Re: [openpgp] Intent to deprecate: Insecure primitives

Tom Ritter <tom@ritter.vg> Sat, 11 April 2015 14:30 UTC


On 8 April 2015 at 13:36, Christoph Anton Mitterer
<calestyo@scientia.net> wrote:
> On Wed, 2015-04-08 at 15:32 +0000, David Leon Gil wrote:
>> Brief update on plans for deprecation: The tracking issue is at
>> https://github.com/yahoo/end-to-end/issues/31
>>
>> Please feel free to open another issue if you have specific
>> objections. I will either be convinced by your arguments, and change
>> the plan, or explain why I don't.
>
> Look, as I've pointed out previously, I personally think that crypto,
> done as a web app is inherently untrustworthy.
>
> Maybe I just got something wrong, but AFAIU the idea of "e2e" projects
> like yours is to add e2e crypto into your webapps, e.g. via javascript.
> Thus the software doing crypto is each time downloaded again from the
> server by the client, right?

No. Most (and by most I mean the more high-profile ones that try to do
it as correctly as possible[0]) have moved virtually all operations into
a browser extension.  It is downloaded and installed once, updated
based on how the browser updates extensions, and (for better or worse)
mediates through a third party (the browser's add-on store) to prevent
individual targeting of users by the plugin author.


> So ultimately control is again fully at the vendor (at any time he could
> send other code and no one would notice), and fully dependent on a
> working https (which is as we should all know by now inherently insecure
> due to the issues of the CA system).

No, as above, and regarding the CA system - which itself is addressed
by some projects and services using HPKP.



On 10 April 2015 at 11:46, ianG <iang@iang.org> wrote:
>> Look, as I've pointed out previously, I personally think that crypto,
>> done as a web app is inherently untrustworthy.
>
> Which is out of scope for this list, right?

Agreed. But I feel compelled to correct factual inaccuracies.

> I saw no such implication.  I personally appreciate it when vendors actually
> do tell us what they are doing when that affects the way many users are
> going to be using the product.  In our fishbowl, we sometimes lack the
> context of what happens out in the field, so news of that nature - hopefully
> concise and clear - is welcome.  To me at least.

Double agreed.  I wouldn't want a working group to be an -announce
list of product releases, but since I literally found a completely new
OpenPGP plugin yesterday (gpg4o), I'm happy to read concise reports on
how different plugins/tools operate at the standard layer, and that
nebulous 'above-standard' layer like PGP/MIME quirks.  One day one of
them may help me figure out how my Outlook server is broken wrt
mac's gpgtools and some-but-not-all other PGP clients.

-tom

[0] Yahoo and Google's E2E, CryptoCat, Mailvelope