Markdown Version | Session Recording

Session Date/Time: 26 Feb 2024 15:00

OPENPGP

Summary

This informal sync-up meeting primarily focused on preparing for the OPENPGP Working Group session at IETF 119. Key discussions revolved around the status of the post-quantum (PQ) draft, structuring the IETF 119 agenda, the potential for splitting the PQ document, the complex state of KEM combiner discussions, and the debate surrounding the binding of post-quantum algorithms to OpenPGP V4 versus V6 keys. Several action items were identified, including submitting a revised draft, preparing presentations, and initiating further mailing list discussions.

Key Discussion Points

• IETF 119 Session Planning:

  • The OPENPGP session at IETF 119 is scheduled for Wednesday, the first morning session (23:30 UTC).
  • The chairs will send out a call for agenda items to the mailing list, with the main focus being post-quantum work.
  • Stephen will be physically present, dkg will be remote, and Michael indicated physical presence. Remote presenters were asked to consider making slides more verbose in case of technical difficulties.
  • The session has a two-hour slot available. Presenters were requested to submit slides early, even if they are preliminary, to aid preparation and review.

• Post-Quantum Work - Agenda Structure:

  • The primary agenda item for IETF 119 will be the post-quantum draft.
  • A proposed structure for the discussion included: Key Encapsulation Mechanisms (KEMs), KEM combiners, and then signatures. This order aims to keep KEM-related topics together.
  • The group considered if there were other post-quantum subtopics requiring discussion.
  • The WG's milestones suggest considering a second topic for adoption around this time, which will also be an agenda item ("what next").

• Document Splitting Discussion:

  • A participant raised questions about splitting the post-quantum draft, potentially into a "core" document for widely implemented algorithms and separate documents for more niche or optional ones.
  • It was clarified that the "core" document would aim for Proposed Standard status. Optional algorithm documents, if processed by the WG, could also be Proposed Standards, as there's little benefit in making them Informational.
  • The need for a logical basis for any split was emphasized to avoid a "cascade" of documents. The expectation is that a "core" document would be complete, specifying "most implement" KEMs, combiners, and signatures.
  • The IANA registry designated experts are appointed by the ISG, but the WG can provide recommendations.
  • Concerns were noted regarding the limitations of one-octet code point registries if there were a very large number of requests.

• KEM Combiners Discussion:

  • Aron volunteered to lead the presentation on KEMs, combiners, and signatures at IETF 119.
  • Editors were encouraged to submit a new revision of the post-quantum draft before the IETF 119 cutoff (Monday). This revision should reflect the current state, including TBD code points and relevant mailing list discussions, but without attempting to split the document at this stage.
  • There was an extensive discussion about the chaotic and complex state of KEM combiner discussions within the CFRG (Crypto Forum Research Group).
  • A suggestion was made to postpone the definitive KEM combiner discussion in OPENPGP to allow the CFRG process more time to mature.
  • However, others argued against postponement, emphasizing the need to gain implementer feedback specific to the OpenPGP context. It was suggested that OpenPGP's requirements and implementer perspectives might differ from other protocols, and early engagement could potentially inform the broader CFRG discussion.
  • It was broadly agreed that KEM combiners should be generic and not tied to specific KEMs (e.g., ML-KEM). The current draft's KEM combiner was noted as cryptographically sound.

• V4/V6 Key Binding for Post-Quantum:

  • A discussion arose regarding the decision to allow post-quantum algorithms with V4 certificates, questioning its wisdom versus binding them exclusively to V6.
  • Arguments for V4 inclusion included providing an "opportunistic upgrade" path, facilitating interoperability with older implementations, and easing the transition for clients (e.g., Thunderbird) not yet ready for full V6 adoption, especially given the perceived urgency of encryption.
  • Arguments against V4 inclusion highlighted potential added complexity for V4 implementations and the lost opportunity to use PQ as a strong motivator for V6 adoption, as new V6 implementations would inherently be designed to handle PQ artifacts.
  • It was proposed that this "transition" or "binding" issue become a dedicated subtopic for discussion at IETF 119. Justice volunteered to prepare some slides to kick off this discussion, acknowledging it would be late for their time zone.
  • It was emphasized that clarity is needed in these discussions, distinguishing between the V6 key/signature mechanism and the encryption mechanism (e.g., SEIP V1/V2, C-AAD packet).

• Test Vectors:

  • A request was made to include a test vector in the revised draft or associated GitHub repository. This test vector should feature an ED25519 primary key (V4 or V6) combined with a post-quantum encryption subkey (e.g., ML-KEM) and an encrypted message.
  • The purpose is to provide a concrete example to drive implementer attention and early feedback.
  • Existing V4 ECC + PQ encryption test vectors are available, but V6 + ML-DSA is not yet feasible due to crypto library readiness.
  • Editors agreed to provide such a test vector, ideally in the draft text.

• Mailing List Engagement:

  • Participants were encouraged to keep the mailing list active with feedback on all topics, including signatures, to ensure comprehensive input for the draft's development.

Decisions and Action Items

• Decision: The IETF 119 agenda will primarily focus on post-quantum work, structured around KEMs, KEM combiners, and signatures. A separate "what next" item for the WG and a discussion on V4/V6 binding for PQ will also be included.
• Decision: The editors of the post-quantum draft are encouraged to submit a new draft revision before the IETF 119 cut-off (Monday, <date to be inserted as applicable, but the transcript doesn't specify so omitted>), reflecting current TBD code points and mailing list discussions, but without splitting the document into multiple parts at this stage.
• Action Item: Chairs to send out a formal call for agenda items to the OPENPGP mailing list.
• Action Item: Aron (in conjunction with other editors) to prepare slides for the IETF 119 session covering KEMs, KEM combiners, and signatures. Slides should be submitted early via the data tracker.
• Action Item: Aron to send out a mailing list thread to initiate discussion on KEM combiners soon.
• Action Item: Editors to include a test vector (e.g., a V4/V6 primary key with a PQ encryption subkey and an encrypted message) in the revised draft text or associated GitHub resources to facilitate implementer testing.
• Action Item: Justice to prepare slides for the IETF 119 session to drive discussion on the V4/V6 key binding issue for post-quantum algorithms.
• Action Item: A mailing list thread on V4/V6 key binding for post-quantum is to be initiated after the KEM combiners thread has had some initial discussion.
• Action Item: OPENPGP WG participants interested in serving as IANA Designated Experts for OpenPGP registries should email the chairs with their interest.

Next Steps

• Continued mailing list discussion on post-quantum KEMs, combiners, and signatures, as well as the V4/V6 binding issue.
• Preparation and submission of slides for the IETF 119 session by presenters.
• Submission of a revised post-quantum draft before the IETF 119 deadline.
• The IETF 119 session will aim to advance discussions on the post-quantum draft and define future work items for the working group.