IETF Logo Mail Archive

Re: [openpgp] Padding packets

Daniel Huigens <d.huigens@protonmail.com> Tue, 21 June 2022 10:02 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BAD5C136084 for <openpgp@ietfa.amsl.com>; Tue, 21 Jun 2022 03:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UPXY_9dYAcow for <openpgp@ietfa.amsl.com>; Tue, 21 Jun 2022 03:02:21 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FF64C136082 for <openpgp@ietf.org>; Tue, 21 Jun 2022 03:02:21 -0700 (PDT)
Date: Tue, 21 Jun 2022 10:02:14 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1655805739; x=1656064939; bh=e9LeAc7O2LMGklyLcukwdSMR5mG2YqvzBumSsi6w6do=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=Pzkf39wdNaJnla7vmK309/HhsRFziftmoxbnc8iIZM/KPCD5NNDeUhNZdMIRTRUWS W74uOlC6C5TDXptzXXVvWdmnbImZxpRtxUc5rJ4Z9IfnzOAm7Hqv3rgYEQZgXdMZXR /zFT0Nsxq4seB4k9S6DkizJVmy9Ew4CJ7jFYgmp8XUOGXdK9LRvPbYSJp7hQpITGv2 cCDLq+4FQwRpMkJtKHJWvLKtGVLnbgbCraW25CVBX+ax6grXf34rmxLgX2uBEQdxl3 j7sCfpSBQrjcwY9ghmfJNiASG79dypq42PyrE3jpKn0qaMwSJLkpHqKrWFKaHU8KXG UX2OtmJT+CbmA==
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <uD26D3k2l-7O9su7otzxmVOfZSOGK4FGCoSr1YRUuRhp7vUpaSDCv1qrI7ieaWz5SEz9APsTob-AUtTP-VQ07AECoLtVlbc9m8pHtQZLz9I=@protonmail.com>
In-Reply-To: <87czf36uwi.fsf@fifthhorseman.net>
References: <87wndi88ri.fsf@wheatstone.g10code.de> <83cce07c67f67c19b06c0c4239b6f335512a9a6f.camel@16bits.net> <o17TAfJTeOZkYp5X-XwNQwnTrCaiKEGnn1ZAL1qLB5CTGKntjwv6dpCIah44pAdH8nHXa4ivte_MMtqXuKP3uhobW5kJk9E6rAEWneD11yA=@protonmail.com> <87czf36uwi.fsf@fifthhorseman.net>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/EF0GBvy-is5j1RWOAYjKraWpdWE>
Subject: Re: [openpgp] Padding packets
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2022 10:02:25 -0000

On Monday, June 20th, 2022 at 20:40, Daniel Kahn Gillmor wrote:

> - [...] a padding packet might cause a rejection if both
> implementations don't agree on how it was calculated, and

I somewhat agree. However, I think the proposed calculation is quite
simple (and in fact constant, so it can essentially be tested by a
single test case) so the risk of this is not very high. Having to hash
the previous packet does complicate it a lot though, imo.

> - risk multiple padding-packets being visible in the case of a
> compression routine wrapping the data (whether at the OpenPGP layer
> or outside of it.

To be perfectly honest, I think the protection against compression is
somewhat dubious, in general. If I pad a message and *then* compress,
there may still be length differences due to differences in the
message, so the protection the padding is meant to offer is reduced,
or even removed.

So - personally, I would also not be entirely opposed to setting the
padding to all zeros, and saying that if length protection is desired,
compression must not be used. In an encrypted message, the OpenPGP
implementation obviously has control over this itself; and in the case
of WKD the server also has control over this.

Best,
Daniel

v2.23.0 | Report a Bug | By Email