IETF Logo Mail Archive

[openpgp] Re: I-D list for Open Specification for Pretty Good Privacy notification: Changes to draft-gallagher-openpgp-code-point-exhaustion

Andrew Gallagher <andrewg@andrewg.com> Wed, 19 March 2025 09:27 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 01588E9CE8A for <openpgp@mail2.ietf.org>; Wed, 19 Mar 2025 02:27:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p563fno5t4Bi for <openpgp@mail2.ietf.org>; Wed, 19 Mar 2025 02:26:59 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 05A61E9CE6A for <openpgp@ietf.org>; Wed, 19 Mar 2025 02:26:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1742376417; bh=ZrQp9tPA0StkdJhkKIO0lRh5OhnOHqlO7acjiJudBE0=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=DFsIjFBwlcszMM9EU0YEcBbCDnK/YXUIqVNXXmp/4Am7IP6X0Dhhi0RS/lsSP5g10 106fyHr3VeZjL2dCB3nzC01BGwdzOGM/gfxYS22fqf3YzWk5GKiKuZjKl2VU/ZouX1 OflQgkTXDJSTVgSJHZOUgltRHP5rellZWfkkjh8/nErr391paMIWJCCDQqxJT7ufx1 z9kWTGBRL4t9vN7fJUxKoTzoM0iikVPgTyVqoHnVrOwGm3hL/zW3aqdsubzmRun3dM Z0ugPcw4FSMGJlEi5RV80yMr651aMDwTNkkdRjrxBPxLIh2FJdqndyTRmkzqC6PEDn xcrlvH9j7Mg6A==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 7C7455DDA2; Wed, 19 Mar 2025 09:26:57 +0000 (UTC)
From: Andrew Gallagher <andrewg@andrewg.com>
Message-Id: <4270D0C7-B07A-421E-BA0C-A75E3877079C@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_499B8333-636C-4716-8286-AA3A0C6FA809"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.9\))
Date: Wed, 19 Mar 2025 09:26:40 +0000
In-Reply-To: <XU29-lKEZD2yCjkCldPMDd1nEwqA9Qps5F1ctajuA_DiZtvYu9zQ3LKTRwCBTUKdA8XDPXMFTWbQCtnmHuYUZnr6NXBT04G-AfI-0AR34pA=@protonmail.com>
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>
References: <174231559348.277.2581535826712330509@dt-celery-57d64c6895-fcmg2> <B321DC63-56E0-44C2-96AA-D60205C148B2@andrewg.com> <XU29-lKEZD2yCjkCldPMDd1nEwqA9Qps5F1ctajuA_DiZtvYu9zQ3LKTRwCBTUKdA8XDPXMFTWbQCtnmHuYUZnr6NXBT04G-AfI-0AR34pA=@protonmail.com>
X-Mailer: Apple Mail (2.3731.700.6.1.9)
Message-ID-Hash: JFUSLMJVLG2ZFFI3QSHAOJNDX4WVQVSM
X-Message-ID-Hash: JFUSLMJVLG2ZFFI3QSHAOJNDX4WVQVSM
X-MailFrom: andrewg@andrewg.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF OpenPGP <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: I-D list for Open Specification for Pretty Good Privacy notification: Changes to draft-gallagher-openpgp-code-point-exhaustion
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/8IhBT8sSRC2c25uBWFK-nOewnvM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

On 19 Mar 2025, at 04:15, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote:
> 
> Hi Andrew,
> 
> Thanks for writing this up and raising this. I was planning to mint a last-minute new revision of the persistent symmetric keys draft but will hold off on it now. In our original implementation we actually used 64&65 instead of 128&129 so I'm happy to revert back to that if needed.

Thanks! To be clear, I have no objection in principle to reserving a special range for persistent symmetric keys - my only concern is future-proofing the namespace. :-)

> However, to be perfectly honest I'm a bit worried by the additional complexity proposed here and I'm not sure it's fully necessary in general.

I’m not convinced either - I doubt that the majority of the registries will ever reach 128, let alone 256. However, I wanted to be as complete as possible, so that there is some form of extension scheme available for each registry, just in case. And minimising the number of distinct extension schemes feels like the most conservative option.

> The most (potentially) constrained algorithm registry seems to be the public key algorithms (especially if folks want to add a lot more hybrid combinations and so on), but even there we have a lot of space. And it's not covered by a preferred algorithm subpacket so the self-synchronizing property is not needed, I think. So, we could do something much simpler, like saying 255 = see next two octets, or something like that.

I did think about that, however algorithm IDs are used in all sorts of potentially ambiguous places, not just preference packets, and self-synchronisation ensures that there can be no aliasing in any context. Remember also that this scheme would have to be robust against arbitrary future specifications, not just currently-existing ones.

> So, I would personally be tempted to say: let's figure this stuff out if we actually get anywhere close to running out of algorithms; I'm not sure we gain all that much from doing the work to support variable-length algorithm IDs for all registries before it's needed anywhere, and there might be many registries where it's never needed.

Absolutely do not implement any of this yet! This is far-future stuff - but I still believe it is worth publishing now, to remind ourselves that OpenPGP is a multi-decade project, and we should avoid painting the spec into a corner that future developers will not thank us for.

> In the worst case scenario where we're in 2050 and we need/want 250 new hash algorithms, perhaps to celebrate the joyous year, we could always define a "Preferred Hash Algorithms V2" subpacket which e.g. uses two octets per algorithm ID instead of one, so that parsing is still super simple (at the cost of a few extra bytes) and then in all other contexts we can also just use 255 = see next two octets.

We could do that - but then we’d need to support the v1 and v2 formats in parallel for some time while implementations catch up, and there would be potential for confusion if they were inconsistent. And this is just one registry...

A

v2.31.3 | Report a Bug | By Email | System Status