Re: [openpgp] "OpenPGP Simple"
Gregory Maxwell <gmaxwell@gmail.com> Sun, 22 March 2015 15:06 UTC
On Sun, Mar 22, 2015 at 2:56 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> People keep telling me that canonicalization is necessary for
> security. In 25 years I have never once heard someone give a use case
> where it did.

Okay, sure I can fix that problem for you, here is a recent example; look at OpenSSL CVE-2014-8275 (https://www.openssl.org/news/secadv_20150108.txt).

A CA has signed an intermediate CA cert which is loaded in an interception appliance. You blacklist this certificate by ID. Your blacklisting is bypassed by simply changing the encoding of the when sending the cert chain and now your traffic can be intercepted again.

(This isn't unique, but a recent example; if you're still thinking that you've still not had one use case where it did I'd be glad to spend more time convincing you off-list)
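Added example, not part of the original message: a sketch of why a blocklist keyed on the hash of the received bytes depends on canonical encoding, and two defensive fixes (reject non-DER input, or hash the canonical re-encoding). The TLV object, the sample bytes and all function names are constructed for illustration; this is a toy structure, not real X.509, and the BER long-form length is only one assumed instance of an alternate encoding.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Lenient BER read of one TLV: returns (tag, value, next_pos, is_der)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    is_der = True
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        # DER allows long form only when needed, with no leading zero byte
        is_der = length >= 0x80 and buf[pos] != 0
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length, is_der

def encode_der(tag, value):
    n = len(value)                        # shortest (canonical) length form
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fingerprint(raw):
    return hashlib.sha256(raw).hexdigest()

def canonical_fingerprint(raw):
    """Hash the DER re-encoding, so equivalent encodings share one ID."""
    tag, value, _, _ = read_tlv(raw)
    return fingerprint(encode_der(tag, value))

def check(raw, blocklist, strict):
    """Returns 'reject-encoding', 'blocked' or 'allowed'."""
    _, _, end, is_der = read_tlv(raw)
    if end != len(raw):
        raise ValueError("trailing bytes")
    if strict and not is_der:
        return "reject-encoding"          # canonical form enforced at parse time
    return "blocked" if fingerprint(raw) in blocklist else "allowed"

# Constructed sample: the same content in DER and in a non-minimal BER encoding.
CERT_DER = encode_der(0x30, b"constructed intermediate CA body")
CERT_ALT = bytes([0x30, 0x81, len(CERT_DER) - 2]) + CERT_DER[2:]
BLOCKLIST = {fingerprint(CERT_DER)}
```

With `strict=False` the two encodings parse to the same content but only `CERT_DER` matches the blocklist; with `strict=True`, or with `canonical_fingerprint` as the blocklist key, the alternate encoding no longer slips past.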