IETF Logo Mail Archive

Re: [openpgp] To bind or not to bind

Kai Engert <KaiE@kuix.de> Fri, 22 March 2024 20:57 UTC

Return-Path: <KaiE@kuix.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065BCC18DBB3 for <openpgp@ietfa.amsl.com>; Fri, 22 Mar 2024 13:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kuix.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jb-Jxxsfc2Xw for <openpgp@ietfa.amsl.com>; Fri, 22 Mar 2024 13:57:06 -0700 (PDT)
Received: from cloud.kuix.de (cloud.kuix.de [93.90.207.85]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB823C151551 for <openpgp@ietf.org>; Fri, 22 Mar 2024 13:57:06 -0700 (PDT)
Received: from [IPV6:2003:c8:af2a:a300:2b6a:161a:5cd:1ba] (p200300c8af2aa3002b6a161a05cd01ba.dip0.t-ipconnect.de [IPv6:2003:c8:af2a:a300:2b6a:161a:5cd:1ba]) by cloud.kuix.de (Postfix) with ESMTPSA id 681CF1944D9; Fri, 22 Mar 2024 20:57:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kuix.de; s=2018; t=1711141024; bh=bQmaiqwUWoAF6eyXQTzaEmAV/DTyNCUNrLIdvXuDViA=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=oVw/ssFOsDYYnp2IaShRXWZBe96zRwgS3rfYMeVmUbF3oUI8yif9/O4mubUoe3FTr Q+2bXYhI29PapLt0+TEE4jxMUg07IRtWNtudn/GFpYmx7JhxZ6Pmstxyg9pEHhLkQK MYfE/J1kmv8bZrW020oh9sljQN3mD58EY+dSOlOGiI5KT3pyeu/yOd5Lz4RTABMhWR 71ICLI1P99fbF0rcwNfnTV65WL1swL9A4r/ygSFT1x5uCv3wZd5F6ki7nAK2q8y7Mi MT2p3C38gSlCkfptYUxt6oN6qTQ+T5RF6fAMO3eEW8yG45Th3C5o/Q1I4xXJYYATlA phji9CsGmwzWw==
Message-ID: <06d0d603-cf99-4ed3-9353-d3e20c1db0a1@kuix.de>
Date: Fri, 22 Mar 2024 21:57:04 +0100
MIME-Version: 1.0
User-Agent: Thunderbird Daily
Content-Language: en-US
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>, Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, Falko Strenzke <falko.strenzke@mtg.de>
Cc: Justus Winter <justus@sequoia-pgp.org>, Aron Wussler <aron@wussler.it>, openpgp@ietf.org
References: <87a5mqi0xi.fsf@europ.lan> <23B46D65-EAF7-43D0-A5F1-04D28B698559@andrewg.com> <Oc3B14xagqpcToZdfQTIYHn_AolBg0i0_DTI4wPnXkFJntVv6A8hvmCMFUK9gjaK-gtfQLGnuQaTqqJzgz71IvhHutyn8Yd4UAErTOHXmzk=@protonmail.com>
From: Kai Engert <KaiE@kuix.de>
In-Reply-To: <Oc3B14xagqpcToZdfQTIYHn_AolBg0i0_DTI4wPnXkFJntVv6A8hvmCMFUK9gjaK-gtfQLGnuQaTqqJzgz71IvhHutyn8Yd4UAErTOHXmzk=@protonmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/30u2DPKdvEoTu8BJdIVivASi0n0>
Subject: Re: [openpgp] To bind or not to bind
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 20:57:11 -0000

On 22.03.24 21:17, Daniel Huigens wrote:
> Do applications using rnp (e.g. Thunderbird) use this flag, though?

I wonder whether we're talking about RNP_LOAD_SAVE_PERMISSIVE or 
something else I'm not aware of.

Thunderbird (TB) uses flag RNP_LOAD_SAVE_PERMISSIVE only optionally.

In the early days of TB's OpenPGP support, the users wanted to migrate 
as many public keys as possible into TB's storage.

At that time RNP was very strict by default, and rejected a lot of keys. 
Therefore it was decided to use RNP_LOAD_SAVE_PERMISSIVE.

However, in recent versions, RNP_LOAD_SAVE_PERMISSIVE wasn't used by 
default when importing public keys. The initial import was always 
attempted without this flag. When the operation failed, TB showed a 
warning that something went wrong, and offered the user to try importing 
again in a more permissive mode (which turned that flag on).

I don't know how frequently users used that. And in the recent past, I 
concluded it's probably no longer necessary, as RNP seemed to be able to 
handle all commonly used keys.

We're currently working to make this flag more difficult to find. My 
thinking was, we probably shouldn't import keys that RNP doesn't know 
how to handle. [1]

I'm happy to test whether this flag works with the kind of keys we're 
discussing here, and see if Thunderbird can successfully use it with the 
known encryption key. (I'd appreciate a link to a public key that I 
could test, on- or off-list.)

If we find that it works, and if it were decided that v4-pqc keys shall 
be supported, we could consider to enable the flag, in the hope that it 
doesn't introduce other side effects. However, it would be preferable to 
get an updated version of RNP that fixes the intolerance problem.

Thanks
Kai

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1829881

v2.23.0 | Report a Bug | By Email