Minutes for OPENPGP at IETF-94
minutes-94-openpgp-1

WG:                     Open Specification for Pretty Good Privacy (openpgp)
Meeting:                IETF 93, Yokohama
Location:               Pacifico Yokohama Rooms 411/412
Date:                   3 November 2015
Time:                   17:10-18:40 JST
Chairs:                 Daniel Kahn Gillmor
                        Christopher LILJENSTOLPE
Minutes:                Rich Salz

- Agenda Bashing, Blue Sheets, etc (10 min)
No changes.

  - Call for an editor for 4880bis
Werner Koch volunteer (GPG lead developer)
Plan is to use git, markdown
Poll: email vs gitlab, evenly split; will take to the list.
Timing? Not yet considered; -00 and -01 that incorporate errata and ECC within
a week or two. Maybe a year? Sense of the room?  No consensus. Need to complete
before CEASAR completes, will update if necessary.

  - SEIPD -> SED attack : followup?
Magazinius pointed out you can convert symmetrically-encrypted
integrity-protected data (SEIPD) to symmetrically-encrypted data (SED) without
decrypting.  How to deprecate SED? We can say MUST NOT generate, but what about
decrypting old stored SED data?  Bryan: do we know of any ciphers that were
only ever used with SEIPD? Will follow-up on the mailing list.

- General issue of deprecration for stored data?  Possibilities (? Marks
possibly-controversial)
        MD5; SHA1?; RIPE-MD
        IDEA; 3DES?; CAST5?; Blowfish?  Twofish?
        DSA? Size limits on RSA? NIST ECC? ElGamal?
What does deprecation mean?  Perhaps just encryption? Also decrypt if the
content is known/believed to be not old Is signature verification different?
There are several usability issues around this; we need to be careful.
Consensus is not to create new content with deprecated algorithms. Perhaps
address general issue of "what to do with old stuff"? And maybe answer is "lose
it" Stephen Farrell: Suggest reframe question as "everything deprecated unless
shown that need to generate ones using old mechanism" Discussion of how
appropriate to put UI items in a protocol/data-format spec. Strong consensus to
start with everything removed, and then add the ones we want.

  - Fingerprint conclusion
        One format, or multiple
        Choice of digest?
        Truncation allowed?
        What is digested (creation, expiration times)?
        Distinguish v5 from v4?
        UI/UX guidance for implementers?
Hum on formats;
 * only one fingerprint format for a given key
It's possible that we might want distinct formats for different key types.
 Bryan Ford suggests that we might want stronger fingerprints for stronger key
 formats (e.g. Ed448 keys might have stronger hashes than Ed25519 keys?)
 Christian Huitema suggests that we might be able to make stronger fingerprint
 formats in the future, for example with proof of work or
   Please come to list with concrete suggestions; no opinions on room.
   Having a concrete strawman proposal would be useful to get conclusions.

 - Symmetric crypto (Bryan Ford), draft-ford-openpgp-format  See slides in the
 proceedings.
Consensus to use a new packet type for AEAD-protected
FYI: Rogaway agrees to waive OCB patent for PGP (perhaps might not be
sufficient) Lots of information exposed by plaintext metadata
        Magic number -- this is an openpgp file, so its suspicious
        Cipher -- is it worth trying to crack (e.g., is it rc4 :)
        Passphrase: worth trying a password cracker
        Recipient key-id's: where to point the rubber hose?
        # of recipients: aha, it's *that* group of dissidents?
 Should we aim to protect it all (at cost of "trial" encryptions)?
Consider some padding mechanisms.

  - S2K (key derivation)
    - from https://password-hashing.net/ use Argon2i (constant time)
  Proposal by dkg: ask for early allocation; Stephen says wait for Simon's
  draft to appear to shake out any possible IPR issues.

 - Registry policies
To be mentioned on list