Re: [openpgp] [FORGED] Re: Expiration impending: <draft-ietf-openpgp-rfc4880bis-01.txt>

Peter Gutmann <> Tue, 04 July 2017 09:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2A360131C36 for <>; Tue, 4 Jul 2017 02:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TNOknnh7GMDs for <>; Tue, 4 Jul 2017 02:06:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B170E131C33 for <>; Tue, 4 Jul 2017 02:06:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1499159172; x=1530695172; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=XG3aOOvb1yPskRVbZsMF/OnMjFDcipZlQWEmak5ifOk=; b=aJVnu3alrKFAAljHNb2MRwWQl/47NfO4OzNfE9z+1naGsqm9+GgIydVY tWEtDDGewEsx4O8kane9r6j91BwdOyRnn9K6VOKp0/S33EU99orHrnafG 8RJEmS1fwlWogQ8Wt9U/88uwpHeZ6lQKmukeuBCAWohm20fXFvRkrBnLf UwmvkuI3Y9vk5xe5wUlFXyJ6AJ7lrR+enifUcxDVTxs0cB2+fyjBy6LFH CN/senF507MGaH82H8j5FqfaWWwPLiodYnrUl10DqQwuBzyB3f5UfCWYS okHtCwbGR/Ubq+nPk5AI5kEQICu8LrueWU/EaS5DNiunB2oLvHc3ODDdu A==;
X-IronPort-AV: E=Sophos;i="5.40,307,1496059200"; d="scan'208";a="163163475"
X-Ironport-Source: - Outgoing - Outgoing
Received: from (HELO ([]) by with ESMTP/TLS/AES256-SHA; 04 Jul 2017 21:06:10 +1200
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 4 Jul 2017 21:06:10 +1200
Received: from ([fe80::6929:c5b:e4d6:fd92]) by ([fe80::6929:c5b:e4d6:fd92%14]) with mapi id 15.00.1263.000; Tue, 4 Jul 2017 21:06:10 +1200
From: Peter Gutmann <>
To: Kristian Fiskerstrand <>
CC: "" <>
Thread-Topic: [FORGED] Re: [openpgp] Expiration impending: <draft-ietf-openpgp-rfc4880bis-01.txt>
Date: Tue, 4 Jul 2017 09:06:09 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [openpgp] [FORGED] Re: Expiration impending: <draft-ietf-openpgp-rfc4880bis-01.txt>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Jul 2017 09:06:15 -0000

Kristian Fiskerstrand <> writes:

>The most common complaint I'm hearing about OpenPGP is that it is too
>complex, as such I'm beginning to change my mind as to whether protocol
>agility is only a good thing, maybe we should work more on getting to
>consensus and reduce implementation complexity in order to make it possible
>for better auditing of implementations etc.

The easiest way to do that would be through a profile of 4880.  So instead of
opening up giant can of worms and trying to redo 4880 itself, where everyone
will want their own favourite change applied, publish a profile of 4880 with a
standard feature set for file encryption, email encryption, signed data, and
maybe one or two other things.  

For example for file encryption you might have MUST AES, MUST MDC, MUST
Iterated and Salted S2K (why do the other options even exist?), MUST either
five-octet or partial lengths... I think that's about it.  Then you can do PGP
file encryption in a pretty minimal amount of code rather than having to
include an entire protocol suite to deal with every obscure option in the

The profile option, rather than rewrite-the-RFC, is fully compatible with
existing implementations while allowing us to move forward on best-practice
mechanisms and ciphers and, above all, simplify implementation and testing.