[openpgp] Re: I-D list for Open Specification for Pretty Good Privacy notification: Changes to draft-gallagher-openpgp-code-point-exhaustion
Justus Winter <justus@sequoia-pgp.org> Wed, 19 March 2025 10:20 UTC
Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 789DEEA812A for <openpgp@mail2.ietf.org>; Wed, 19 Mar 2025 03:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (4096-bit key) header.d=sequoia-pgp.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7drcRLZCVqWr for <openpgp@mail2.ietf.org>; Wed, 19 Mar 2025 03:20:43 -0700 (PDT)
Received: from mailgate02.uberspace.is (mailgate02.uberspace.is [185.26.156.114]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8BD35EA810B for <openpgp@ietf.org>; Wed, 19 Mar 2025 03:20:43 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) by mailgate02.uberspace.is (Postfix) with ESMTPS id DE681180019 for <openpgp@ietf.org>; Wed, 19 Mar 2025 11:20:42 +0100 (CET)
Received: (qmail 4834 invoked by uid 500); 19 Mar 2025 10:20:42 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Wed, 19 Mar 2025 11:20:42 +0100
From: Justus Winter <justus@sequoia-pgp.org>
To: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <D4D840C5-CD2F-47D8-8101-DF3F950B3ECB@andrewg.com>
References: <174231559348.277.2581535826712330509@dt-celery-57d64c6895-fcmg2> <B321DC63-56E0-44C2-96AA-D60205C148B2@andrewg.com> <87tt7p8n9d.fsf@europ.lan> <D4D840C5-CD2F-47D8-8101-DF3F950B3ECB@andrewg.com>
Date: Wed, 19 Mar 2025 11:20:41 +0100
Message-ID: <87msdh8gp2.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: --
X-Rspamd-Report: BAYES_HAM(-0.220132) SIGNED_PGP(-2) MIME_GOOD(-0.2)
X-Rspamd-Score: -2.420132
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from:to:cc:subject:date; bh=quCKfMYBRk12ahKCkVWkaUR35dyh+lXDckkoVGPIXGQ=; b=lGzrKBQCvVTqR7Ezk55Ee5oid50VOODvd5jJJ2kz2PpG5RkdmobiJoZ2PGUdhtqdDT4iVIXJ3X HpgqJNG2LZu81z9a5hvmls/e34fq2BIOMuGu3gAehlllVluIbGDUusrdToFk0aHa52eL9h5WUKw/ 9ZDeiPreoAxVW/2c+h4Q3qqRsOBbCP4hld8VxSCx3nvBzmKumdht5DbycTeQmr/mJSHb+mQLfh6p zq1ljWoIEogeNuopDTZE9o0CTpfFbcXJ1n+w2ZuEsU3uOkC7VL9XZUw3aKxd/4ouBaZAyRSgkLZA W+QXnmBjGYMKOolGam3EQ/QvjVR7AFyEAMh730hpWiuq6mpwUvU2+dFv27GmeVUygzMZPVWQ+53P Cl1v3gRJY7Y9ns5jz4rASja6fupfbl3mOc84Vf9zjw1vu4445TzawuacWwk17eCdYRV/4mr5fJTN Os/JY5AA6IoFYdrWbhkEGCkv8TG1uJ0ArJlnPzijvD+/7REP5vl9MxSNJt5U13LLaoyCFLRedKnY yDJrptV1CRf9E1AhlLml60nOvCivB/EHGBa5V/WjatRZh89VdS5risO/+b/jD2JFrQkKTU06zCU2 ueWj385f1PU42XVARtMnXrFpkke4KD3TlvRGByqxIrPfAsZtD6Sg6x3O42rk0U9tqDoyqaTYk/+i A=
Message-ID-Hash: E7BFSQTZRVPHTSGLV4FHB6IICD5NUWNF
X-Message-ID-Hash: E7BFSQTZRVPHTSGLV4FHB6IICD5NUWNF
X-MailFrom: justus@sequoia-pgp.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF OpenPGP <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: I-D list for Open Specification for Pretty Good Privacy notification: Changes to draft-gallagher-openpgp-code-point-exhaustion
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/0KdSdCN9w6w_yizgf6OBb34J2rM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Andrew Gallagher <andrewg@andrewg.com> writes: >> Then, you couldn't use multi-byte code points in any existing packet >> version, because that would turn what every software on this planet >> expects to be a fixed-size field into a variable-sized field, and >> failing to understand the scheme leads to catastrophic loss of parser >> synchronization (maybe with security implications). > > The use of octets >=128 for the extension scheme ensures that parser > desynchronisation always results in the emission of an unallocated > code point. In most cases the remainder of the packet is not parseable > even in principle if the code point is unknown, and in the rest the > errors are minor, with no security implications. In Sequoia, we explicitly model unknown values, and parse and roundtrip artifacts with unknown values just fine. I strongly believe that this principle has resulted in a very robust and forward-compatible implementation. And, I have identified aspects of RFC4880 where it was impossible to parse (parts) of packets unless you knew the algorithms used in the artifact. Notably, it is not possible to compute the fingerprint of secret key packets unless you know the key packet's asymmetric algorithm. I made an effort to avoid this and similar problems in RFC9580. > I checked the wire format of every packet and subpacket that contains > a code point, and the results are listed in section 5 of the > document. If I have missed anything, please let me know! Your proposal breaks computing the fingerprint of secret key packets again unless the implementation understands your multi-byte encoding. I consider that a regression. I'm going to strongly push back on anything that makes parsing OpenPGP artifacts impossible unless you know some as of yet unknown algorithm or encoding scheme. That is a nightmare for forward-compatibility. I don't believe in the argument "well if you don't understand this part here, you cannot use the packet anyway, so you might as well model the rest as opaque bytes". Best, Justus
- [openpgp] Fwd: I-D list for Open Specification fo… Andrew Gallagher
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Daniel Huigens
- [openpgp] Re: I-D list for Open Specification for… Andrew Gallagher
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Justus Winter
- [openpgp] Re: I-D list for Open Specification for… Andrew Gallagher
- [openpgp] Re: I-D list for Open Specification for… Justus Winter
- [openpgp] Re: I-D list for Open Specification for… Andrew Gallagher
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Heiko Schäfer
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Justus Winter
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Heiko Schäfer
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Justus Winter
- [openpgp] Re: Fwd: I-D list for Open Specificatio… Daniel Huigens
- [openpgp] Re: I-D list for Open Specification for… Andrew Gallagher
- [openpgp] Re: I-D list for Open Specification for… Daniel Huigens