IETF Logo Mail Archive

Re: [openpgp] Intent to deprecate: Insecure primitives

David Leon Gil <coruus@gmail.com> Wed, 08 April 2015 15:32 UTC

Return-Path: <coruus@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A4A71B3230 for <openpgp@ietfa.amsl.com>; Wed, 8 Apr 2015 08:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pAYFBSDfUTlp for <openpgp@ietfa.amsl.com>; Wed, 8 Apr 2015 08:32:08 -0700 (PDT)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30FC21A1B0D for <openpgp@ietf.org>; Wed, 8 Apr 2015 08:32:08 -0700 (PDT)
Received: by igblo3 with SMTP id lo3so41561284igb.0 for <openpgp@ietf.org>; Wed, 08 Apr 2015 08:32:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-type; bh=LrPPXoUZ4QPE+WYNChK5yd4vpX36eYu1Kk5vKrssdFc=; b=z5B0GRD6OkOyRa0PJGzi9WW+tILOP/4eI7U4Mi3pgxkliMs8uMk6m4sHGVJBbzPQLK hyBLt5k4vnFBHPcQeNttDDlZ/qEU+Uv1YCdNVzmO2c/f7kAQjAzGmw6EAC5d1W36mEvK 1uJhw3UvFo3sR03vRGRyAHMBxIgtrwav8G+8NzwDglpCFWvCUH3fvLRU0eslbPFcdQJz LAU/tdi+Y9UiaLWKnO4gAFUm5DVUhVz2gjN8tSOIu8yRXkx2+E/3vxxvu64ezngJ/DLw 6zOA3aPO1wbidq586d+ullYKWdduNLoHROyDosYg46HG49aoN3XergHlDecqReyUt5cl IO8g==
X-Received: by 10.50.97.41 with SMTP id dx9mr12661393igb.1.1428507127741; Wed, 08 Apr 2015 08:32:07 -0700 (PDT)
MIME-Version: 1.0
References: <r422Ps-1075i-0DF0A0ED5D364ECAABA63F541D9C6A16@Williams-MacBook-Pro.local> <sjmmw3bk6lt.fsf@securerf.ihtfp.org> <1427138741.10191.48.camel@scientia.net>
In-Reply-To: <1427138741.10191.48.camel@scientia.net>
From: David Leon Gil <coruus@gmail.com>
Date: Wed, 08 Apr 2015 15:32:07 +0000
Message-ID: <CAA7UWsWNWoj_5tv=TKnQaFXvpGqJgX+jcZyT1EAdJ=tAM10qGg@mail.gmail.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>, openpgp@ietf.org
Content-Type: multipart/alternative; boundary="047d7b10cd53e886070513383b7a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/JrLP7is6yvKgFPa93aK1SAqPEbE>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 15:32:13 -0000

Brief update on plans for deprecation: The tracking issue is at
https://github.com/yahoo/end-to-end/issues/31

Please feel free to open another issue if you have specific objections. I
will either be convinced by your arguments, and change the plan, or explain
why I don't.

On Mon, Mar 23, 2015 at 12:25 PM Christoph Anton Mitterer <
calestyo@scientia.net> wrote:

> On Tue, 2015-03-17 at 11:04 -0400, Derek Atkins wrote:
> > Show me an MUA that does this, please?  None of the OpenPGP-aware MUAs
> > I've ever used have this feature, as far as I know.  I suppose I could
> > go out of my way to replace the encrypted email with a
> > re-encrypted/plaintext email.
> >
> > But frankly I'd like my encryption software to just maintain the ability
> > to decrypt it later.
>
> While I don't think that implementations should throw away old algos
> (even if insecure) - the should just no longer use it for creating new
> content, and should only decrypt/verify signatures with appropriate
> warnings, I'd say that the question of long term storage of
> encrypted/signed content (e.g. mails) is (and should be) beyond the
> scope of OpenPGP.
> That being said, the WG shouldn't alter the decisions it makes based on
> that question, but rather only on security considerations.
>
>
> As for e.g. long term email storage:
> - if you just store them as received over the wire (i.e.
> encrypted/signed) they may very well become insecure over time, so the
> original purpose of confidentiality and authenticity is no longer
> guaranteed (by leaving them with the old encryption/signature).
>
> - constantly re-encrypting them seems to be not feasible, and you cannot
> re-sign mails from someone else.
>
> - IMHO the appropriate way would be for a MUA to record that the mail
> was sent encrypted to you and by whom of your contacts it was signed (if
> any of that was the case) - for later reference.
> And any further protection of the content should be handled by disk
> encryption.
>
>
> Cheers,
> Chris.
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>

v2.23.0 | Report a Bug | By Email