**Session Date/Time:** 19 Mar 2024 23:30

# openpgp

## Summary

This OpenPGP working group session focused on the status of the crypto refresh, the post-quantum cryptography (PQC) draft, and potential drafts for adoption regarding persistent symmetric keys and superseded keys. Discussions covered key encapsulation mechanisms (KEMs), key derivation functions (KDFs), and digital signatures in the context of PQC, as well as the implications of V4 and V6 keys. A poll was conducted to assess the working group's general direction for PQC adoption.

## Key Discussion Points

* **Crypto Refresh Status:** Draft 13 is in the RFC editor's queue.
* **OpenPGP Badge:** A new badge is available for use by the community.
* **PQC Draft - Key Encapsulation:**
    * The initial proposal included multiple elliptic curves.
    * Revised proposal: Implement X25519 and X448 as MUST, and X448 as SHOULD. NIST curves will be moved to a separate draft.
    * Need volunteers to write a NIST curves draft.
* **PQC Draft - Key Derivation:**
    * The initial proposal involved a custom KDF and combiner.
    * Revised proposal: Use ChaCha20-Poly1305 (Chafferty) and SHA3-256. Domain separation moved to fixed info. Include the public key in the combiner.
    * Discussion on whether to use KMAC or SHA3-256. FIPS compliance considerations were raised.
    * Agreement to proceed with the altered proposal for interoperability testing.
* **PQC Draft - Signatures:**
    * Option 1: Migration like ECC (add new code points).
    * Option 2: Composable hybrid (bind signatures together). Rejected.
    * Option 3: Composite hybrid (hybrid signatures containing both ECC and PQC components).
    * Discussion on SLH-DSA.
    * Revised proposal: Implement two hybrid algorithms with ML-DSA 65 and 87, and three variants of SLH-DSA.
* **V4 vs. V6 Keys:**
    * Current draft binds signatures to V6 keys.
    * Discussion on whether to bind encryption subkeys to V6 as well.
    * Question on what to do if someone creates a V4 key using PQC algorithms.
    * Agreement that recipients should be able to be classical ECC and PQC.
    * Most people at the meeting agreed to define PQC mechanisms for V6 and higher.

## Decisions and Action Items

* **Action Item:** Find volunteers to write a draft for NIST curves.
* **Action Item:** Authors will try to separate the PQ drafts per the meeting discussions.
* **Action Item:** Start a thread on the mailing list to discuss binding PQC encryption to V6 keys, highlighting the known opposition to this approach.
* **Decision:** Proceed with the altered proposal for KEMs, KDFs, and signatures for interoperability testing. The chosen combination may be altered later.

## Next Steps

* Post meeting minutes to the mailing list.
* Follow up with discussion on the mailing list regarding persistence of V4 and V6 keys and binding for post quantum key types.
* Organize an interim meeting to further discuss the PQC draft, including transition issues, and adoption of other drafts.