Re: [openpgp] "OpenPGP Simple"
Phillip Hallam-Baker <hallam@gmail.com> Sun, 22 March 2015 18:04 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D851A0022 for <openpgp@ietfa.amsl.com>; Sun, 22 Mar 2015 11:04:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aiu6uUoKCll for <openpgp@ietfa.amsl.com>; Sun, 22 Mar 2015 11:04:35 -0700 (PDT)
Received: from mail-qc0-x230.google.com (mail-qc0-x230.google.com [IPv6:2607:f8b0:400d:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63D311A0004 for <openpgp@ietf.org>; Sun, 22 Mar 2015 11:04:35 -0700 (PDT)
Received: by qcbjx9 with SMTP id jx9so90995507qcb.0 for <openpgp@ietf.org>; Sun, 22 Mar 2015 11:04:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=QeH7sz2+7ie0hrY8RqTLUxJnPEId35yhu0rC9jYwajY=; b=aotDHtABvSRhQRtyAYunvFu/c/Tb5sdPz/1IdiYBzq6TJ24ZiUpjvt5agaVebwHFA9 ZW6xnzYYcjH7VMlzEkjmNAzNEo3E+dv1twG69ZbxfqaKVS9RpkCM61WvCK9PRqkTEkve +h6e/vsvm+Ox8/DJUDnMH7Zu1IAvVNJ+b/bGzTLowUV4qMQLhI80pEgSnXAr9w+2TX8x eaKCLIcTFiT28sITf+sUmHem8fLWtMjOCis5ceQ8U/f2S6fjDA457veMNF8MovhWo0R1 5Hgzo8Z5dyxjD9RHZugTrO2gLbMiheb0K7kFAeklcL4i24wHxiYZuxcwWNtXEQcjT7xO rJZg==
X-Received: by 10.140.152.10 with SMTP id 10mr85945966qhy.40.1427047474712; Sun, 22 Mar 2015 11:04:34 -0700 (PDT)
Received: from [10.56.108.80] (mobile-107-107-61-60.mycingular.net. [107.107.61.60]) by mx.google.com with ESMTPSA id 10sm7488934qha.38.2015.03.22.11.04.32 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 22 Mar 2015 11:04:33 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Phillip Hallam-Baker <hallam@gmail.com>
X-Mailer: iPhone Mail (12B436)
In-Reply-To: <CAAS2fgSOU-CwQFXzpWaKAmztZM720JUgu4ObTM5Ebxv0rnDkVw@mail.gmail.com>
Date: Sun, 22 Mar 2015 14:04:31 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <C9A52BF4-DFDF-4B5E-ACE5-52AB2F72056A@gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB9A25@uxcn10-5.UoA.auckland.ac.nz> <CAAS2fgSOU-CwQFXzpWaKAmztZM720JUgu4ObTM5Ebxv0rnDkVw@mail.gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Jq6lADkykX1aggLkUGcl9Qx2mkM>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [openpgp] "OpenPGP Simple"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2015 18:04:37 -0000
In this case the security problem was created by an unjustified assumption that the relying party would verify the canonical encoding So no, this is a problem the canonicalists caused. Sent from my difference engine > On Mar 22, 2015, at 12:17, Gregory Maxwell <gmaxwell@gmail.com> wrote: > > On Sun, Mar 22, 2015 at 3:48 PM, Peter Gutmann > <pgut001@cs.auckland.ac.nz> wrote: >> This issue has been known for a long, long time (well, I guess not by the > OpenSSL authors :-) > > Yes, it was known by me in advance of that CVE as well. > >> In other words the PKIX approach is to decide on a wrong solution >> (blacklists), and then to break other things (certificate IDs) in order to >> perpetuate the wrong solution. > > And yet, in the end of the day users who thought they were secure are > left insecure. > > How many years of compromises must people be subjected to before we, > in industry, become mature enough to develop systems which remain > secure _in practice_ in the face of design and implementation errors > by avoiding designs which have repeatedly resulted in breaks and > defending in depth? > > We cannot know in advance what procedures and protocols people will > build in the future. If our abstractions are less safe-- if they have > a large amount of surprising hidden behavior such as non-canonical > encodings-- then the review requirements for anyone attempting to > build on them becomes unreasonably large and the amount of failure > will increase. The true complexity of a modern application is beyond > what any one mind can fully grasp at one time, we all must manage > complexity by abstraction, and some designs lead to safer abstraction > than others. > > That an approach that was taken, like blacklisting, by a downstream > user of a cryptosystem design which stupid and wrong may also be true > and it's fine to also say that when it is so... But that fact does not > excuse specifying a protocol which is a footgun when it could have > been avoided with little cost (or, in the case of BER.. lower cost, > since a complete BER implementation is very complex). People will do > stupid things, from time to time, if our cryptosystems can only be > secure with completely perfect use then we might as well give up and > go home because perfect use will not happen and demanding it at all > times is an unreasonable cost which can easily outweighs the benefits > of the tools. > > Sometimes there is a trade-off where there is a exclusive choice > between a valuable feature and a footgun. In those cases, it often is > reasonable to accept the footgun. > > I have _never_ seen such an argument for overcomplete encodings; other > than for the sake of compatibility with legacy systems (for > cryptographic tools this compatibility is inevitably lost due to other > reasons, like the legacy systems being insecure). The overcomplete > encodings massively increase the review and testing burden (the usual > response is to just fail to test sufficiently) and as a result hide > bugs. They inherently increase the communication overhead (not that it > matters, the context where they come up are are usually very > inefficient to begin with) when they are possible, but subsetting them > out (like DER does to BER) hardly increases the overhead compared to > 'optimal' use. > > Sadly, it is infeasible to uncover in advance all the corner cases in > a spec that will surprise people and contribute to vulnerability; but > in cases where we've /seen/ problems in the wild we should not respond > by blaming the victims that misused the use fragile constructions, > once we know they're fragile we should avoid them where possible. > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Werner Koch
- Re: [openpgp] "OpenPGP Simple" Wyllys Ingersoll
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" Jon Callas
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Werner Koch
- Re: [openpgp] "OpenPGP Simple" David Leon Gil
- Re: [openpgp] "OpenPGP Simple" David Shaw
- Re: [openpgp] "OpenPGP Simple" David Leon Gil
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" David Shaw
- Re: [openpgp] "OpenPGP Simple" Christoph Anton Mitterer
- Re: [openpgp] "OpenPGP Simple" Jon Callas
- Re: [openpgp] "OpenPGP Simple" Jon Callas
- Re: [openpgp] "OpenPGP Simple" Tim Bray
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" Werner Koch
- Re: [openpgp] "OpenPGP Simple" Wyllys Ingersoll
- Re: [openpgp] "OpenPGP Simple" Nicholas Cole
- Re: [openpgp] "OpenPGP Simple" Phill
- Re: [openpgp] "OpenPGP Simple" Derek Atkins
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Wyllys Ingersoll
- Re: [openpgp] "OpenPGP Simple" Derek Atkins
- Re: [openpgp] "OpenPGP Simple" David Shaw
- Re: [openpgp] "OpenPGP Simple" Derek Atkins
- Re: [openpgp] "OpenPGP Simple" Wyllys Ingersoll
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Werner Koch
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" Werner Koch
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Christoph Anton Mitterer
- Re: [openpgp] "OpenPGP Simple" Christoph Anton Mitterer
- Re: [openpgp] "OpenPGP Simple" Derek Atkins
- Re: [openpgp] "OpenPGP Simple" Derek Atkins
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Stephan Somogyi
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Gregory Maxwell
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Gregory Maxwell
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Peter Gutmann
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Gregory Maxwell
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" Christoph Anton Mitterer
- Re: [openpgp] "OpenPGP Simple" Christoph Anton Mitterer
- Re: [openpgp] "OpenPGP Simple" ianG
- Re: [openpgp] "OpenPGP Simple" Phillip Hallam-Baker
- Re: [openpgp] "OpenPGP Simple" ianG
- Re: [openpgp] "OpenPGP Simple" ianG
- Re: [openpgp] "OpenPGP Simple" Stephen Paul Weber