IETF
openpgp
openpgp@jabber.ietf.org
Thursday, March 11, 2021
sftcd-pidgin has set the subject to: OpenPGP Interim - 20210226

GMT+0
[08:12:52] gniibe joins the room
[08:39:36] gniibe leaves the room
[10:09:06] gniibe joins the room
[14:17:25] Meetecho joins the room
[14:20:03] Paul Wouters_web_611 joins the room
[14:20:03] Quynh Dang_web_803 joins the room
[14:20:03] Phillip Hallam-Baker_web_501 joins the room
[14:20:03] Chris Lemmons_web_472 joins the room
[14:20:03] Daniel Gillmor_web_580 joins the room
[14:20:03] Stephen Farrell_web_102 joins the room
[14:20:03] Sylvain Besençon_web_609 joins the room
[14:20:03] Alessandro Toppi_web_938 joins the room
[14:21:20] Justus Winter_web_311 joins the room
[14:21:49] Stavros Kousidis_web_162 joins the room
[14:22:04] dkg joins the room
[14:22:29] dkg has set the subject to: OpenPGP @ IETF 110
[14:23:04] Natalie Ennis_web_876 joins the room
[14:23:18] Kenny Paterson_web_559 joins the room
[14:23:20] <Phillip Hallam-Baker_web_501> I can hear
[14:23:40] Daniel Gillmor_web_580 leaves the room
[14:23:41] <Justus Winter_web_311> :/
[14:23:43] <Justus Winter_web_311> i'm not
[14:23:43] Daniel Gillmor_web_713 joins the room
[14:23:52] Randy Bush_web_845 joins the room
[14:24:16] Justus Winter_web_311 leaves the room
[14:24:20] Justus Winter_web_645 joins the room
[14:24:40] Jonathan Hoyland_web_831 joins the room
[14:24:50] Meetecho leaves the room
[14:25:09] g新部 裕_web_749 joins the room
[14:25:14] Yoav Nir_web_352 joins the room
[14:25:18] <Justus Winter_web_645> nooo
[14:25:29] Stephen Farrell_web_102 leaves the room
[14:25:35] Stephen Farrell_web_228 joins the room
[14:25:48] Bernie joins the room
[14:25:49] <dkg> on the plus side, it'll make the presentation go really fast if there's no audio :P
[14:25:59] Yoav Nir_web_352 leaves the room
[14:26:04] Yoav Nir_web_637 joins the room
[14:26:26] Tom Harrison_web_407 joins the room
[14:26:41] Justus Winter_web_645 leaves the room
[14:26:45] Justus Winter_web_956 joins the room
[14:26:58] <sftcd> hi we're still looking for a note taker (and won't start 'till we get one) - any volunteers?
[14:27:06] Daiki Ueno_web_417 joins the room
[14:27:08] Meetecho joins the room
[14:27:26] Justus Winter_web_956 leaves the room
[14:27:31] Justus Winter_web_806 joins the room
[14:27:42] <dkg> note-taking happens here: https://codimd.ietf.org/notes-ietf-110-openpgp
[14:27:55] <sftcd> it's very easy:-)
[14:28:01] Karen Staley_web_135 joins the room
[14:28:03] Wei Pan_web_451 joins the room
[14:28:05] Mike Boyle_web_260 joins the room
[14:28:06] <Yoav Nir_web_637> I guess I can do it
[14:28:06] Jonathan Hammell_web_165 joins the room
[14:28:11] Justus Winter_web_806 leaves the room
[14:28:14] Justus Winter_web_306 joins the room
[14:28:26] Adam Montville_web_971 joins the room
[14:28:28] Lara Bruseghini_web_776 joins the room
[14:28:29] Justus Winter_web_306 leaves the room
[14:28:46] <sftcd> thanks Yoav!
[14:28:46] Daniel Huigens_web_605 joins the room
[14:28:53] Justus Winter_web_173 joins the room
[14:29:03] Bernie Hoeneisen_web_655 joins the room
[14:29:28] Rebecca Guthrie_web_292 joins the room
[14:29:57] Tadahiko Ito_web_247 joins the room
[14:30:02] Steve Olshansky_web_907 joins the room
[14:30:24] Benjamin Kaduk_web_235 joins the room
[14:30:48] Peter Yee_web_585 joins the room
[14:30:49] kaduk@jabber.org/barnowl joins the room
[14:31:02] Kristina Yasuda_web_847 joins the room
[14:31:04] Robin Wilton_web_187 joins the room
[14:31:11] Kris Shrishak_web_703 joins the room
[14:31:24] Bill Munyan_web_845 joins the room
[14:31:44] <Paul Wouters_web_611> I am talking today? :)
[14:31:44] Anthony Faust_web_255 joins the room
[14:32:00] <sftcd> a bit:-)
[14:32:07] <Paul Wouters_web_611> ok :)
[14:32:08] Hernâni Marques_web_194 joins the room
[14:33:07] Alessandro Toppi_web_938 leaves the room
[14:33:12] Alessandro Toppi_web_735 joins the room
[14:33:46] ángel joins the room
[14:34:00] <Yoav Nir_web_637> I haven't followed this group in the past. It's weird that in 2021 we have a "crypto refresh" draft with a list of algorithms (at least the symmetric ones) that looks like IPsec in 2000.
[14:34:22] <kaduk@jabber.org/barnowl> Don't look at what they're replacing, then :)
[14:34:24] <sftcd> life's weird:-) it'll get more modern
[14:34:39] Valery Smyslov_web_548 joins the room
[14:34:43] <Yoav Nir_web_637> TripleDES is MUST
[14:35:16] Maximilian Nitsch_web_877 joins the room
[14:35:32] <Paul Wouters_web_611> rfcdiff is your friend to compare those 3 documents
[14:35:44] Ángel González_web_159 joins the room
[14:36:38] <Paul Wouters_web_611> yoav: perhaps in the future we can do the same as dnssec. make a difference between verifying/decrypting and encrypting/signing algorithms
[14:37:26] Mallory Knodel_web_965 joins the room
[14:37:55] Carl Mehner_web_720 joins the room
[14:38:04] Kirsty Paine_web_566 joins the room
[14:38:12] Joseph Salowey_web_185 joins the room
[14:38:41] Anthony Faust_web_255 leaves the room
[14:39:00] Anthony Faust_web_233 joins the room
[14:39:09] <kaduk@jabber.org/barnowl> This talk makes me feel better about how we always passed around the krbcore-security keys in unicast pgp-encrypted mail and did not rely on just the passphrase on the key
[14:39:50] <dkg> kaduk@jabber.org/barnowl: belt *and* suspenders ++
[14:40:02] Maximilian Nitsch_web_877 leaves the room
[14:40:08] Maximilian Nitsch_web_913 joins the room
[14:42:21] Chris Lemmons_web_472 leaves the room
[14:42:24] Rebecca Guthrie_web_292 leaves the room
[14:42:27] Chris Lemmons_web_403 joins the room
[14:42:29] Rebecca Guthrie_web_417 joins the room
[14:46:09] <Phillip Hallam-Baker_web_501> I can see the attack on RSA, but Ed448 keys are inputs to a hash from which a private key is derived...
[14:46:16] <Phillip Hallam-Baker_web_501> What am I missing?
[14:46:30] <Robin Wilton_web_187> Does anyone here remember IBM's "control vectors" for symmetric keys?
[14:46:54] <dkg> Phillip Hallam-Baker_web_501: the private keys are not tampered with in this attack
[14:47:02] <dkg> the public keys are tampered with
[14:47:05] <kaduk@jabber.org/barnowl> How does the "expensive to validate" compare to the initial effort for key generation?
[14:47:28] <Kenny Paterson_web_559> Significantly higher.
[14:47:36] <Phillip Hallam-Baker_web_501> @dkg, ah... I don't store those in my key format.
[14:47:52] <dkg> Phillip Hallam-Baker_web_501: how do you get them?
[14:48:08] <Kenny Paterson_web_559> You have to check there are no elements of small order, for some definition of small tuned to your security bound. Nasty.
[14:48:37] <dkg> Kenny Paterson_web_559: so if the private key is maintained, could you just derive the pubkey from the secret key and ignore the pubkey found on disk instead?
[14:49:07] <Kenny Paterson_web_559> Depends, it's scheme-specific.
[14:49:54] <kaduk@jabber.org/barnowl> Thanks Kenny!
[14:51:09] <Kenny Paterson_web_559> To expand on Lara's answer: we did responsible disclosure.
[14:51:47] <Phillip Hallam-Baker_web_501> @dkg, I use a KDF to derive the seeds for the signature, encryption and authentication keys from the device seed. Then threshold combine them with the keys generated from the activation record from the admin device. Then check the fingerprints match those in the connection record.
[14:52:08] <Paul Wouters_web_611> more volume would be nice
[14:52:13] Kenny Paterson_web_559 leaves the room
[14:52:32] <Paul Wouters_web_611> yes
[14:52:45] Kenny Paterson_web_656 joins the room
[14:55:07] <Robin Wilton_web_187> Thanks Lara - excellent work, really clearly explained!
[14:55:58] <Kenny Paterson_web_656> @dkg: you can recover public key from private key in the case of RSA, but not for ElGamal, etc, where there are "more parameters" than are determined by the private key alone, e.g. generator for group, prime p, etc.
[14:56:11] <dkg> Kenny Paterson_web_656: makes sense, thanks.
[14:56:33] <dkg> EdDSA and Ed448 seem like you could also do the derivation
[14:56:34] Mike Boyle_web_260 leaves the room
[14:57:10] <dkg> (though i wonder about changing the public identification of which algo the key actually is)
[14:57:16] <Stavros Kousidis_web_162> Can you recover e in RSA just from p,q,d? There are a lot of e's possible.
[14:57:39] <sftcd> e=65537 is a good guess:-)
[14:57:41] <Paul Wouters_web_611> isn't e usually 3 or 65535 ?
[14:57:47] <Paul Wouters_web_611> yeah that one :)
[14:57:55] <Stavros Kousidis_web_162> that's a choice, is it always fixed to this?
[14:58:11] <Lara Bruseghini_web_776> you can recover e uniquely with those parameters, yes
[14:58:30] <Kenny Paterson_web_656> Yes, for RSA you can reconstruct pub_key from priv_key. But we think an algorithm-agnostic approach to fixing the issues is better.
[14:58:41] <Stavros Kousidis_web_162> of course
[14:59:24] Jonathan Hammell_web_165 leaves the room
[14:59:28] Jonathan Hammell_web_966 joins the room
[14:59:44] <Kenny Paterson_web_656> @stavros, given d, p, q, e is uniquely determined as the solution to the equation de = 1 mod (p-1)(q-1); the only exception is when d is not coprime to p-1 or q-1, but such keys are not valid RSA private keys anyway.
[15:00:00] <dkg> for the record, dkgpg is not my implementation -- it's "distributed key gnu privacy guard"
[15:00:10] <Kenny Paterson_web_656> Sorry, given d, p, q, the value of e is uniquely determined, etc.
[15:00:15] <Paul Wouters_web_611> i was wondering why you made your own :)
[15:00:24] <kaduk@jabber.org/barnowl> dkg: oops, I definitely made that assumption
[15:00:28] <dkg> and named it after myself?  i'm no linus :P
[15:00:46] Wei Pan_web_451 leaves the room
[15:00:46] <sftcd> worked for CBOR:-)
[15:01:49] <Robin Wilton_web_187> lol
[15:01:59] Kristina Yasuda_web_847 leaves the room
[15:03:13] <Tadahiko Ito_web_247> some implementations store only d and n as the private key, some implementations store d, p, q, n. I am wondering which would be better practice.
[15:03:49] Rebecca Guthrie_web_417 leaves the room
[15:03:52] Rebecca Guthrie_web_114 joins the room
[15:05:02] <Yoav Nir_web_637> Since you don't need p and q once you've generated d and n, it's better not to store them.  But that's just hygiene. If d leaks, it's as bad as p and q leaking.
[15:05:24] <Kenny Paterson_web_656> Indeed. And keeping p, q around allows you to use CRT tricks to speed up decryption/signing.
[15:05:34] <sftcd> Don't most store CRT values too?
[15:06:22] Tom Harrison_web_407 leaves the room
[15:06:23] <Yoav Nir_web_637> I think they're generated in memory rather than stored.
[15:06:29] Tom Harrison_web_349 joins the room
[15:06:48] <Yoav Nir_web_637> (at least, that's what we did)
[15:08:25] <sftcd> if people have questions/comments jump in the line now
[15:09:58] <sftcd> thanks justus - good work!
[15:10:07] <dkg> Justus Winter_web_173: thank you!  this is a huge ongoing contribution
[15:14:55] Geng-Da Tsai_web_210 joins the room
[15:15:11] Geng-Da Tsai_web_210 leaves the room
[15:15:16] Adam Montville_web_971 leaves the room
[15:15:21] Adam Montville_web_889 joins the room
[15:18:23] <kaduk@jabber.org/barnowl> I've become pretty convinced that (in general, going forward) when representing keys we should just have a declared key length (possibly determined by the algorithm, possibly variable) and otherwise treat the key as a blob of the corresponding length, and not expose any internal encoding of the blob in how we interact with the key outside the actual cryptographic algorithm implementation.
[15:18:51] <sftcd> +1 (based on recent openssl experience:-)
[15:19:51] <kaduk@jabber.org/barnowl> sftcd: so you're signing up to convince NIST to take this path? ;)
[15:20:29] <sftcd> me and "convince NIST" aren't things often in proximity
[15:20:49] <dkg> kaduk@jabber.org/barnowl: i agree, and that's *almost* what gniibe is proposing here
[15:21:06] <kaduk@jabber.org/barnowl> Agreed
[15:21:22] <dkg> gniibe's slides offer an explanation of why he's not going quite that far, though (in the "alternatives" section at the end)
[15:21:24] <kaduk@jabber.org/barnowl> The last (?) slide [of the deck] has a pretty good summary of the options
[15:21:58] <ángel> +1
[15:22:00] <ángel> I think there should always be a key length value, so that an implementation not supporting it could treat that as an opaque blob, although some algorithms MUST reject any key not of their fixed length
[15:23:37] <kaduk@jabber.org/barnowl> (note: not the last slide of the deck, now that I check)
[15:24:34] <Phillip Hallam-Baker_web_501> https://tools.ietf.org/id/draft-hallambaker-mesh-udf-12.html
[15:24:42] <Phillip Hallam-Baker_web_501> A different way to do this
[15:24:54] <kaduk@jabber.org/barnowl> Alternative 3 ("just an octet string") with new codepoints for EdDSA-JOS and ECDH-JOS is pretty appealing in the abstract, but I don't have a great sense for how much of a legacy headache the existing implementations will be and how long of a tail we will have. Though, I suspect we basically would not be able to actually get rid of the existing stuff...
[15:25:21] <dkg> kaduk@jabber.org/barnowl: yeah, i don't think you could get rid of the legacy stuff, and it'd just be duplicative work :(
[15:25:53] Ángel González_web_159 leaves the room
[15:26:10] Ángel González_web_806 joins the room
[15:27:11] Kirsty Paine_web_566 leaves the room
[15:27:30] Kirsty Paine_web_950 joins the room
[15:27:34] Kirsty Paine_web_950 leaves the room
[15:27:40] <kaduk@jabber.org/barnowl> UDF seems like a nice thing you can use for new stuff, but has no possibility of backwards compatibility with existing openpgp stuff
[15:27:47] Cigdem Sengul_web_823 joins the room
[15:27:53] Kirsty Paine_web_216 joins the room
[15:28:16] Daniel Gillmor_web_713 leaves the room
[15:28:24] Daniel Gillmor_web_538 joins the room
[15:28:26] Kirsty Paine_web_216 leaves the room
[15:28:55] <Phillip Hallam-Baker_web_501> @kaduk, that depends on how you are managing your OpenPGP keys:-)
[15:29:06] <sftcd> last topic we wanna touch on is how-many-interims so consider that if you'd take part
[15:29:28] <Phillip Hallam-Baker_web_501> @kaduk, if you are using the Mesh to manage your private keys across devices, this is just how the Mesh app is pushing private keys into the OpenPGP app
[15:29:41] <kaduk@jabber.org/barnowl> Phill: agreed
[15:30:17] Rebecca Guthrie_web_114 leaves the room
[15:30:19] maximilian.nitsch joins the room
[15:30:36] <Phillip Hallam-Baker_web_501> @kaduk, if your application wants to use per device keys that are threshold bound to the device, the Mesh is currently how you would do it
[15:31:14] Yoav Nir_web_637 leaves the room
[15:31:20] Yoav Nir_web_298 joins the room
[15:31:21] Mallory Knodel_web_965 leaves the room
[15:31:22] Kenny Paterson_web_656 leaves the room
[15:31:25] Peter Yee_web_585 leaves the room
[15:31:25] Jonathan Hammell_web_966 leaves the room
[15:31:26] Paul Wouters_web_611 leaves the room
[15:31:27] Chris Lemmons_web_403 leaves the room
[15:31:27] Adam Montville_web_889 leaves the room
[15:31:28] Randy Bush_web_845 leaves the room
[15:31:29] Tom Harrison_web_349 leaves the room
[15:31:32] <ángel> see you!
[15:31:33] Natalie Ennis_web_876 leaves the room
[15:31:34] Daniel Huigens_web_605 leaves the room
[15:31:34] Steve Olshansky_web_907 leaves the room
[15:31:34] Benjamin Kaduk_web_235 leaves the room
[15:31:35] Daiki Ueno_web_417 leaves the room
[15:31:35] g新部 裕_web_749 leaves the room
[15:31:36] Joseph Salowey_web_185 leaves the room
[15:31:37] Kris Shrishak_web_703 leaves the room
[15:31:38] Carl Mehner_web_720 leaves the room
[15:31:39] Stavros Kousidis_web_162 leaves the room
[15:31:41] <sftcd> thanks all
[15:31:43] Justus Winter_web_173 leaves the room
[15:31:44] Cigdem Sengul_web_823 leaves the room
[15:31:45] Bill Munyan_web_845 leaves the room
[15:31:46] Sylvain Besençon_web_609 leaves the room
[15:31:47] Hernâni Marques_web_194 leaves the room
[15:31:56] Lara Bruseghini_web_776 leaves the room
[15:32:03] Tadahiko Ito_web_247 leaves the room
[15:32:08] <gniibe> Thank you all. Thanks to dkg for slides and much help.
[15:32:20] Quynh Dang_web_803 leaves the room
[15:32:20] Phillip Hallam-Baker_web_501 leaves the room
[15:32:20] Jonathan Hoyland_web_831 leaves the room
[15:32:20] Stephen Farrell_web_228 leaves the room
[15:32:20] Karen Staley_web_135 leaves the room
[15:32:20] Bernie Hoeneisen_web_655 leaves the room
[15:32:20] Robin Wilton_web_187 leaves the room
[15:32:20] Alessandro Toppi_web_735 leaves the room
[15:32:20] Valery Smyslov_web_548 leaves the room
[15:32:20] Anthony Faust_web_233 leaves the room
[15:32:20] Maximilian Nitsch_web_913 leaves the room
[15:32:20] Ángel González_web_806 leaves the room
[15:32:20] Daniel Gillmor_web_538 leaves the room
[15:32:20] Yoav Nir_web_298 leaves the room
[15:33:02] <sftcd> and thanks Yoav for notes
[15:36:15] maximilian.nitsch leaves the room
[15:37:39] Meetecho leaves the room
[16:02:41] kaduk@jabber.org/barnowl leaves the room
[16:08:09] Bernie leaves the room
[17:06:37] ángel leaves the room
[18:08:21] gniibe leaves the room
[19:55:14] dkg leaves the room