IETF Logo Mail Archive

Re: [openpgp] "OpenPGP Simple"

Christoph Anton Mitterer <calestyo@scientia.net> Tue, 17 March 2015 04:08 UTC

Return-Path: <calestyo@scientia.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2583B1A0018 for <openpgp@ietfa.amsl.com>; Mon, 16 Mar 2015 21:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aea-WuQm2Mfe for <openpgp@ietfa.amsl.com>; Mon, 16 Mar 2015 21:08:44 -0700 (PDT)
Received: from mailgw02.dd24.net (mailgw-02.dd24.net [193.46.215.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 802941A000E for <openpgp@ietf.org>; Mon, 16 Mar 2015 21:08:44 -0700 (PDT)
Received: from mailpolicy-01.live.igb.homer.key-systems.net (mailpolicy-01.live.igb.homer.key-systems.net [192.168.1.26]) by mailgw02.dd24.net (Postfix) with ESMTP id 5E3F25FB8B for <openpgp@ietf.org>; Tue, 17 Mar 2015 04:08:43 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mailpolicy-01.live.igb.homer.key-systems.net
Received: from mailgw02.dd24.net ([192.168.1.36]) by mailpolicy-01.live.igb.homer.key-systems.net (mailpolicy-01.live.igb.homer.key-systems.net [192.168.1.25]) (amavisd-new, port 10236) with ESMTP id Y00oxLthRiKC for <openpgp@ietf.org>; Tue, 17 Mar 2015 04:08:41 +0000 (UTC)
Received: from heisenberg.fritz.box (ppp-93-104-121-105.dynamic.mnet-online.de [93.104.121.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailgw02.dd24.net (Postfix) with ESMTPSA for <openpgp@ietf.org>; Tue, 17 Mar 2015 04:08:41 +0000 (UTC)
Message-ID: <1426565320.18487.45.camel@scientia.net>
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: openpgp@ietf.org
Date: Tue, 17 Mar 2015 05:08:40 +0100
In-Reply-To: <20150315175744.GG2978@singpolyma-liberty>
References: <20150315175744.GG2978@singpolyma-liberty>
Content-Type: multipart/signed; micalg="sha-512"; protocol="application/x-pkcs7-signature"; boundary="=-heDZ34uL9OPGp1+QOS2k"
X-Mailer: Evolution 3.12.9-1+b1
Mime-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Bgq1CUMe3uadEU5QZDn8z2Dta18>
Subject: Re: [openpgp] "OpenPGP Simple"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 04:08:46 -0000

On Sun, 2015-03-15 at 12:57 -0500, Stephen Paul Weber wrote: 
> One of the big obstacles to OpenPGP deployments that I've faced over time is 
> the perception that it's "too complicated", mostly based on the sheer size 
> of the current RFC.
Uhm? Compared to other standards it seems to be rather simple.

Apart from that, not everyone needs to (neither should one) re-invent
the wheel.
I don't say that there should be no more than one implementation of
OpenPGP, but having too many is just bad for security.
That being said - we already have a number of implementations which
cover the standard quite well - what's wrong with [contributing to|
using] them?


> 1) Sections of the RFC define what you might call "extras", such as the 
> ASCII Armor (including a checksum unused elsewhere in the spec)
As some others already said, using e.g. MIME would be better - but ASCII
armors aren't just used when sending mail (people use it e.g. to post
their raw key on a website or things like that).
So if ASCII Armors are dropped, the standard should refer to something
else that is used instead - just to prevent that people are using all
different froms of base64 encoding, uuencode, etc.


> 2) There are a lot of backwards-compatibility things (old-style lengths, 
> lots of different algorithms)
Agree with that.


> Is there any prior art on IETF specs having a "full" and "simple" form where 
> full implementations can read any output of simple ones, but not always 
> vice-versa?
I'd say that this is rather a bad idea.
For many standards where this was done it caused more troubles than
good.
It's also security-wise a problem:
Who decides what's not critical enough for the base standard? Is it
guaranteed that implementations that don't implement the "full" standard
are still secure?

And often it just means that simply no one ever implements the
extensions to the base standard (think of the dozens of JPEG2000
profiles). If something is so special that it wouldn't be needed in the
base standard, one should perhaps question whether it's needed at all.


Cheers,
Chris.

v2.23.0 | Report a Bug | By Email