OpenPGP WG Interim 2025-02-10

Note takers:

- Stavros Kousidis ('till last agenda item)
- Andrew Gallagher, Stephen Farrell (for last agenda item)

Agenda:

• Administrivia
• Post-Quantum Cryptography
  https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/
• Key Replacement
  https://datatracker.ietf.org/doc/draft-ietf-openpgp-replacementkey/
• Persistent Symmetric Keys
  https://datatracker.ietf.org/doc/draft-ietf-openpgp-persistent-symmetric-keys/
• AOB

Meeting Notes

PQC draft

• Seed key format: seems all APIs will still work for seed so we're ok
• Justus Winter questions "key selection strategies", i.e. section 8.1
  of the draft "if there is a pqc subkey prefer this over
  traditional": Selection strategies should be dropped and the text
  should rather summarize facts -> will open an issue/PR (dkg will
  create an issue in the repo)
• Stephen Farrell asks if eIf a replacement certificate has been
  validated, whether through key equivalence or other means,
  correspondents SHOULD assign it preference over the current
  certificate. When a correspondent of the key owner selects subkeys
  for encryption, the subkeys in the replacement certificate SHOULD
  therefore be considered first. If there are no usable subkeys in the
  replacement certificate, then:

If there is an equivalence binding, the subkeys in the first listed
original certificate SHOULD be considered next. If none of those are
usable, then the subkeys in the next original certificate (if any)
SHOULD be considered, and so forth.

If there is no equivalence binding, the subkeys in the current
certificate SHOULD be used.
When encrypting to herself, the key owner is not required to use the
same encryption subkey selection algorithm as her
correspondents.verybody is ok to start WGLC: we are ready to go WGLC

Key replacement draft

• Make fallback encryption optional?

  • Andrew: Nice to have, if you set a replacement key also
    set a designated revocer, more practical advice right now "store
    a revocation certificate"
  • Daniel: not really necessary
  • Andrew: Rather not specify revocation mechanisms in this draft
  • dkg: Want simple that works vor v4/v6 transition and pqc
    transition
  • Justus: Do not make a decision now, but first consider key
    selection
  • Question: Option 0 versus the others? (Yes for options 1,2,3,
    and No for option 0) Result 10 people voting, 3 yes, 4 no, 3 no
    opinion.
  • Result: More discussion required, take it to the list.
  • Justus prefers to discuss OpenPGP trust models before committing
    to a specific solution in this draft

• Discussion and "trust models" and "encryption subkey selection"

  • dkg: draft is a useful contribution that presents a building
    block in a more general discussion about trust models
  • Andrew asks Justus to take his comments to the issue tracker

Persistent symmetric keys

• Justus: consider alg ranges that are powers of 2 (wrt slide 3),
  Daniel: can do, might wanna do same elsewhere (where things still in
  play)
• Andrew: maybe expand private experimental range more generally?
  Daniel: will look
• Justus: is there an issue with managing key material where some
  public metadata is required, similar to ECC smartcard issue? dkg:
  given the public key material, can I reliably find the matching
  secret key material on e.g. a card? Daniel: best way is to store
  both the public and secret key material together in the hardware,
  unclear how widely supported this would be.
• Falko: you could encrypt a known block to see if it produces the
  correct result, but doesn't scale well.
• Daniel: but this could help an attacker find collisions, Similar
  to exposing a hash of the secret key,
• DKG: maybe do nothing and say why in sec cons?
• Authors may ask for WGLC after PQC thing WGLC'd

IETF 122

Both chairs will be remote for this one, but we'll have a session. If
you're going to attend in-person, please let the chairs know so we can
arrange someone to be at the front of the room in case some button needs
to be hit.