Infrastructure support for GnuPG post-quantum keys (Re: Betamax v. VHS, and the future of PQ-PGP)
have at anonymous.sex
Fri Jan 3 19:29:20 CET 2025
This is a followup on infrastructure support for PQ-PGP keys.
On Wed, 1 Jan 2025 23:57:25 +0000, have at anonymous.sex wrote:
>I attempted to upload a post-quantum key created with GnuPG v2.5.1 to
>keys.openpgp.org. [...] I promptly reached out to support at keys.openpgp.org
>to ask when the infrastructure will support distribution of these keys
>to help users protect their long-term security.
The reply 13 hours later made it clear that rejection of my key was
intentional, due to v5 packets being “nonstandard” and GnuPG being not
“cooperative”.
I won’t ambush a volunteer answering support@ for a free keyserver, but
I will publicly quote my own reply below. There has been no further
response in the past 25 hours.
In any discussion of this issue, *please* be cogent and courteous, and
focus on user security. I’m not married to GnuPG—but insofar as I can
tell, GnuPG with its “nonstandard” v5 packets is currently the only free
software option for post-quantum encrypted mail. What’s really
important?
###
Date: Thu, 2 Jan 2025 17:29:20 +0000
From: have at anonymous.sex
To: [REDACTED]
Subject: Re: GnuPG post-quantum key upload failed.
Message-ID: <69f5aa5e-0378-8956-bdcc-32c9949ed3e9 at anonymous.sex>
Thanks for your reply.
>>When will the keyserver support distribution of these keys to assist
>>users in protecting their long-term security?
>
>[REDACTED]
If your org doesn’t want to distribute my v5 packet key with
post-quantum subkey, would you please recommend a v6 packet
implementation with not less than ky1024_cv448 security, which I can use
*right now* and recommend to others? (Does keys.openpgp.org support v6
packet keys?)
I don’t know Werner Koch or any of the other involved personalities.
I’ve sometimes casually read IETF WG mail. I have not yet formally
reviewed the differences between LibrePGP (packet v5) and IETF OpenPGP
(packet v6), which is more difficult because the IETF committee rewrote
the standard instead of revising it. I presume that all parties on both
sides are basically competent at the design of cryptographic protocols.
My perspective is that of an advanced user who practically has RFC 4880
memorized, who has tutored individuals gratis in PGP/GnuPG usage for >25
years, and who is very worried about the potential long-term security
threat of quantum computing. Now a very frustrated user, being pushed
to one side by default:
2025-01-01: Betamax v. VHS, and the future of PQ-PGP
https://lists.gnupg.org/pipermail/gnupg-users/2025-January/067441.html
This is not a nice wishlist feature that can wait. I sometimes try to
remember what messages I sent with RSA4096 decades ago, and wonder if
the keys will be factored by any QC attacker with covert interception
and long-term data retention; you?
https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/
https://en.wikipedia.org/wiki/Massive_Data_Repository
https://microblog.cr.yp.to/1544456469038645248/index.html#1544469614133800960
Nor should it wait. The NIST PQC process was so slow that when the
final standard was published in August, everyone had had almost two
years to get ready for what everyone pretty much knew would be Kyber. I
take it as “we care about user security” that GnuPG v2.5.1 release notes
claimed final standard support exactly 30 days after NIST published the
standard, based on draft standard code that was in active testing for
months before this.
https://lists.gnupg.org/pipermail/gnupg-announce/2024q3/000485.html
As it is, the NIST process was so tied up in red tape and personality
conflicts that I’m *ashamed* that no one (including myself) was even
less “cooperative” than WK; after all, “cypherpunks write code” and do
not wait for interminable committees.
That is the perspective of a user who is resolved aggressively to stop
using non-PQ encryption in 2025, but also does not want to cease
communicating with other human beings.
With all due apologies for the long message: This is too important an
issue to continue being quiet about.
--
# Remember these on Wednesday, January 15, 2025:
https://web.archive.org/web/19971024171609/http://www.eff.org/blueribbon.html
https://web.archive.org/web/19971114041230/http://www.eff.org/pub/Legal/Cases/ACLU_v_Reno/19970626_eff_cda.announce
https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/23-1122.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250103/aa6f8250/attachment.sig>