Adding a nonce before hashing as covert channel

Heiko Schäfer heiko.schaefer at posteo.de
Tue Dec 17 14:27:28 CET 2024


On 12/17/24 9:02 AM, Werner Koch via Gnupg-devel wrote:
> On Mon, 16 Dec 2024 15:22, Andrew Gallagher said:
>
> [..] We had a direct hashing in the rfc4880bis which was then removed
> from the draft for no good reason. [..]

You keep varyingly insinuating that stupid, inexplicable or even 
sinister things happened in the IETF OpenPGP working group. And every 
now and then, people chime in to correct your endlessly repeated 
assertions. I'll do one more round of this, here.

There is a very simple, coherent and non-sinister reason why the 
functionality you're referring to is not in RFC 9580:

The IETF process that led to RFC 9580 (working title "crypto refresh") 
had a clear and limited charter. Produce an update to RFC 4880 (which 
was published in 2007), with a narrow focus on updating the 
cryptographic mechanisms. Additional specification work was put off to a 
separate step.

The WG charter was defined this way to limit the work of producing a 
coherent and solid update for RFC 4880 to a manageable scope. Had the 
charter been more inclusive, I doubt if the process could ever have led 
to a result.

So the WG, consisting of a broad set of stakeholders, did finally 
produce an update to RFC 4880, in a process that you opted to drop out 
of at the very beginning, but are now complaining endlessly about. You 
endlessly repeat a small set of varyingly convincing arguments and 
complaints.

Frankly, I find your communication about these matters outrageous, at 
times baffling, and often disturbing.

Your life's work - GnuPG - is based on Phil Zimmermann's PGP, which he 
decided to specify as an open format under the name OpenPGP, so that a 
diverse group of implementers could collaborate on the further 
development of the technology.
Phil has weighed in, close to the end of the crypto refresh work in 
2022, saying in no uncertain terms that he considered the IETF draft 
(which has since become RFC 9580) compelling: 
https://mailarchive.ietf.org/arch/msg/openpgp/tX6anWN_QKy-FudFanZYLoy-oYk/ 
("[..] the only draft that incorporates ideas from a wide range of 
implementers, with strong modern cryptographic primitives in all 
categories, with mechanisms that respond to documented attacks.")

And yet you keep insinuating that the IETF process was flawed, 
illegitimate, sinister, and that truly the only reasonable path forward 
is for you to continue to evolve rfc4880bis (now under your new 
"LibrePGP" banner).

I understand that you've painted yourself into a corner, and I am truly 
sorry to see this state of affairs. However, pretty please, stop 
repeating your complaints about the IETF process. It's undignified and 
silly.

Heiko
