Closed falko-strenzke closed 1 year ago
I strongly vote for adopting the same behaviour as in the crypto-refresh, as otherwise the user experience may may suffer in real world applications.
I also vote for allowing v3 PKESK and include the same padding (seven zero-octets) as in the crypto refresh.
Further, I think we should add a clarifying statement that for v6 PKESK no padding is applied and we do not add checksum bytes to the session key (for both v3/v6 PKESK).
Update: Currently, there is the discussion to revert the v3 PKESK padding, see https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/266 Update2: This will be discussed in IETF 116
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/266 is now merged and no padding is applied for X25519/X448. Instead, the algorithm identifier is not included as part of the session key in the AES Key Wrap and left unenecrypted.
I can make a MR to align our draft to the crypto refresh
Meeting 2023-06-05:
* v6 PQC KEM-Keys currently may not create v3 PKESK. This shall now be enabled.
* v4 PQC KEM-Keys are not currently not allowed. This shall now be enabled.
* Restricting PQC signatures to v6 keys and signatures remains as before.
* SK: v4 PQC KEM keys causes any wire format changes?
* AW: no
* AW: bind PQC KEM to AES as symm. algo ID as in the crypto refresh
* AW: for signatures there are differences regarding packet length fields, but not for encryption
* JRH will complete the PR above
I updated PR #42.
v4 PQC KEM-Keys are not currently not allowed. This shall now be enabled.
I think the current text does not disallow this (at least not at 5.3.2. Key Material Packets
, maybe I've missed it somewhere else)
Maybe we should write that it's allowed to use v4 kyber-ecdh keys, to make it explicit
Johannes pointed out that we have the following restriction:
This needs a decision.