reason(s)?

Thanks,
Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPtYb1m31OrleHxvOEQJUuwCghKCDPQ4NtBRi+zkz425uNJzO5DoAoOZa
Hlg8Xxym5RIuZ7TJ0+Fvg52Q
=tH7T
-----END PGP SIGNATURE-----



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TBVLAF027577 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 04:31:21 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4TBVL99027576 for ietf-openpgp-bks; Thu, 29 May 2003 04:31:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4TBVHAF027561 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 04:31:17 -0700 (PDT) (envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101]) by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h4TBQN3j018906; Thu, 29 May 2003 07:26:24 -0400
Received: from berkshire.research.att.com (raptor.research.att.com [135.207.23.32]) by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h4TBUfV20616; Thu, 29 May 2003 07:30:48 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1]) by berkshire.research.att.com (Postfix) with ESMTP id ACD857B4D; Thu, 29 May 2003 07:30:40 -0400 (EDT)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: Jon Callas <jon@callas.org>
Cc: "Imad R. Faiad" <matic@cyberia.net.lb>, OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Suggested DER Prefixes 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 29 May 2003 07:30:40 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
Message-Id: <20030529113040.ACD857B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

In message <BAFB09ED.800110E8%jon@callas.org>, Jon Callas writes:
>

>
>> P.S. Just out of curiosity, what in the heck is "DES/SK"?
>>    any references?
>
>It is an improvement on DES from Uri Blumenthal and Steve Bellovin. Here's a
>reference: <http://www.research.att.com/~smb/papers/ides.pdf>. It's a way to
>get reasonable security out of DES without having to do 3DES. It's a pretty
>cool idea, but it never went anywhere, for a number of reasons.
>

And with the advent of AES, I don't foresee anyone using it.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T7p1AF004641 for <ietf-openpgp-bks@above.proper.com>; Thu, 29 May 2003 00:51:01 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4T7p1qB004640 for ietf-openpgp-bks; Thu, 29 May 2003 00:51:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T7oqAF004583 for <ietf-openpgp@imc.org>; Thu, 29 May 2003 00:50:53 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2); Thu, 29 May 2003 00:50:51 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 29 May 2003 00:50:53 -0700
Subject: Re: Suggested DER Prefixes
From: Jon Callas <jon@callas.org>
To: "Imad R. Faiad" <matic@cyberia.net.lb>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFB09ED.800110E8%jon@callas.org>
In-Reply-To: <v5badvs0p3379hjfj70v2t20bqua8qtd00@4ax.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 5/28/03 3:12 PM, "Imad R. Faiad" <matic@cyberia.net.lb> wrote:

> And while you are at it, please do kindly remove
> IDEA, CAST5, MD2, MD5, and AES < 256 bits.
> 
> The above algorithms will, no doubt, be rendered useless,
> given any advances in the attacks.
> 

In the soon-to-be finished bis08, IDEA is a MAY. MD2 has been removed (since
anything that used it is long-dead), and MD5 is moved to a MAY with lots of
grumbling. There's no reason to remove CAST5, and no reason to remove AES
below 256. In fact, there are those who feel safer with AES at 128 than at
256.

> P.S. Just out of curiosity, what in the heck is "DES/SK"?
>    any references?

It is an improvement on DES from Uri Blumenthal and Steve Bellovin. Here's a
reference: <http://www.research.att.com/~smb/papers/ides.pdf>. It's a way to
get reasonable security out of DES without having to do 3DES. It's a pretty
cool idea, but it never went anywhere, for a number of reasons.

    Jon



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T3NSAF079739 for <ietf-openpgp-bks@above.proper.com>; Wed, 28 May 2003 20:23:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4T3NSkc079738 for ietf-openpgp-bks; Wed, 28 May 2003 20:23:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4T3NRAF079733 for <ietf-openpgp@imc.org>; Wed, 28 May 2003 20:23:27 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h4T3NIw29409; Wed, 28 May 2003 23:23:18 -0400
Date: Wed, 28 May 2003 23:23:18 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: Jon Callas <jon@callas.org>
Cc: OpenPGP <ietf-openpgp@imc.org>
Subject: Re: Signature targets and where they should be used
Message-ID: <20030529032318.GD24935@jabberwocky.com>
Mail-Followup-To: Jon Callas <jon@callas.org>, OpenPGP <ietf-openpgp@imc.org>
References: <20030416213837.GE1184@jabberwocky.com> <BAF973AF.80010F60%jon@callas.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <BAF973AF.80010F60%jon@callas.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (4% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, May 27, 2003 at 07:57:35PM -0700, Jon Callas wrote:
> 
> On 4/16/03 2:38 PM, "David Shaw" <dshaw@jabberwocky.com> wrote:
> 
> Is there a consensus on this?
> 
> Personally, I think that the SHOULD is good enough. If you want to do a
> blind notary, you have the perfect reason not to put the target packet
> there.
> 
> However, I included this text: "Note that we really do mean SHOULD. There
> are plausible uses for this (such as a blind notary that only sees the
> signature, not the key nor source document) that cannot include a target
> subpacket."

The gist of my original comment was that a signature target is
actually needed when issuing a certification revocation signature
(i.e. 0x30).  This is a signature (the 0x30 sig) on the hash of an
object (the pk+user ID) that actually refers to another signature (the
signature being revoked).  A signature target there is necessary to
know which signature is being revoked.

With notary signatures, on the other hand, it is clear which signature
is being signed.  The notary signature itself won't even verify if we
check it against the wrong signature.  Including a signature target
there is like making a signature (the 0x50) on the hash of an object
(the signature being notarized), that contains a second copy of the
signature being notarized in the signature target subpacket.  Why
SHOULD someone include it twice?

Saying nothing at all on the subject of signature targets and notary
signatures, or even making it a "MAY" just seems simpler.

All that said, I'm okay with the added clarification above. :)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+1X0m4mZch0nhy8kRApH6AKDRPC7Y+o9p3O1d9kIYLFeJZp1/FgCghVdi
Cw/SrIx2YnPes9/1Vp2Csfs=
=KK5x
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SLElAF067578 for <ietf-openpgp-bks@above.proper.com>; Wed, 28 May 2003 14:14:47 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4SLElNA067577 for ietf-openpgp-bks; Wed, 28 May 2003 14:14:47 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SLEiAF067546 for <ietf-openpgp@imc.org>; Wed, 28 May 2003 14:14:45 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-12-13.cyberia.net.lb ([195.112.203.14]) by sand.cyberia.net.lb with SMTP id <20030528211017.GXWM1948.sand@ppp-12-13.cyberia.net.lb>; Thu, 29 May 2003 00:10:17 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org, jon@callas.org
Subject: Re: Suggested DER Prefixes
Date: Thu, 29 May 2003 00:12:53 +0200
Organization: ECLiPSE
Message-ID: <v5badvs0p3379hjfj70v2t20bqua8qtd00@4ax.com>
References: <rbmmcvcar5221v7g9oujc4ela5ctbe331i@4ax.com> <BAF0F899.800101B4%jon@callas.org>
In-Reply-To: <BAF0F899.800101B4%jon@callas.org>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h4SLEkAF067571
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: HAVAL-5-160 ;)

Hello Mr Callas,

Please, do allow me to table the following:

And while you are at it, please do kindly remove
IDEA, CAST5, MD2, MD5, and AES < 256 bits.

The above algorithms will, no doubt, be rendered useless,
given any advances in the attacks.

The OpenPGP suite of symmetric ciphers and hashing algorithms
is deficient; more algorithms are needed.  While less is better,
I don't think that this principle should be applied
to the fundamental level of ciphers and hashes.
The implementer does not write the code for these, he just
plugs them in.  If he is too lazy to do so, then, I think,
that he ought to consider some other endeavor.
I wish that the "less is better" principle were
applied to the higher levels, this is where
all the complexities lie.

my 2c,

Best Regards,

Imad R. Faiad

P.S. Just out of curiosity, what in the heck is "DES/SK"?
     any references?


On Wed, 21 May 2003 09:34:17 -0700, you wrote:

>On 5/21/03 4:11 AM, "Imad R. Faiad" <matic@cyberia.net.lb> wrote:
>
>> PS Can someone clarify OpenPGP symmetric
>> algorithm ID: 6 (DES/SK), I mean, what
>> variant of the DES algorithm are we talking about.
>> TIA
>> 
>
>DES/SK is being removed. Don't implement it.
>
>> //Double width SHA (SHA1x) experimental algorithm
>> //Used In: PGP 5.x
>> //OpenPGP Hash Algorithm ID: 04
>> unsigned char const SHA1xDERprefix[] = {
>> 0x30, /* Universal, Constructed, Sequence */
>> 0x35, /* Length 53 (bytes following) */
>> 0x30,  /* Universal, Constructed, Sequence */
>> 0x09,  /* Length 9 bytes*/
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x05, /*Length 5 bytes*/
>>   0x53, 0x48, 0x41, 0x31, 0x78,  /*SHA1x*/
>> 0x05,  /* Universal, Primitive, NULL */
>> 0x00, /* Length 0 */
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x28 /* Length 40 bytes = 320 bits*/
>> /* 40 bytes SHA1x digest start here */
>> };
>> 
>
>Double-width SHA was an experimental thing some people were using for
>wider DSA, it was never widely implemented. Don't implement it.
>
>> //HAVAL 5 pass, 160 bits (HAVAL-5-160)
>> //OpenPGP Hash Algorithm ID: 07
>> //Used in: PGP 2.6.3ia-multi04+
>> unsigned char const HAVAL_5_160DERprefix[] = {   /* hyphens are not legal in a C identifier */
>> 0x30, /* Universal, Constructed, Sequence */
>> 0x27, /* Length 39 (bytes following) */
>> 0x30,  /* Universal, Constructed, Sequence */
>> 0x0f,  /* Length 15 bytes*/
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x0B, /*Length 11 bytes*/
>>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>>   0x35, 0x2D, 0x31, 0x36, 0x30, /*HAVAL-5-160*/
>> 0x05,  /* Universal, Primitive, NULL */
>> 0x00, /* Length 0 */
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x14 /* Length 20 bytes = 160 bits*/
>> /* 20 bytes HAVAL-5-160 digest start here */
>> };
>> 
>> //HAVAL 5 pass, 256 bits (HAVAL-5-256)
>> //OpenPGP Hash Algorithm ID: None
>> //Used in: PGP 2.6.3ia-multi04+
>> //Hash Algorithm ID used: 11
>> unsigned char const HAVAL_5_256DERprefix[] = {   /* hyphens are not legal in a C identifier */
>> 0x30, /* Universal, Constructed, Sequence */
>> 0x33, /* Length 51 (bytes following) */
>> 0x30,  /* Universal, Constructed, Sequence */
>> 0x0f,  /* Length 15 bytes*/
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x0B, /*Length 11 bytes*/
>>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>>   0x35, 0x2D, 0x32, 0x35, 0x36, /*HAVAL-5-256*/
>> 0x05,  /* Universal, Primitive, NULL */
>> 0x00, /* Length 0 */
>> 0x04, /* Universal, Primitive, Octet string */
>> 0x20 /* Length 32 bytes = 256 bits*/
>> /* 32 bytes HAVAL-5-256 digest start here */
>> };
>
>Haval is being removed. Don't bother.
>
>Now that there are the wide SHAs, they are what you should be
>implementing.  
>
>    Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2irf

iQEVAwUBPtUz4LzDFxiDPxutAQcWxwgAgL5lhy2wvkmlf7UCyksWhma2GK0I9oyu
BHGxlnCrYGHP+UopQT/Gk2ZmOz3qxKg+n+CelR7/FRyDoM5eyUp+8MUHMpBVdkoP
ZBt39/6J1BW5OC+/XNbCgE4ftRvnlz5/sJjdWYq1RSdtfMIN68K2188KmUxmBJ4E
LdszetQ64L1hFY8blpVtYpPQMgtJUhvQ0bCsWij7Xm6nTsFruABvIcoalQ7TcM3V
IEf9ygDBYdF/wSYLEHMotSfyoogjv1GC1aN8+9Zl045vBvC3gJoGrIP5NBb17bwa
DilBynG5Wf3uFS1V742eaSKvsny+8g0bsjx1dDURVlq5PzA/NrgBTA==
=CLcJ
-----END PGP SIGNATURE-----
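The DER prefixes quoted in the message above name the hash by an ASCII string inside an OCTET STRING rather than by an OID, and every length byte must agree with the nesting and with the digest that follows the prefix. As an added example, not code from any message in this thread, here is a C check that walks those length fields before a verifier trusts any of them; the function `check_digestinfo_prefix` and helper `read_short_len` are hypothetical names, and the arrays are copies of the quoted prefixes with C-legal identifiers plus one constructed bad case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shape of the non-standard prefixes quoted in the thread:
 *   SEQUENCE { SEQUENCE { OCTET STRING name, NULL }, OCTET STRING digest }
 * The prefix bytes are followed by the digest itself, so the outer SEQUENCE
 * length must cover the rest of the prefix plus the digest that is not in
 * the array. */

#define TAG_SEQUENCE  0x30
#define TAG_OCTET_STR 0x04
#define TAG_NULL      0x05

/* Reads a short-form DER length (< 128) at *p. Hypothetical helper. */
static int read_short_len(const uint8_t *buf, size_t len, size_t *p, size_t *out)
{
    if (*p >= len || buf[*p] >= 0x80) return 0;
    *out = buf[(*p)++];
    return 1;
}

/* Returns 1 if prefix[0..len) is structurally consistent and declares a
 * digest of expected_digest_len bytes, 0 otherwise. Every length field is
 * checked against the enclosing structure before it is trusted. */
int check_digestinfo_prefix(const uint8_t *prefix, size_t len,
                            size_t expected_digest_len)
{
    size_t p = 0, outer_len, inner_len, inner_start, name_len, digest_len;

    /* Outer SEQUENCE: remaining prefix bytes plus the digest. */
    if (p >= len || prefix[p++] != TAG_SEQUENCE) return 0;
    if (!read_short_len(prefix, len, &p, &outer_len)) return 0;
    if (outer_len != (len - p) + expected_digest_len) return 0;

    /* Inner SEQUENCE standing in for AlgorithmIdentifier. */
    if (p >= len || prefix[p++] != TAG_SEQUENCE) return 0;
    if (!read_short_len(prefix, len, &p, &inner_len)) return 0;
    inner_start = p;

    /* OCTET STRING carrying the ASCII algorithm name. */
    if (p >= len || prefix[p++] != TAG_OCTET_STR) return 0;
    if (!read_short_len(prefix, len, &p, &name_len)) return 0;
    if (name_len > len - p) return 0;
    p += name_len;

    /* NULL parameters: tag 0x05, length 0. */
    if (len - p < 2 || prefix[p] != TAG_NULL || prefix[p + 1] != 0x00) return 0;
    p += 2;
    if (p - inner_start != inner_len) return 0;

    /* OCTET STRING header for the digest; nothing may follow it in the prefix. */
    if (p >= len || prefix[p++] != TAG_OCTET_STR) return 0;
    if (!read_short_len(prefix, len, &p, &digest_len)) return 0;
    return digest_len == expected_digest_len && p == len;
}

/* The three prefixes from the quoted message, copied with C-legal names. */
static const uint8_t SHA1xDERprefix[] = {
    0x30, 0x35, 0x30, 0x09, 0x04, 0x05, 'S', 'H', 'A', '1', 'x',
    0x05, 0x00, 0x04, 0x28 };                          /* + 40-byte digest */
static const uint8_t HAVAL_5_160DERprefix[] = {
    0x30, 0x27, 0x30, 0x0f, 0x04, 0x0b,
    'H', 'A', 'V', 'A', 'L', '-', '5', '-', '1', '6', '0',
    0x05, 0x00, 0x04, 0x14 };                          /* + 20-byte digest */
static const uint8_t HAVAL_5_256DERprefix[] = {
    0x30, 0x33, 0x30, 0x0f, 0x04, 0x0b,
    'H', 'A', 'V', 'A', 'L', '-', '5', '-', '2', '5', '6',
    0x05, 0x00, 0x04, 0x20 };                          /* + 32-byte digest */
/* Constructed negative case: SHA1x prefix whose outer length is off by one. */
static const uint8_t SHA1x_bad_outer[] = {
    0x30, 0x36, 0x30, 0x09, 0x04, 0x05, 'S', 'H', 'A', '1', 'x',
    0x05, 0x00, 0x04, 0x28 };

int main(void)
{
    printf("SHA1x        ok=%d\n", check_digestinfo_prefix(SHA1xDERprefix, sizeof SHA1xDERprefix, 40));
    printf("HAVAL-5-160  ok=%d\n", check_digestinfo_prefix(HAVAL_5_160DERprefix, sizeof HAVAL_5_160DERprefix, 20));
    printf("HAVAL-5-256  ok=%d\n", check_digestinfo_prefix(HAVAL_5_256DERprefix, sizeof HAVAL_5_256DERprefix, 32));
    printf("bad outer    ok=%d\n", check_digestinfo_prefix(SHA1x_bad_outer, sizeof SHA1x_bad_outer, 40));
    return 0;
}
```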




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SHUSAF055107 for <ietf-openpgp-bks@above.proper.com>; Wed, 28 May 2003 10:30:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4SHUStb055106 for ietf-openpgp-bks; Wed, 28 May 2003 10:30:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4SHUQAF055101 for <ietf-openpgp@imc.org>; Wed, 28 May 2003 10:30:26 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2); Wed, 28 May 2003 10:30:22 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Tue, 27 May 2003 19:57:35 -0700
Subject: Re: Signature targets and where they should be used
From: Jon Callas <jon@callas.org>
To: David Shaw <dshaw@jabberwocky.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAF973AF.80010F60%jon@callas.org>
In-Reply-To: <20030416213837.GE1184@jabberwocky.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 4/16/03 2:38 PM, "David Shaw" <dshaw@jabberwocky.com> wrote:

Is there a consensus on this?

Personally, I think that the SHOULD is good enough. If you want to do a
blind notary, you have the perfect reason not to put the target packet
there.

However, I included this text: "Note that we really do mean SHOULD. There
are plausible uses for this (such as a blind notary that only sees the
signature, not the key nor source document) that cannot include a target
subpacket."

    Jon

> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, Apr 16, 2003 at 03:40:24PM -0400, Michael Young wrote:
>> 
>> From: "David Shaw" <dshaw@jabberwocky.com>
> 
>>> In the case of notary signatures, there is no "C" to specify.  It is
>>> merely signature A (the 0x50 signature), on data B (the signature to
>>> be notarized).  There is no benefit in specifying B twice as the data
>>> to be signed and then again as an additional subpacket.
>> 
>> I'd agree that the benefit is slight at best.  I suppose if
>> you had "B" and the material it covered (so that you could generate
>> B's hash), and you had a disorganized bunch of notary signatures,
>> then you could pick out the matching ones faster if they had
>> target subpackets.  This doesn't seem like a compelling scenario. :-)
> 
> There is actually another reason why using targets for notary
> signatures is not really good: one of the nice features of notary
> signatures is that the notarizer doesn't need the original signer's
> public key or the material the original signature covered.  All the
> notarizer needs is the signature packet.  Unfortunately, to use a
> signature target in the notary signature, the notarizer needs the
> original signer's public key to extract the hash from the original
> signature packet...
> 
> I suppose we could solve that problem by defining a signature target
> to be the canonical hash of the signature being targeted, but even
> then there is still no good reason why using a target for notary
> signatures needs to be a SHOULD.
> 
> David
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2rc2 (GNU/Linux)
> Comment: http://www.jabberwocky.com/david/keys.asc
> 
> iD8DBQE+nc1c4mZch0nhy8kRAjTQAJ42SnhAoD42MFWJjin3KJXBxZrMDACeNDqK
> hGj20/LjG6I8lBPGqigWOlA=
> =a8B8
> -----END PGP SIGNATURE-----
> 



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LGYIAF040021 for <ietf-openpgp-bks@above.proper.com>; Wed, 21 May 2003 09:34:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4LGYId1040020 for ietf-openpgp-bks; Wed, 21 May 2003 09:34:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LGYDAF040003 for <ietf-openpgp@imc.org>; Wed, 21 May 2003 09:34:13 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2); Wed, 21 May 2003 09:34:08 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Wed, 21 May 2003 09:34:17 -0700
Subject: Re: Suggested DER Prefixes
From: Jon Callas <jon@callas.org>
To: "Imad R. Faiad" <matic@cyberia.net.lb>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAF0F899.800101B4%jon@callas.org>
In-Reply-To: <rbmmcvcar5221v7g9oujc4ela5ctbe331i@4ax.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 5/21/03 4:11 AM, "Imad R. Faiad" <matic@cyberia.net.lb> wrote:

> PS Can someone clarify OpenPGP symmetric
> algorithm ID: 6 (DES/SK)? I mean, what
> variant of the DES algorithm are we talking about?
> TIA
> 

DES/SK is being removed. Don't implement it.

> //Double width SHA (SHA1x) experimental algorithm
> //Used In: PGP 5.x
> //OpenPGP Hash Algorithm ID: 04
> unsigned char const SHA1xDERprefix[] = {
> 0x30, /* Universal, Constructed, Sequence */
> 0x35, /* Length 53 (bytes following) */
> 0x30,  /* Universal, Constructed, Sequence */
> 0x09,  /* Length 9 bytes*/
> 0x04, /* Universal, Primitive, Octet string */
> 0x05, /*Length 5 bytes*/
>   0x53, 0x48, 0x41, 0x31, 0x78,  /*SHA1x*/
> 0x05,  /* Universal, Primitive, NULL */
> 0x00, /* Length 0 */
> 0x04, /* Universal, Primitive, Octet string */
> 0x28 /* Length 40 bytes = 320 bits*/
> /* 40 bytes SHA1x digest start here */
> };
> 

Double-width SHA was an experimental thing some people were using for wider
DSA; it was never widely implemented. Don't implement it.

> //HAVAL 5 pass, 160 bits (HAVAL-5-160)
> //OpenPGP Hash Algorithm ID: 07
> //Used in: PGP 2.6.3ia-multi04+
> unsigned char const HAVAL_5_160DERprefix[] = {
> 0x30, /* Universal, Constructed, Sequence */
> 0x27, /* Length 39 (bytes following) */
> 0x30,  /* Universal, Constructed, Sequence */
> 0x0f,  /* Length 15 bytes*/
> 0x04, /* Universal, Primitive, Octet string */
> 0x0B, /*Length 11 bytes*/
>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>   0x35, 0x2D, 0x31, 0x36, 0x30, /*HAVAL-5-160*/
> 0x05,  /* Universal, Primitive, NULL */
> 0x00, /* Length 0 */
> 0x04, /* Universal, Primitive, Octet string */
> 0x14 /* Length 20 bytes = 160 bits*/
> /* 20 bytes HAVAL-5-160 digest start here */
> };
> 
> //HAVAL 5 pass, 256 bits (HAVAL-5-256)
> //OpenPGP Hash Algorithm ID: None
> //Used in: PGP 2.6.3ia-multi04+
> //Hash Algorithm ID used: 11
> unsigned char const HAVAL_5_256DERprefix[] = {
> 0x30, /* Universal, Constructed, Sequence */
> 0x33, /* Length 51 (bytes following) */
> 0x30,  /* Universal, Constructed, Sequence */
> 0x0f,  /* Length 15 bytes*/
> 0x04, /* Universal, Primitive, Octet string */
> 0x0B, /*Length 11 bytes*/
>   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
>   0x35, 0x2D, 0x32, 0x35, 0x36, /*HAVAL-5-256*/
> 0x05,  /* Universal, Primitive, NULL */
> 0x00, /* Length 0 */
> 0x04, /* Universal, Primitive, Octet string */
> 0x20 /* Length 32 bytes = 256 bits*/
> /* 32 bytes HAVAL-5-256 digest start here */
> };

Haval is being removed. Don't bother.

Now that there are the wide SHAs, they are what you should be implementing.

    Jon



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LADWAF017432 for <ietf-openpgp-bks@above.proper.com>; Wed, 21 May 2003 03:13:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h4LADW92017431 for ietf-openpgp-bks; Wed, 21 May 2003 03:13:32 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from lake.cyberia.net.lb (lake.cyberia.net.lb [195.112.195.73]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h4LADSAF017413 for <ietf-openpgp@imc.org>; Wed, 21 May 2003 03:13:29 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-17-95.cyberia.net.lb ([195.112.192.193]) by lake.cyberia.net.lb with SMTP id <20030521100332.BWZB9885.lake@ppp-17-95.cyberia.net.lb> for <ietf-openpgp@imc.org>; Wed, 21 May 2003 13:03:32 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Suggested DER Prefixes
Date: Wed, 21 May 2003 13:11:35 +0200
Organization: ECLiPSE
Message-ID: <rbmmcvcar5221v7g9oujc4ela5ctbe331i@4ax.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h4LADVAF017427
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----

Greetings,

Please find below some suggested DER prefixes
for the hash algorithms with no OIDs.

Best regards

Imad R Faiad

PS Can someone clarify OpenPGP symmetric
algorithm ID: 6 (DES/SK)? I mean, what
variant of the DES algorithm are we talking about?
TIA

//Double width SHA (SHA1x) experimental algorithm
//Used In: PGP 5.x
//OpenPGP Hash Algorithm ID: 04
unsigned char const SHA1xDERprefix[] = {
	0x30, /* Universal, Constructed, Sequence */
	0x35, /* Length 53 (bytes following) */
		0x30,  /* Universal, Constructed, Sequence */
		0x09,  /* Length 9 bytes*/
			0x04, /* Universal, Primitive, Octet string */
			0x05, /*Length 5 bytes*/
			   0x53, 0x48, 0x41, 0x31, 0x78,  /*SHA1x*/
			0x05,  /* Universal, Primitive, NULL */
			0x00, /* Length 0 */
		0x04, /* Universal, Primitive, Octet string */
		0x28 /* Length 40 bytes = 320 bits*/
		/* 40 bytes SHA1x digest start here */
};

//HAVAL 5 pass, 160 bits (HAVAL-5-160)
//OpenPGP Hash Algorithm ID: 07
//Used in: PGP 2.6.3ia-multi04+
unsigned char const HAVAL_5_160DERprefix[] = {
	0x30, /* Universal, Constructed, Sequence */ 
	0x27, /* Length 39 (bytes following) */
		0x30,  /* Universal, Constructed, Sequence */
		0x0f,  /* Length 15 bytes*/
			0x04, /* Universal, Primitive, Octet string */
			0x0B, /*Length 11 bytes*/
			   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
			   0x35, 0x2D, 0x31, 0x36, 0x30, /*HAVAL-5-160*/
			0x05,  /* Universal, Primitive, NULL */
			0x00, /* Length 0 */
		0x04, /* Universal, Primitive, Octet string */
		0x14 /* Length 20 bytes = 160 bits*/
		/* 20 bytes HAVAL-5-160 digest start here */
};

//HAVAL 5 pass, 256 bits (HAVAL-5-256)
//OpenPGP Hash Algorithm ID: None
//Used in: PGP 2.6.3ia-multi04+
//Hash Algorithm ID used: 11
unsigned char const HAVAL_5_256DERprefix[] = {
	0x30, /* Universal, Constructed, Sequence */ 
	0x33, /* Length 51 (bytes following) */
		0x30,  /* Universal, Constructed, Sequence */
		0x0f,  /* Length 15 bytes*/
			0x04, /* Universal, Primitive, Octet string */
			0x0B, /*Length 11 bytes*/
			   0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
			   0x35, 0x2D, 0x32, 0x35, 0x36, /*HAVAL-5-256*/
			0x05,  /* Universal, Primitive, NULL */
			0x00, /* Length 0 */
		0x04, /* Universal, Primitive, Octet string */
		0x20 /* Length 32 bytes = 256 bits*/
		/* 32 bytes HAVAL-5-256 digest start here */
};

-----BEGIN PGP SIGNATURE-----

iQEVAwUBPstebrzDFxiDPxutAQG59gf/RacmJy5hXblTPLE3TWPxm6kr+BttAL0b
osCJX125UxrhCailjERQwhy9ZGonw2rAPLScY6J2dfle/Zcu69ZL8Mppp9MEsHGT
J9nqAyR1gWvC5omSSr9CQoYHO1MkDzfSAec3QVd+tL9rEouqEcuTkVAJ1s1fbDT5
SxazIu0u/XIL5O2qwFBcVGPhvc4Otn++drz7u5Eh9ZlzktoyJFPQwSQIsbAAyKgN
dlonhygYvDVGdrq/NbjSP9cMg0Azs4e/EJp5AUnZPJmQ7jixhQa7Fc6JczVm2qMZ
RY7ph9cF+R7HdCI+6l1wOYEbQuvXdyKL4hrmYSAEotDDPCyCViTKmQ==
=wSbE
-----END PGP SIGNATURE-----
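The three prefixes above all share one layout: SEQUENCE { SEQUENCE { OCTET STRING name, NULL }, OCTET STRING digest }, with the prefix ending just before the digest bytes. What a verifier should check before trusting such a prefix is that every length byte agrees with the bytes that actually follow, and that the announced digest length matches the hash it is about to compare. The walker below is an added example, not part of the posting or of any PGP implementation; the function names (check_der_prefix, prefix_name_is, corrupted_prefix_result) are mine, and the byte arrays are copied from the listing above as sample input. It assumes short-form (single-byte) lengths, which all three prefixes use.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Prefix bytes as posted (copied from the listing as sample input). */
static const unsigned char sha1x_prefix[] = {
    0x30, 0x35, 0x30, 0x09, 0x04, 0x05, 0x53, 0x48, 0x41, 0x31, 0x78,
    0x05, 0x00, 0x04, 0x28
};
static const unsigned char haval5_160_prefix[] = {
    0x30, 0x27, 0x30, 0x0f, 0x04, 0x0B, 0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
    0x35, 0x2D, 0x31, 0x36, 0x30, 0x05, 0x00, 0x04, 0x14
};
static const unsigned char haval5_256_prefix[] = {
    0x30, 0x33, 0x30, 0x0f, 0x04, 0x0B, 0x48, 0x41, 0x56, 0x41, 0x4C, 0x2D,
    0x35, 0x2D, 0x32, 0x35, 0x36, 0x05, 0x00, 0x04, 0x20
};

/* Read a tag byte plus a short-form length byte. Returns 2 on success, 0 if
 * fewer than two bytes remain, the tag is wrong, or the length is long-form. */
static int read_hdr(const unsigned char *p, size_t n, unsigned char tag, size_t *len)
{
    if (n < 2 || p[0] != tag || (p[1] & 0x80)) return 0;
    *len = p[1];
    return 2;
}

/* Returns the digest length the prefix announces (what the verifier must expect
 * to follow it), or -1 if any length field is inconsistent with the structure.
 * Optionally copies the algorithm name out as a C string. */
int check_der_prefix(const unsigned char *p, size_t n, char *name, size_t name_cap)
{
    size_t outer, inner, namelen, nul, dig, off = 0, inner_start;
    int h;

    if (!(h = read_hdr(p, n, 0x30, &outer))) return -1;                /* outer SEQUENCE */
    off += h;
    if (!(h = read_hdr(p + off, n - off, 0x30, &inner))) return -1;     /* inner SEQUENCE */
    off += h;
    inner_start = off;
    if (!(h = read_hdr(p + off, n - off, 0x04, &namelen))) return -1;   /* OCTET STRING name */
    off += h;
    if (namelen > n - off) return -1;                                   /* name runs past the prefix */
    if (name && name_cap) {
        size_t c = namelen < name_cap - 1 ? namelen : name_cap - 1;
        memcpy(name, p + off, c);
        name[c] = '\0';
    }
    off += namelen;
    if (!(h = read_hdr(p + off, n - off, 0x05, &nul)) || nul != 0) return -1; /* NULL */
    off += h;
    if (off - inner_start != inner) return -1;   /* inner length must cover name + NULL exactly */
    if (!(h = read_hdr(p + off, n - off, 0x04, &dig))) return -1;       /* OCTET STRING digest */
    off += h;
    if (off != n) return -1;                      /* the digest must begin right after the prefix */
    if (outer != (n - 2) + dig) return -1;        /* outer length = everything after its own header */
    return (int)dig;
}

/* 1 if the prefix is well-formed and carries the expected algorithm name. */
int prefix_name_is(const unsigned char *p, size_t n, const char *expected)
{
    char name[32];
    return check_der_prefix(p, n, name, sizeof name) >= 0 && strcmp(name, expected) == 0;
}

/* Corrupts a copy of the SHA1x prefix's outer length by one byte to show the
 * walker rejects it. Returns the walker's result (-1 expected). */
int corrupted_prefix_result(void)
{
    unsigned char bad[sizeof sha1x_prefix];
    memcpy(bad, sha1x_prefix, sizeof bad);
    bad[1] = 0x34;
    return check_der_prefix(bad, sizeof bad, NULL, 0);
}

int main(void)
{
    char name[32];
    int d = check_der_prefix(sha1x_prefix, sizeof sha1x_prefix, name, sizeof name);
    printf("%s: digest %d bytes\n", name, d);
    d = check_der_prefix(haval5_160_prefix, sizeof haval5_160_prefix, name, sizeof name);
    printf("%s: digest %d bytes\n", name, d);
    d = check_der_prefix(haval5_256_prefix, sizeof haval5_256_prefix, name, sizeof name);
    printf("%s: digest %d bytes\n", name, d);
    printf("corrupted SHA1x prefix: %d\n", corrupted_prefix_result());
    return 0;
}
```

Note that these prefixes carry the algorithm name in an OCTET STRING where a registered DigestInfo would carry an OID, so a verifier that matches them must compare the whole prefix byte-for-byte against its own table rather than decode an OID; the length check above is the part that a table comparison alone does not give you.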




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h475Thi2017461 for <ietf-openpgp-bks@above.proper.com>; Tue, 6 May 2003 22:29:43 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h475ThpV017459 for ietf-openpgp-bks; Tue, 6 May 2003 22:29:43 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from uslims56.ca.com (mail3.ca.com [208.232.182.10]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h475Tgi2017449 for <ietf-openpgp@imc.org>; Tue, 6 May 2003 22:29:42 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from mail pickup service by uslims56.ca.com with Microsoft SMTPSVC; Wed, 7 May 2003 00:17:14 -0500
Received: from usilms53.ca.com ([141.202.248.39]) by uslims56.ca.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 6 May 2003 22:05:56 -0500
Received: from mail pickup service by usilms53.ca.com with Microsoft SMTPSVC; Tue, 6 May 2003 23:05:54 -0400
Received: from usilms44.ca.com ([141.202.248.115]) by uslims57.ca.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 6 May 2003 16:39:57 -0500
Received: from smtp.opengroup.org (192.153.166.4) by usilms44.ca.com (141.202.248.115)
Received: from above.proper.com (mail.proper.com [208.184.76.45]) by smtp.opengroup.org (8.11.6/8.11.6) with ESMTP id h46Ldjn26388 for <p.mcmahon@opengroup.org>; Tue, 6 May 2003 22:39:46 +0100
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46L6ki2002648 for <ietf-openpgp-bks@above.proper.com>; Tue, 6 May 2003 14:06:46 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h46L6kSP002646 for ietf-openpgp-bks; Tue, 6 May 2003 14:06:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46L6ji2002639 for <ietf-openpgp@imc.org>; Tue, 6 May 2003 14:06:45 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h46JKeS05203 for ietf-openpgp@imc.org; Tue, 6 May 2003 15:20:40 -0400
Date: Tue, 6 May 2003 15:20:40 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia
Message-ID: <20030506192040.GB4805@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <sjmfznyshqc.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmfznyshqc.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (23% of Full)
User-Agent: Mutt/1.5.4i
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Status: No, hits=-40.1 required=5.0 tests=AWL,BAYES_01,EMAIL_ATTRIBUTION,IN_REP_TO,PGP_SIGNATURE,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT,X_AUTH_WARNING autolearn=ham version=2.53
X-OriginalArrivalTime: 06 May 2003 21:39:57.0260 (UTC) FILETIME=[09CB60C0:01C31418]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:

> As was announced yesterday, I'm the new chair of OpenPGP.  My goals
> (as somewhat explained to me by the ADs) are to finish up the existing
> work and try to ramp down the WG.  This means finishing up all the
> open issues, getting 2440bis out the door, and either shutting down
> or rechartering based on what else is left to do.

I'm curious what shutting down actually entails.  Once 2440bis is
complete, what happens when/if something needs to happen in the
OpenPGP space?  Is the WG officially reconvened, or are things not
that formal?  Even if the WG is shut down, I think it would be useful
if this mailing list would continue to exist.  It is a good forum,
with an excellent signal to noise ratio, and it reaches nearly all of
the people working on OpenPGP today.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+uAsH4mZch0nhy8kRAvRRAJ9Dx8AqvjG+D2XWAuOZWtrCOA2kSACgpE5K
ca/Jqaw2PIZKqtaFPXhB28c=
=fdjl
-----END PGP SIGNATURE-----



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46LjQi2003972 for <ietf-openpgp-bks@above.proper.com>; Tue, 6 May 2003 14:45:26 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h46LjQSB003971 for ietf-openpgp-bks; Tue, 6 May 2003 14:45:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h46LjOi2003962 for <ietf-openpgp@imc.org>; Tue, 6 May 2003 14:45:24 -0700 (PDT) (envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101]) by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h46LgPZs012807; Tue, 6 May 2003 17:42:25 -0400
Received: from berkshire.research.att.com (sigaba.research.att.com [135.207.23.169]) by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h46LjLV11266; Tue, 6 May 2003 17:45:21 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1]) by berkshire.research.att.com (Postfix) with ESMTP id DEC3D7B4D; Tue,  6 May 2003 17:45:20 -0400 (EDT)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
From: "Steven M. Bellovin" <smb@research.att.com>
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia 
In-Reply-To: Your message of "Tue, 06 May 2003 15:20:40 EDT." <20030506192040.GB4805@jabberwocky.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 06 May 2003 17:45:20 -0400
Message-Id: <20030506214520.DEC3D7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

In message <20030506192040.GB4805@jabberwocky.com>, David Shaw writes:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:
>
>> As was announced yesterday, I'm the new chair of OpenPGP.  My goals
>> (as somewhat explained to me by the ADs) are to finish up the existing
>> work and try to ramp down the WG.  This means finishing up all the
>> open issues, getting 2440bis out the door, and either shutting down
>> or rechartering based on what else is left to do.
>
>I'm curious what shutting down actually entails.  Once 2440bis is
>complete, what happens when/if something needs to happen in the
>OpenPGP space?  Is the WG officially reconvened, or are things not
>that formal?  Even if the WG is shut down, I think it would be useful
>if this mailing list would continue to exist.  It is a good forum,
>with an excellent signal to noise ratio, and it reaches nearly all of
>the people working on OpenPGP today.
>

Mailing lists can (and often do) continue indefinitely.

As for the WG -- it can go dormant, or it can be disbanded.  If there's 
a need for a new WG in that space, one can be spun up -- the issue 
would be the charter, since any new WG would be doing something 
different.  Minor changes could be done by individual submissions.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h43JYSi2048724 for <ietf-openpgp-bks@above.proper.com>; Sat, 3 May 2003 12:34:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h43JYSvw048723 for ietf-openpgp-bks; Sat, 3 May 2003 12:34:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h43JYQi2048718 for <ietf-openpgp@imc.org>; Sat, 3 May 2003 12:34:27 -0700 (PDT) (envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 4.14) id 19C2m5-00OmOD-Rz; Sat, 03 May 2003 20:34:21 +0100
Date: Sat, 3 May 2003 20:34:10 +0100
From: Adam Back <adam@cypherspace.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: hal@finney.org, ietf-openpgp@imc.org, john.dlugosz@kodak.com
Subject: CFB vs CBC (Re: Low-level question about OpenPGP - why CFB mode?)
Message-ID: <20030503203410.A8238090@exeter.ac.uk>
References: <200305010715.h417FdB08293@medusa01.cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <200305010715.h417FdB08293@medusa01.cs.auckland.ac.nz>; from pgut001@cs.auckland.ac.nz on Thu, May 01, 2003 at 07:15:39PM +1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

PKCS#5 padding is simple to code, however:

- having to pad at all is an inconvenience for some applications where
  space is tight

- having to pad is inconvenient for streaming (need to know ahead when
  the last block is)

- there are people who have used non-PKCS#5 padding, and instead made
  up their own (clueless people, etc; but it's one more thing)

- the PKCS#5 padding end tag tends to encourage programmers to
  make their implementations into decryption oracles which can be used
  as an attack point (viz the interactive attack against block ciphers
  using the misformed padding error)

- the pseudo-IV handling (requirement not repeat IV for same key) is a
  non-issue in most contexts where the key changes every time anyway
  (symmetric key transport already covers cases in PGP where the
  symmetric key is derived from a password)

Adam

On Thu, May 01, 2003 at 07:15:39PM +1200, Peter Gutmann wrote:
> Adam Back <adam@cypherspace.org> writes:
> 
> >On use of CFB instead of CBC, I think this is actually good because it avoids
> >the whole padding issue which people frequently get wrong with bad security
> >implications.  Plus it's simpler to not have to pad. Error recovery is a
> >phantom property, as in no mode is it secure.
> 
> PKCS #5 padding is trivial to get right, any minor gains are more than made up
> for by the painful and clunky pseudo-IV handling, particularly since most
> crypto implementations have an "IV, data, go"-type interface which requires
> error-prone manual handling of the pseudo-IV.
> 
> Peter.
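Both sides of the exchange above agree on what PKCS#5 padding is; they differ on how easy it is to get right and on what the "malformed padding" error does to an implementation. The code below is an added example, not from the thread or from any PGP implementation; the function names (pkcs5_pad, pkcs5_unpad, roundtrip_len, tampered_result) are mine. It shows the padding rule itself and an unpadding routine written the way Adam's padding-oracle point asks for: the whole last block is examined regardless of the count byte, and there is exactly one failure value, so the caller has nothing distinct to leak.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PKCS#5 padding for CBC-style modes. Block size bs is 1..255 because each
 * pad byte holds the pad count in one byte. */

/* Pads buf (msglen bytes, capacity cap) in place. Always appends 1..bs bytes,
 * each equal to the pad count, so the receiver can strip it unambiguously even
 * when the message already fills a block. Returns the padded length, or 0 if
 * the buffer is too small or bs is out of range. */
size_t pkcs5_pad(unsigned char *buf, size_t msglen, size_t cap, size_t bs)
{
    if (bs == 0 || bs > 255) return 0;
    size_t padlen = bs - (msglen % bs);          /* 1..bs, never 0 */
    if (cap < msglen + padlen) return 0;
    memset(buf + msglen, (int)padlen, padlen);
    return msglen + padlen;
}

/* Returns the message length with padding removed, or -1 if the padding is
 * invalid. The last block is always scanned in full, so the time taken does not
 * depend on which byte is wrong, and only one failure value exists: the caller
 * must treat it like any other decryption failure and never report it on its
 * own. Authenticating the ciphertext before decrypting removes the oracle
 * entirely; this routine is the second line of defence, not the first. */
int pkcs5_unpad(const unsigned char *buf, size_t len, size_t bs)
{
    if (bs == 0 || bs > 255 || len < bs || len % bs != 0) return -1; /* lengths are public */
    unsigned pad = buf[len - 1];
    unsigned bad = (pad == 0) | (pad > bs);      /* count byte itself out of range */
    for (size_t i = 1; i <= bs; i++) {
        unsigned must_match = (i <= pad);        /* bytes inside the pad must all equal pad */
        unsigned differs = (buf[len - i] != pad);
        bad |= must_match & differs;             /* no early exit on the first mismatch */
    }
    if (bad) return -1;
    return (int)(len - pad);
}

/* Constructed round trip: a msglen-byte message of 'A's (msglen <= 256),
 * padded to block size bs and unpadded again. Returns the recovered length. */
int roundtrip_len(size_t msglen, size_t bs)
{
    unsigned char buf[512];
    if (msglen > 256) return -1;
    memset(buf, 'A', msglen);
    size_t padded = pkcs5_pad(buf, msglen, sizeof buf, bs);
    if (padded == 0) return -1;
    return pkcs5_unpad(buf, padded, bs);
}

/* Pads the constructed 5-byte message "hello" to one 8-byte block (last three
 * bytes become 0x03), then corrupts it as selected and returns what unpad says.
 * which = 0: count byte larger than a block; 1: an interior pad byte altered;
 * anything else: left intact. */
int tampered_result(int which)
{
    unsigned char buf[16] = "hello";
    size_t padded = pkcs5_pad(buf, 5, sizeof buf, 8);
    if (which == 0) buf[padded - 1] = 0x09;
    if (which == 1) buf[padded - 2] = 0x02;
    return pkcs5_unpad(buf, padded, 8);
}

int main(void)
{
    printf("5 bytes, bs 8  -> padded, unpadded to %d\n", roundtrip_len(5, 8));
    printf("8 bytes, bs 8  -> padded, unpadded to %d (a full pad block was added)\n", roundtrip_len(8, 8));
    printf("count byte 0x09 on an 8-byte block: %d\n", tampered_result(0));
    printf("one pad byte altered: %d\n", tampered_result(1));
    printf("intact: %d\n", tampered_result(2));
    return 0;
}
```

The full-block case (roundtrip_len(8, 8) producing 16 bytes) is the space cost Adam's first bullet refers to, and the fact that pkcs5_pad needs msglen up front is his streaming objection; CFB as used in OpenPGP has neither, since ciphertext length equals plaintext length.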


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MlFi2083255 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 15:47:15 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41MlF3r083254 for ietf-openpgp-bks; Thu, 1 May 2003 15:47:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MlEi2083248 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 15:47:14 -0700 (PDT) (envelope-from jon@callas.org)
Received: from [192.168.1.41] (63.73.97.165) by merrymeet.com with ESMTP (Eudora Internet Mail Server 3.2); Thu, 1 May 2003 15:47:12 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Thu, 01 May 2003 15:47:22 -0700
Subject: Re: OpenPGP Administrivia
From: Jon Callas <jon@callas.org>
To: Derek Atkins <derek@ihtfp.com>, David Shaw <dshaw@jabberwocky.com>
CC: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAD6F20A.8000EBE7%jon@callas.org>
In-Reply-To: <sjmllxqpb2g.fsf@kikki.mit.edu>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 5/1/03 3:16 PM, "Derek Atkins" <derek@ihtfp.com> wrote:

> 
> This is indeed part of what I was looking for.  Jon, what's the
> current status of the work on -08?

I have a number of changes done. What I have pending is some work
deprecating old stuff as we've discussed. We also need to break up the
references into normative and non-normative. Those are the big ones.

I am looking forward to having a place where issues can be stored.

    Jon



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MGNi2082169 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 15:16:23 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41MGNJh082167 for ietf-openpgp-bks; Thu, 1 May 2003 15:16:23 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41MGMi2082162 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 15:16:22 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h41MGOd3011326; Thu, 1 May 2003 18:16:24 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41MGNA2028024; Thu, 1 May 2003 18:16:23 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41MGNFJ026346; Thu, 1 May 2003 18:16:23 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id SAA22677; Thu, 1 May 2003 18:16:23 -0400 (EDT)
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: OpenPGP Administrivia
References: <sjmfznyshqc.fsf@kikki.mit.edu> <20030501215043.GB3020@jabberwocky.com>
Date: 01 May 2003 18:16:23 -0400
In-Reply-To: <20030501215043.GB3020@jabberwocky.com>
Message-ID: <sjmllxqpb2g.fsf@kikki.mit.edu>
Lines: 28
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

This is indeed part of what I was looking for.  Jon, what's the
current status of the work on -08?

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:
> 
> > However, one thing I am lacking is a list of open issues in the
> > existing work.  I'm hoping that John or Jon has a list so we can
> > seed the RT queue.  If all else fails I can go re-read the last
> > year's worth of email and try to glom out the open issues (but I
> > suspect many of the issues are older than that).  You can send
> > issues to the list, to me directly, or add them to the RT queue.
> 
> One thing that would be useful would be to know exactly where we stand
> now in 2440bis.  The last draft was bis-07 from March, but there have
> been a number of issues discussed since then, and it is not clear
> which were incorporated (or earmarked for later incorporation) into
> the draft.  A diff (or an 08) would be extremely helpful.
> 
> David

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41Lopi2081467 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 14:50:51 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41LopYT081466 for ietf-openpgp-bks; Thu, 1 May 2003 14:50:51 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41Loli2081456 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 14:50:50 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h41Loiq28455 for ietf-openpgp@imc.org; Thu, 1 May 2003 17:50:44 -0400
Date: Thu, 1 May 2003 17:50:44 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia
Message-ID: <20030501215043.GB3020@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <sjmfznyshqc.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmfznyshqc.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is New
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 01, 2003 at 01:24:11PM -0400, Derek Atkins wrote:

> However, one thing I am lacking is a list of open issues in the
> existing work.  I'm hoping that John or Jon has a list so we can
> seed the RT queue.  If all else fails I can go re-read the last
> year's worth of email and try to glom out the open issues (but I
> suspect many of the issues are older than that).  You can send
> issues to the list, to me directly, or add them to the RT queue.

One thing that would be useful would be to know exactly where we stand
now in 2440bis.  The last draft was bis-07 from March, but there have
been a number of issues discussed since then, and it is not clear
which were incorporated (or earmarked for later incorporation) into
the draft.  A diff (or an 08) would be extremely helpful.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc2 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+sZaz4mZch0nhy8kRAmAgAJ40ujuPgmaZ9NVXJu/uxyI5va1xpACfVNCm
Ig4T0ReP2r2otj4ER3vhJaI=
=5dlq
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41IWFi2074697 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 11:32:15 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41IWFfY074695 for ietf-openpgp-bks; Thu, 1 May 2003 11:32:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mailman.research.att.com (H-135-207-24-32.research.att.com [135.207.24.32]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41IWDi2074675 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 11:32:13 -0700 (PDT) (envelope-from smb@research.att.com)
Received: from bigmail.research.att.com (bigmail.research.att.com [135.207.30.101]) by mailman.research.att.com (8.12.8/8.12.8) with ESMTP id h41ITDZZ027959 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 14:29:23 -0400
Received: from berkshire.research.att.com (guard.research.att.com [135.207.1.20]) by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h41IVnV03810 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 14:31:49 -0400 (EDT)
Received: from research.att.com (localhost [127.0.0.1]) by berkshire.research.att.com (Postfix) with ESMTP id D7EAC7B4D for <ietf-openpgp@imc.org>; Thu,  1 May 2003 14:31:47 -0400 (EDT)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
From: "Steven M. Bellovin" <smb@research.att.com>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Administrivia 
In-Reply-To: Your message of "01 May 2003 13:53:05 EDT." <sjmu1cer1tq.fsf@kikki.mit.edu> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 01 May 2003 14:31:47 -0400
Message-Id: <20030501183148.D7EAC7B4D@berkshire.research.att.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

In message <sjmu1cer1tq.fsf@kikki.mit.edu>, Derek Atkins writes:
>
>A clueful member of the WG asked:
>
>> What is the username and password for the RT?
>
>Unfortunately I was just informed that the RT Queue is not completely
>set up for public access, yet.  I'm sorry for jumping the gun on
>publishing the URL.  I'll let you know the guest username/password
>when I find it out.  I'm an RT newbie myself and have never used it
>before, so I was unaware of the lack of prominent guest account.
>
>I'll be sure to mail out the info as soon as I find it.


To amplify what Derek said -- this is intended to be very open, but 
we're just not there yet.  The server was set up (literally) yesterday; 
we haven't finished configuring it yet.

My goal as AD is to make simple-to-use management tools available to 
all WG chairs.  We need to learn what functions are needed, and how 
best to use common tools.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HtGi2072544 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 10:55:16 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41HtGPh072543 for ietf-openpgp-bks; Thu, 1 May 2003 10:55:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HtEi2072537 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 10:55:15 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41HtFjf021528; Thu, 1 May 2003 13:55:15 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41Hr5J8023220; Thu, 1 May 2003 13:53:05 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41Hr5FJ014452; Thu, 1 May 2003 13:53:05 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id NAA22182; Thu, 1 May 2003 13:53:05 -0400 (EDT)
To: ietf-openpgp@imc.org
Cc: Derek Atkins <derek@ihtfp.com>
Subject: Re: OpenPGP Administrivia
References: <sjmfznyshqc.fsf@kikki.mit.edu> <ilusmrybm4q.fsf@latte.josefsson.org>
From: Derek Atkins <warlord@MIT.EDU>
Date: 01 May 2003 13:53:05 -0400
In-Reply-To: <ilusmrybm4q.fsf@latte.josefsson.org>
Message-ID: <sjmu1cer1tq.fsf@kikki.mit.edu>
Lines: 58
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

A clueful member of the WG asked:

> What is the username and password for the RT?

Unfortunately I was just informed that the RT Queue is not completely
set up for public access, yet.  I'm sorry for jumping the gun on
publishing the URL.  I'll let you know the guest username/password
when I find it out.  I'm an RT newbie myself and have never used it
before, so I was unaware of the lack of prominent guest account.

I'll be sure to mail out the info as soon as I find it.

-derek

> Derek Atkins <derek@ihtfp.com> writes:
> 
> > Hi,
> >
> > As was announced yesterday, I'm the new chair of OpenPGP.  My goals
> > (as somewhat explained to me by the ADs) are to finish up the existing
> > work and try to ramp down the WG.  This means finishing up all the
> > open issues, getting 2440bis out the door, and either shutting down
> > or rechartering based on what else is left to do.
> >
> > Another task that I've been asked is to use an online system to keep
> > track of all the open issues.  To further this end we've had an RT
> > Queue created at https://rt.psg.com/ to keep track of all the open
> > issues.  I'd like to try to use this system to make sure we don't lose
> > anything through the cracks.  However, I'm as new to this as you are,
> > so this is going to be a learning experience for all of us.  The ADs
> > have asked for me to write up the issues with using RT.
> >
> > However, one thing I am lacking is a list of open issues in the
> > existing work.  I'm hoping that John or Jon has a list so we can seed
> > the RT queue.  If all else fails I can go re-read the last year's
> > worth of email and try to glom out the open issues (but I suspect many
> > of the issues are older than that).  You can send issues to the list,
> > to me directly, or add them to the RT queue.
> >
> > Lastly, Vienna is coming up soon (well, soonish)...  If we're going to
> > meet I need to know if we have topics to discuss, and if so what they
> > are and how long it will take.  We still have plenty of time to request
> > a slot, but as always the early-bird gets the good slots ;)
> >
> > That's all for now, from your friendly neighborhood working-group chair.
> >
> > -derek
> >
> > -- 
> >        Derek Atkins
> >        Computer and Internet Security Consultant
> >        derek@ihtfp.com             www.ihtfp.com
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HOCi2071697 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 10:24:12 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41HOC4Y071696 for ietf-openpgp-bks; Thu, 1 May 2003 10:24:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41HOBi2071691 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 10:24:11 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41HOCm1006449 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 13:24:12 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41HOCmI017969 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 13:24:12 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41HOBFJ013134 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 13:24:11 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id NAA22112; Thu, 1 May 2003 13:24:11 -0400 (EDT)
To: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: OpenPGP Administrivia
Date: 01 May 2003 13:24:11 -0400
Message-ID: <sjmfznyshqc.fsf@kikki.mit.edu>
Lines: 36
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi,

As was announced yesterday, I'm the new chair of OpenPGP.  My goals
(as somewhat explained to me by the ADs) are to finish up the existing
work and try to ramp down the WG.  This means finishing up all the
open issues, getting 2440bis out the door, and either shutting down
or rechartering based on what else is left to do.

Another task that I've been asked is to use an online system to keep
track of all the open issues.  To further this end we've had an RT
Queue created at https://rt.psg.com/ to keep track of all the open
issues.  I'd like to try to use this system to make sure we don't lose
anything through the cracks.  However, I'm as new to this as you are,
so this is going to be a learning experience for all of us.  The ADs
have asked for me to write up the issues with using RT.

However, one thing I am lacking is a list of open issues in the
existing work.  I'm hoping that John or Jon has a list so we can seed
the RT queue.  If all else fails I can go re-read the last year's
worth of email and try to glom out the open issues (but I suspect many
of the issues are older than that).  You can send issues to the list,
to me directly, or add them to the RT queue.

Lastly, Vienna is coming up soon (well, soonish)...  If we're going to
meet I need to know if we have topics to discuss, and if so what they
are and how long it will take.  We still have plenty of time to request
a slot, but as always the early-bird gets the good slots ;)

That's all for now, from your friendly neighborhood working-group chair.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41GWji2070119 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 09:32:45 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41GWjlc070118 for ietf-openpgp-bks; Thu, 1 May 2003 09:32:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41GWii2070112 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 09:32:44 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41GWjm1012552; Thu, 1 May 2003 12:32:45 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h41GWimI010324; Thu, 1 May 2003 12:32:44 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h41GWiFJ010910; Thu, 1 May 2003 12:32:44 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id MAA22001; Thu, 1 May 2003 12:32:44 -0400 (EDT)
To: iang@systemics.com
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Low-level question about OpenPGP - why CFB mode?
References: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz> <3EB14346.1A3AF846@systemics.com>
Date: 01 May 2003 12:32:44 -0400
In-Reply-To: <3EB14346.1A3AF846@systemics.com>
Message-ID: <sjm1xzityoj.fsf@kikki.mit.edu>
Lines: 29
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Ian Grigg <iang@systemics.com> writes:

> In the spirit of improving the codability of
> OpenPGP, I'd suggest it be replaced with a
> standard textbook or FIPS mode.

<chair hat>

In the interest of finishing the OpenPGP work, I claim it is too late
in the process to make such a major change to the protocol in terms of
losing compatibility with all prior versions.  Having implemented this
non-FIPS mode, it is NOT that complicated, and the text we have that
describes it (indeed, the text in RFC 1991 that described it!) has never
been a hindrance to implementation.

The only questions have been "why do you do it this way?" which is not
IMHO a reasonable reason to force a change at this late date.  It may
be a reasonable reason to add text explaining why we do it this way,
or comparing it to the FIPS CFB mode, but that could go in an appendix
just as easily as it could go into the text.

</chair hat>

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41FuEi2069286 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 08:56:14 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h41FuE2W069285 for ietf-openpgp-bks; Thu, 1 May 2003 08:56:14 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h41FuDi2069280 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 08:56:13 -0700 (PDT) (envelope-from iang@systemics.com)
Received: from systemics.com (guderian.cryptohill.net [24.244.145.14]) by mx1.cryptohill.net (Postfix) with ESMTP id 337321C890; Thu,  1 May 2003 11:56:14 -0400 (EDT)
Message-ID: <3EB14346.1A3AF846@systemics.com>
Date: Thu, 01 May 2003 11:54:46 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-openpgp@imc.org
Subject: Re: Low-level question about OpenPGP - why CFB mode?
References: <200305010418.h414IlM07649@medusa01.cs.auckland.ac.nz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Peter Gutmann wrote:
> 
> "Hal Finney" <hal@finney.org> writes:
> 
> >I think this may have been the reason that Phil chose CFB.  As for the non-
> >standard "sync" operation, I don't remember why he did that. Probably it just
> >seemed to be a natural way of handling CFB given his understanding of its
> >rationale in terms of the way it interfaced with the underlying cipher.
> 
> I believe it was an implementation bug/quirk, not a deliberate design
> decision.

I had heard that it was an attempt to make it
"more secure", like the salting of the Unix
password (DES) :-)

Either way, there appears
to be no justification for continuing its use,
and a good reason for deprecating it:  it is
rather complex to document and program up, this
conversation about the munged CFB mode has been
had many times in the past (here and elsewhere)
and will be had many times in the future.

In the spirit of improving the codability of
OpenPGP, I'd suggest it be replaced with a
standard textbook or FIPS mode.

(Not in the current version of course, but at
the next convenient moment.)

-- 
iang


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h417G7i2023207 for <ietf-openpgp-bks@above.proper.com>; Thu, 1 May 2003 00:16:07 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.8p1/8.12.9/Submit) id h417G7Cx023206 for ietf-openpgp-bks; Thu, 1 May 2003 00:16:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from hermes.cs.auckland.ac.nz (hermes.cs.auckland.ac.nz [130.216.35.151]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h417G5i2023174 for <ietf-openpgp@imc.org>; Thu, 1 May 2003 00:16:06 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by hermes.cs.auckland.ac.nz (8.12.9/8.12.9) with ESMTP id h417FdMB029828; Thu, 1 May 2003 19:15:39 +1200
Received: (from pgut001@localhost) by medusa01.cs.auckland.ac.nz (8.11.6/8.11.6) id h417FdB08293; Thu, 1 May 2003 19:15:39 +1200
Date: Thu, 1 May 2003 19:15:39 +1200
Message-Id: <200305010715.h417FdB08293@medusa01.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: adam@cypherspace.org, pgut001@cs.auckland.ac.nz
Subject: Re: Low-level question about OpenPGP - why CFB mode?
Cc: hal@finney.org, ietf-openpgp@imc.org, john.dlugosz@kodak.com
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Adam Back <adam@cypherspace.org> writes:

>On use of CFB instead of CBC, I think this is actually good because it avoids
>the whole padding issue which people frequently get wrong with bad security
>implications.  Plus it's simpler to not have to pad. Error recovery is a
>phantom property, as in no mode is it secure.

PKCS #5 padding is trivial to get right, any minor gains are more than made up
for by the painful and clunky pseudo-IV handling, particularly since most
crypto implementations have an "IV, data, go"-type interface which requires
error-prone manual handling of the pseudo-IV.

Peter.
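
The mode the thread keeps circling (Ian Grigg's "munged CFB", Derek Atkins's
"non-FIPS mode", Peter Gutmann's "pseudo-IV handling") is small enough to show
in full, so here is an added example, written for this archive page and not
taken from the thread or from any OpenPGP implementation. It implements the
RFC 2440 section 12.8 procedure (zero IV, random prefix block, two repeated
check bytes, resync) beside textbook CFB, and demonstrates the trick an
implementer uses with an "IV, data, go" library: decrypt the bs+2 byte head by
hand, then call stock CFB with IV = ciphertext[2:bs+2] over the rest. The block
cipher is a stand-in (a keyed PRF truncated to the block size; CFB only ever
runs the cipher forward, so this behaves like a 16-byte-block cipher for the
mode), and the key, prefix and plaintext are constructed test values; both are
assumptions made so the file runs on the standard library alone.

```python
"""OpenPGP CFB (RFC 2440 sec. 12.8) beside textbook CFB. Added example for
this thread, not code from any OpenPGP implementation. CFB only runs the
block cipher forward, so a keyed PRF truncated to the block size stands in
for AES (assumption, so the file runs on the standard library alone)."""
import hashlib
import hmac
import os

BLOCK = 16  # assumed block size; OpenPGP feeds back a full block


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(block). Replace with AES-ECB on one block for real use."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook full-block CFB, the "IV, data, go" interface of most libraries.
    A short final chunk is XORed with a truncated keystream, so no padding."""
    fr, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_encrypt(key, fr))
        out += c
        fr = c                       # ciphertext feeds back
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    fr, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(c, block_encrypt(key, fr))
        fr = c
    return bytes(out)


def openpgp_cfb_encrypt(key: bytes, plaintext: bytes, prefix: bytes = None) -> bytes:
    """RFC 2440 12.8: zero IV, random prefix block, two repeated check
    bytes, then the resync the thread is arguing about."""
    if prefix is None:
        prefix = os.urandom(BLOCK)
    assert len(prefix) == BLOCK
    # Steps 1-3: FR is all zeros; encrypt the random prefix with it.
    c_prefix = xor(prefix, block_encrypt(key, bytes(BLOCK)))
    # Steps 4-6: FR = C[0..bs-1]; emit two bytes that repeat prefix[-2:],
    # the "quick check" a decryptor uses to spot a wrong session key.
    c_check = xor(prefix[BLOCK - 2:], block_encrypt(key, c_prefix)[:2])
    head = c_prefix + c_check        # bs + 2 bytes of ciphertext so far
    # Step 7, the resync: FR is reloaded with C[2..bs+1], the last bs bytes
    # emitted, and the bs-2 unused keystream bytes are thrown away.
    fr = head[2:BLOCK + 2]
    # Steps 8 onward: ordinary CFB over the real plaintext.
    return head + cfb_encrypt(key, fr, plaintext)


def openpgp_cfb_decrypt(key: bytes, ciphertext: bytes):
    """Returns (quick_check_ok, plaintext)."""
    if len(ciphertext) < BLOCK + 2:
        raise ValueError("ciphertext shorter than the bs+2 byte prefix")
    c_prefix = ciphertext[:BLOCK]
    prefix = xor(c_prefix, block_encrypt(key, bytes(BLOCK)))
    check = xor(ciphertext[BLOCK:BLOCK + 2], block_encrypt(key, c_prefix)[:2])
    ok = hmac.compare_digest(check, prefix[BLOCK - 2:])
    # Resync exactly as the encryptor did, then plain CFB for the body.
    body = cfb_decrypt(key, ciphertext[2:BLOCK + 2], ciphertext[BLOCK + 2:])
    return ok, body


# Constructed, deterministic inputs so the run is reproducible; real
# encryption must draw the prefix from os.urandom as the default does.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PREFIX = bytes(range(0x10, 0x20))
PLAINTEXT = b"Attack at dawn, not at noon."   # 28 bytes: a full block plus a 12-byte tail


def demo() -> dict:
    ct = openpgp_cfb_encrypt(KEY, PLAINTEXT, PREFIX)
    ok, pt = openpgp_cfb_decrypt(KEY, ct)
    # The trick for an "IV, data, go" library: decrypt the bs+2 byte head
    # by hand, then hand the library IV = ct[2:bs+2] and the rest as data.
    via_library = cfb_decrypt(KEY, ct[2:BLOCK + 2], ct[BLOCK + 2:])
    # Feeding the whole packet to stock CFB with the zero IV instead
    # recovers the prefix and then diverges at the resync point.
    naive = cfb_decrypt(KEY, bytes(BLOCK), ct)
    return {
        "roundtrip_ok": ok and pt == PLAINTEXT,
        "library_body_ok": via_library == PLAINTEXT,
        "naive_prefix_ok": naive[:BLOCK] == PREFIX,
        "naive_body_ok": naive[BLOCK + 2:] == PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

The same code serves the 8-byte ciphers (IDEA, CAST5, 3DES) with BLOCK set to
8; the head is always bs+2 bytes and the body needs no padding, which is the
property Adam Back was pointing at. Two caveats a practitioner wants: the two
repeated bytes only catch a wrong key, they are not an integrity check, and an
implementation that reports the quick-check result to the sender before it
has finished (or at all) hands out a decryption oracle (Mister and Zuccherato,
2005); the later RFC 4880 security considerations discuss this and steer
implementations toward the MDC packet instead.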

