people/wk/rfc4880bis.git
8 months agoAdd draft-ietf-openpgp-rfc4880bis-03.txt master draft-ietf-openpgp-rfc4880bis-03
Werner Koch [Fri, 29 Dec 2017 10:54:28 +0000 (11:54 +0100)]
Add draft-ietf-openpgp-rfc4880bis-03.txt

8 months agoPrepare publication of -03
Werner Koch [Fri, 29 Dec 2017 10:29:18 +0000 (11:29 +0100)]
Prepare publication of -03

8 months agoRemove description on how to extend the MDC system.
Werner Koch [Fri, 29 Dec 2017 10:28:38 +0000 (11:28 +0100)]
Remove description on how to extend the MDC system.

8 months agoAdd Preferred AEAD Algorithms signature subpacket.
Werner Koch [Fri, 29 Dec 2017 10:12:46 +0000 (11:12 +0100)]
Add Preferred AEAD Algorithms signature subpacket.

8 months agoAdd feature flag 0x04 to declare support for v5 keys
Werner Koch [Fri, 29 Dec 2017 09:51:26 +0000 (10:51 +0100)]
Add feature flag 0x04 to declare support for v5 keys

8 months agoProposed patch to add OCB to AEAD section
Ronald Tse [Thu, 26 Oct 2017 01:25:27 +0000 (01:25 +0000)]
Proposed patch to add OCB to AEAD section

Hi openpgp WGers,

This is the proposed patch to add OCB to 4880bis.

--

<wk>
There has been a heated debate over the inclusion of a patented
algorithm into OpenPGP.  As it stands now we do not have a rough
consensus on adding this to 4880bis.  Instead it was suggested to put
this into a separate document.

For ease of working on this *I-D* I decided to include the patch
*for now*.  It will likely be removed before we finish the document.
</>

10 months agoAdd a reminder to clarify v4 signatures,
Werner Koch [Thu, 26 Oct 2017 09:56:55 +0000 (11:56 +0200)]
Add a reminder to clarify v4 signatures,

10 months agoProposed patch to fix missing reference to RFC 7748
Ronald Tse [Thu, 26 Oct 2017 01:23:00 +0000 (01:23 +0000)]
Proposed patch to fix missing reference to RFC 7748

Hi Werner,

The current master of the rfc4880bis repository does not build due to missing reference files for RFC 7748.

The proposed patch can be seen at this link and also attached below:
- https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/7

commit b07f525d32fa22b282232a18699b062df1231460
Author: Ronald Tse <ronald.tse@ribose.com<mailto:ronald.tse@ribose.com>>
Date:   Wed Oct 25 16:42:26 2017 +0800

    Fix missing XML reference to RFC 7748

12 months agoAdd Literal Data Packet format octet 'm'.
Werner Koch [Thu, 14 Sep 2017 06:56:29 +0000 (08:56 +0200)]
Add Literal Data Packet format octet 'm'.

Being able to know thar the content is a a MIME message is useful for
parsers so that they do not need to use heuristics to decide this.

12 months agoAdd bit sizes for Curve25519 and specify the 0x40 format for ECDH.
Werner Koch [Thu, 14 Sep 2017 06:51:16 +0000 (08:51 +0200)]
Add bit sizes for Curve25519 and specify the 0x40 format for ECDH.

12 months agoMerge branch 'pu/ascii-armor-cleartext' into 'master'
Werner Koch [Tue, 12 Sep 2017 09:52:20 +0000 (09:52 +0000)]
Merge branch 'pu/ascii-armor-cleartext' into 'master'

Clarify ASCII Armoring and Cleartext formats

See merge request !6

12 months agoMerge branch 'curve25519' into 'master'
Werner Koch [Tue, 12 Sep 2017 09:44:47 +0000 (09:44 +0000)]
Merge branch 'curve25519' into 'master'

Make it slightly more clear that Curve25519 keys are treated as ECDH

See merge request !5

12 months agoUse all 32 octets of a V5 fingerprint.
Werner Koch [Wed, 23 Aug 2017 09:46:29 +0000 (11:46 +0200)]
Use all 32 octets of a V5 fingerprint.

13 months agoClarify ASCII Armoring and Cleartext formats
Guillem Jover [Mon, 19 Oct 2015 14:33:32 +0000 (16:33 +0200)]
Clarify ASCII Armoring and Cleartext formats

Describe explicitly what ASCII characters are considered whitespace.
Use "blank" instead of "empty" when referring to a blank line that can
be either zero-length or contain only whitespace, and describe what it
means. Mention that Section 7 follows the same format and restrictions
of Section 6.2. Add that trailing whitespace at the end of any line is
removed for both signature generation and verification.

13 months agoMake it slightly more clear that Curve25519 keys are treated as ECDH
Clint Adams [Fri, 11 Aug 2017 19:57:16 +0000 (15:57 -0400)]
Make it slightly more clear that Curve25519 keys are treated as ECDH

While Ed25519 gets its own packet tag, Curve25519 keys are treated
the same as ECDH (by design and by the GnuPG implementation).

13 months agoRemove old section number from new section.
Werner Koch [Tue, 25 Jul 2017 18:53:14 +0000 (20:53 +0200)]
Remove old section number from new section.

13 months agoAdd Feature subpacket flag for AEAD packets.
Werner Koch [Tue, 25 Jul 2017 18:52:11 +0000 (20:52 +0200)]
Add Feature subpacket flag for AEAD packets.

13 months agoAssign tag 20 for the AEAD Encrypted Data Packet
Werner Koch [Tue, 25 Jul 2017 18:34:03 +0000 (20:34 +0200)]
Assign tag 20 for the AEAD Encrypted Data Packet

Also a few other editorial changes.

13 months agoAdd AEAD mode for Secret Key Packets
brian m. carlson [Fri, 21 Jul 2017 22:27:18 +0000 (22:27 +0000)]
Add AEAD mode for Secret Key Packets

13 months agoDefine AEAD mode for SKESK Packets
brian m. carlson [Fri, 21 Jul 2017 22:27:17 +0000 (22:27 +0000)]
Define AEAD mode for SKESK Packets

13 months agoAdd AEAD Encrypted Data Packet with EAX
brian m. carlson [Fri, 21 Jul 2017 22:27:16 +0000 (22:27 +0000)]
Add AEAD Encrypted Data Packet with EAX

14 months agoFix markup of special characters used in regular expressions.
Werner Koch [Thu, 20 Jul 2017 15:42:52 +0000 (17:42 +0200)]
Fix markup of special characters used in regular expressions.

14 months agoPublished third IETF draft draft-ietf-openpgp-rfc4880bis-02.xml
Werner Koch [Fri, 30 Jun 2017 10:14:52 +0000 (12:14 +0200)]
Published third IETF draft

14 months agoSpecify OIDs from brainpool curves and Curve25519.
Werner Koch [Fri, 30 Jun 2017 10:11:54 +0000 (12:11 +0200)]
Specify OIDs from brainpool curves and Curve25519.

18 months agoAssign code points for SHA3 and update FIPS versions.
Werner Koch [Wed, 22 Mar 2017 08:00:06 +0000 (09:00 +0100)]
Assign code points for SHA3 and update FIPS versions.

18 months agoChange "Hash Algorithms Preferences" to note the new MUST algo.
Werner Koch [Tue, 21 Mar 2017 07:50:12 +0000 (08:50 +0100)]
Change "Hash Algorithms Preferences" to note the new MUST algo.

18 months agoChanged left-over term SHA1 to SHA-1
Werner Koch [Tue, 21 Mar 2017 07:39:51 +0000 (08:39 +0100)]
Changed left-over term SHA1 to SHA-1

The SHAx editorial changes were
Suggested-by: Mark D. Baushke
18 months agoConsistently use SHA2-xxx
Werner Koch [Tue, 21 Mar 2017 07:28:41 +0000 (08:28 +0100)]
Consistently use SHA2-xxx

18 months agoDeprecate legacy hash algorithms
Werner Koch [Fri, 17 Mar 2017 08:54:18 +0000 (09:54 +0100)]
Deprecate legacy hash algorithms

MD5 has been deprecated for a long time; clearly deprecating this
algorithm using "SHOULD NOT implement" is thus due.

SHA-1 is still required to verify existing signature and can't be
deprecated.  However it is not anymore a mandatory algorithm with the
exception of MDC packets which we need to support at least read-only
for the foreseeable future.

Upgrading SHA2-256 to a mandatory algorithm should be obvious.

Keeping SHA2-512 optional benefits implementations on low end
platforms.

18 months agoImprove wording for the new fingerprint scheme
Werner Koch [Fri, 17 Mar 2017 08:39:24 +0000 (09:39 +0100)]
Improve wording for the new fingerprint scheme

Fixes-commit: ba4f884c6d5483071d6adbc1e43978b60980440a

18 months agoMerge branch 'gitlab-master' into 'master'
Werner Koch [Tue, 7 Mar 2017 17:45:43 +0000 (17:45 +0000)]
Merge branch 'gitlab-master' into 'master'

Gitlab master

See merge request !3

18 months agoMerge branch 'v5-octets' into 'master'
Werner Koch [Tue, 7 Mar 2017 17:37:05 +0000 (17:37 +0000)]
Merge branch 'v5-octets' into 'master'

Specify eight-octet lengths for V5 signatures

See merge request !1

18 months agoSpecify a v5 key version and a new fingerprint scheme.
Werner Koch [Tue, 7 Mar 2017 16:48:15 +0000 (17:48 +0100)]
Specify a v5 key version and a new fingerprint scheme.

The v5 key version is introduced to
  a) to trigger the use of the new fingerprint scheme,
  b) to prepare for algorithms which need keys larger than 64k,
  c) to ease parsing of unknown algorithms.

The fingerprint algorithm uses SHA-256 because
  a) 32 octets are sufficient for a fingerprint
     (#include "640k-ram-will-always-be-enough.joke"),
  b) SHA-256 is well matured and widely available,
  c) SHA-256 is faster than SHA-512 on embedded platforms,
  d) implementations need to support SHA-256 anyway because it is
     the commonly used hash algorithms for signatures.

Although the fingerprint is specified at full length it is truncated
to 25 octets for purposes of the OpenPGP spec.  This is so that
signatures are not too much enlarged without a good reason.

A human readable representation of the fingerprint is not given
because that was never done in OpenPGP.  Implementations may for
example use

  1122334455 6677889900 aabbccddee ff00112233 4455667788
or
  11223 34455 66778 89900 aabbc cddee ff001 12233 44556 67788

to show fingerprints.

The Key ID is still defined because the 64 bits do not pose a problem
when used to selecting the decryption key.  The leftmost 64 bits of
the fingerprint are used (v4 uses the rightmost).

Aside from a few editorial changes the actual changes are:

* Revocation key and Issuer Fingerprint:

  - For a V5 key the 25 leftmost octets are used.

* Public key packet:

  - New four-octet count of the public key material.
    This is to ease parsing.

* Secret key packet

  - S2K Usage octet MUST NOT be 255.
    That is V5 keys require the SHA-1 checksum but
    we may want to drop this in favor of an AEAD mode.

  - New one-octet count of the S2K parameters.
    This is to ease parsing.

  - New four-octet count of the secret key material.
    This is to ease parsing.

* Key IDs and Fingerprint

  - The V5 fingerprint uses SHA-256

  - The magic header is changed from 0x99 + two-octets length header
    to 0x9a = four-octet length header.  The four-octet public key
    material count is inserted.

* EC DH Algorithm

  - For the 20 octets representing a recipient in the KDF parameters
    the v5 fingerprint truncated to 20 octets is used.

18 months agoFactor key algorithm specific parts out to a new section.
Werner Koch [Tue, 7 Mar 2017 10:52:27 +0000 (11:52 +0100)]
Factor key algorithm specific parts out to a new section.

Aside from having the public and secret key parameters now close
together, this editorial change will make it easier to add new a new
key packet format and prepares for algorithms which can't be described
by a list of MPIs (which is actually already the case for ECC keys).

19 months agoSpecify eight-octet lengths for V5 signatures
brian m. carlson [Mon, 13 Feb 2017 00:20:42 +0000 (00:20 +0000)]
Specify eight-octet lengths for V5 signatures

20 months agoPublished second ietf draft
Werner Koch [Mon, 2 Jan 2017 07:48:13 +0000 (08:48 +0100)]
Published second ietf draft

22 months agoAdd Issuer Fingerprint signature subpacket.
Werner Koch [Fri, 28 Oct 2016 18:35:01 +0000 (20:35 +0200)]
Add Issuer Fingerprint signature subpacket.

Gitlab-Issue: 3

2 years agoPublished first ietf draft draft-ietf-openpgp-rfc4880bis-00
Werner Koch [Wed, 6 Jul 2016 21:01:36 +0000 (23:01 +0200)]
Published first ietf draft

2 years agoChanged name to draft-ietf-openpgp-rfc4880bis
Werner Koch [Wed, 6 Jul 2016 20:53:43 +0000 (22:53 +0200)]
Changed name to draft-ietf-openpgp-rfc4880bis

2 years agogit should ignore output files and emacs backup files
Daniel Kahn Gillmor [Sat, 25 Jun 2016 14:53:56 +0000 (10:53 -0400)]
git should ignore output files and emacs backup files

2 years agoprepare a Makefile for ease of use
Daniel Kahn Gillmor [Sat, 25 Jun 2016 14:52:27 +0000 (10:52 -0400)]
prepare a Makefile for ease of use

2 years agoadded CONTRIBUTING.md to remind people how we aim to communicate about the draft
Daniel Kahn Gillmor [Sat, 25 Jun 2016 14:51:52 +0000 (10:51 -0400)]
added CONTRIBUTING.md to remind people how we aim to communicate about the draft

2 years agoUse CODE BEGINS/ENDS lines and reference 4880 in the abstract.
Werner Koch [Thu, 17 Mar 2016 17:39:52 +0000 (18:39 +0100)]
Use CODE BEGINS/ENDS lines and reference 4880 in the abstract.

2 years agoAdd published draft -02 draft-koch-openpgp-rfc4880bis-02
Werner Koch [Thu, 17 Mar 2016 17:26:08 +0000 (18:26 +0100)]
Add published draft -02

2 years agoAdd draft-koch-eddsa-for-openpgp-04
Werner Koch [Thu, 17 Mar 2016 17:02:56 +0000 (18:02 +0100)]
Add draft-koch-eddsa-for-openpgp-04

2 years agoAdd missing RFC reference and a README
Werner Koch [Thu, 18 Feb 2016 10:00:49 +0000 (11:00 +0100)]
Add missing RFC reference and a README

2 years agoIntegrate Device-Certificate Draft
Derek Atkins [Thu, 11 Feb 2016 21:35:20 +0000 (16:35 -0500)]
Integrate Device-Certificate Draft

Changes from Derek's original draft (wk):
 - Change two MUST to SHOULD as agreed upon on the ML.
 - Remove new section numbers.  The section numbers in curly braces
   are only used to refer the RFC-4880 section numbers.

2 years agoPrepare for -02 cycle
Werner Koch [Wed, 4 Nov 2015 10:29:34 +0000 (11:29 +0100)]
Prepare for -02 cycle

2 years agoMerge branch 'draft-publishing' into master
Werner Koch [Wed, 4 Nov 2015 10:19:36 +0000 (11:19 +0100)]
Merge branch 'draft-publishing' into master

2 years agoAdd published draft 01. draft-publishing draft-koch-openpgp-rfc4880bis-01
Werner Koch [Wed, 4 Nov 2015 09:55:58 +0000 (10:55 +0100)]
Add published draft 01.

2 years agoMerge with RFC-6637 (ECC for OpenPGP)
Werner Koch [Fri, 29 May 2015 19:23:26 +0000 (21:23 +0200)]
Merge with RFC-6637 (ECC for OpenPGP)

This patch adds the new algorithm numbers for ECDH and ECDSA and marks
them as MUST implement.  The bulk of RFC-6637 is added to the new
sections Elliptic Curve Cryptography and Compatibility Profiles.  The
remaining stuff goes into the Security Considerations.

2 years agoAdd published draft 00.
Werner Koch [Wed, 4 Nov 2015 07:31:00 +0000 (08:31 +0100)]
Add published draft 00.

There was some hiccup in the submission tool which accidentally posted
the I-D after having tried to go back and upload a fixed version.  My
address was latter added to the already published I-D.  This is the
actual published version.

2 years agorfc4880bis: Reformat to allow rendering of all lists.
Werner Koch [Fri, 29 May 2015 14:20:08 +0000 (16:20 +0200)]
rfc4880bis: Reformat to allow rendering of all lists.

2 years agorfc4880bis: Merge with RFC-5581 (Camellia).
Werner Koch [Thu, 28 May 2015 12:37:34 +0000 (14:37 +0200)]
rfc4880bis: Merge with RFC-5581 (Camellia).

Resolved conflicts:
back.mkd
template.xml

2 years agoPrepare publishing of draft-00
Werner Koch [Tue, 3 Nov 2015 11:42:43 +0000 (12:42 +0100)]
Prepare publishing of draft-00

2 years agoMove reference files to here.
Werner Koch [Tue, 3 Nov 2015 11:47:37 +0000 (12:47 +0100)]
Move reference files to here.

2 years agorfc4880bis: Merge with RFC-6637 (ECC for OpenPGP)
Werner Koch [Fri, 29 May 2015 19:23:26 +0000 (21:23 +0200)]
rfc4880bis: Merge with RFC-6637 (ECC for OpenPGP)

This patch adds the new algorithm numbers for ECDH and ECDSA and marks
them as MUST implement.  The bulk of RFC-6637 is added to the new
sections Elliptic Curve Cryptography and Compatibility Profiles.  The
remaining stuff goes into the Security Considerations.

2 years agorfc4880bis: Apply errata 2242
Werner Koch [Wed, 27 May 2015 15:54:04 +0000 (17:54 +0200)]
rfc4880bis: Apply errata 2242

--
Errata ID: 2242

Status: Verified
Type: Editorial

Reported By: Constantin Hagemeier
Date Reported: 2010-04-28
Verifier Name: Sean Turner
Date Verified: 2010-07-20

Section 13.1.3. says:

   mL = intended length in octets of the encoded message, at least tLen
        + 11, where tLen is the octet length of the DER encoding T of a
        certain value computed during the encoding operation

It should say:

   emLen = intended length in octets of the encoded message, at least
        tLen + 11, where tLen is the octet length of the DER encoding T
        of a certain value computed during the encoding operation

Notes:

In the following text it is called emLen.

Changed to editorial.

2 years agorfc4880bis: Reformat to allow rendering of all lists.
Werner Koch [Fri, 29 May 2015 14:20:08 +0000 (16:20 +0200)]
rfc4880bis: Reformat to allow rendering of all lists.

2 years agorfc4880bis: Apply errata 3298
Werner Koch [Wed, 27 May 2015 15:50:14 +0000 (17:50 +0200)]
rfc4880bis: Apply errata 3298

--
Errata ID: 3298

Status: Verified
Type: Technical

Reported By: Daniel Kahn Gillmor
Date Reported: 2012-07-27
Verifier Name: Stephen Farrell
Date Verified: 2013-03-16

Section 5.2.4 says:

Key revocation signatures (types 0x20 and 0x28) hash only the key
being revoked.

It should say:

Primary key revocation signatures (type 0x20) hash only the key being
revoked.  Subkey revocation signature (type 0x28) hash first the
primary key and then the subkey being revoked.

Notes:

This amendment to subkey revocation signatures is intended to align
the spec with existing implementations. (it also makes the subkey
revocation signatures more symmetric with the subkey binding
signatures).

GnuPG (all known versions with subkey support) hashes both keys, as
does PGP (tested at version 6.5.8). I'm unaware of any other OpenPGP
implementation that actually complies with the spec as written for
subkey revocations.

This was apparently noticed (but apparently ignored) back in 2000 (see
point 2 of [0]) and was recently discussed again on the IETF list [1].

[0]
  http://www.mhonarc.org/archive/html/ietf-openpgp/2000-12/msg00001.html
[1]
  http://www.mhonarc.org/archive/html/ietf-openpgp/2012-07/msg00003.html

2 years agorfc4880bis: Merge with RFC-5581 (Camellia).
Werner Koch [Thu, 28 May 2015 12:37:34 +0000 (14:37 +0200)]
rfc4880bis: Merge with RFC-5581 (Camellia).

2 years agorfc4880bis: Apply errata 2271
Werner Koch [Wed, 27 May 2015 15:45:19 +0000 (17:45 +0200)]
rfc4880bis: Apply errata 2271

--
Errata ID: 2271

Status: Verified
Type: Technical

Reported By: David Shaw
Date Reported: 2010-05-18
Verifier Name: Sean Turner
Date Verified: 2010-07-20

Section 6.5 says:

   Input data:  0x14FB9C03D97E
   Hex:     1   4    F   B    9   C     | 0   3    D   9    7   E
   8-bit:   00010100 11111011 10011100  | 00000011 11011001 11111110
   6-bit:   000101 001111 101110 011100 | 000000 111101 100111 111110
   Decimal: 5      15     46     28       0      61     37     62
   Output:  F      P      u      c        A      9      l      +

It should say:

   Input data:  0x14FB9C03D97E
   Hex:     1   4    F   B    9   C     | 0   3    D   9    7   E
   8-bit:   00010100 11111011 10011100  | 00000011 11011001 01111110
   6-bit:   000101 001111 101110 011100 | 000000 111101 100101 111110
   Decimal: 5      15     46     28       0      61     37     62
   Output:  F      P      u      c        A      9      l      +

Notes:

This example shows the conversion of 0x14FB9C03D97E into Radix-64. The
problem is in the last byte, where '7E' is shown in binary as
11111110. That of course should be 01111110. The error is carried
through in the 6-bit rendering of that data where the next-to-last
6-bit group 100111 should actually be 100101. The decimal rendering as
well as the output (character) line is correct.

2 years agorfc4880bis: Apply errata 2270
Werner Koch [Wed, 27 May 2015 15:41:15 +0000 (17:41 +0200)]
rfc4880bis: Apply errata 2270

--
Status: Verified
Type: Technical

Reported By: David Shaw
Date Reported: 2010-05-18
Verifier Name: Sean Turner
Date Verified: 2010-07-20

Section 5.2.2 says:

       SHA224:     0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
                   0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
                   0x00, 0x04, 0x1C

It should say:

       SHA224:     0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
                   0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
                   0x00, 0x04, 0x1C

Notes:

The second byte as published in 4880 is 0x31 but should be 0x2d.

Hal Finney noted this once, but I didn't see it entered in as an errata.

2 years agorfc4880bis: Convert rfc4880 to pandoc format.
Werner Koch [Wed, 27 May 2015 15:37:18 +0000 (17:37 +0200)]
rfc4880bis: Convert rfc4880 to pandoc format.

This is a first step towards RFC4880bis.  Running

   pandoc2rfc abstract.mkd middle.mkd back.mkd

creates a draft.txt with is mostly identical to RFC4880.  The biblio
entries for the normative section are a bit different and the those
from the informational section are missing.  Tables are used instead
of simple list to allow the use of references.  Some parts are copied
verbatim from the RFC without new pandoc markup.  Author addresses and
the boilerplate information may not be correct.