Re: [openpgp] Proposed Patch to RFC4880bis to reserve two public key numbers

"Derek Atkins" <> Thu, 07 July 2016 14:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C69912D56E for <>; Thu, 7 Jul 2016 07:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UHMWp3qcGc7M for <>; Thu, 7 Jul 2016 07:09:41 -0700 (PDT)
Received: from (MAIL2.IHTFP.ORG []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4C55912D531 for <>; Thu, 7 Jul 2016 07:09:34 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 36104E2030; Thu, 7 Jul 2016 10:09:03 -0400 (EDT)
Received: from ([]) by localhost ( []) (amavisd-maia, port 10024) with ESMTP id 15775-05; Thu, 7 Jul 2016 10:09:00 -0400 (EDT)
Received: by (Postfix, from userid 48) id 73A61E2039; Thu, 7 Jul 2016 10:09:00 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1467900540; bh=l/Qhqwxr0y3mESHGPt2Jk7+zz2t3jQu/6YFlf8utcC4=; h=In-Reply-To:References:Date:Subject:From:To:Cc; b=eHdmavgu1jZgko7rrV1VIP2OLX+hoSP0g6ylTKzpCIVtN5w0I0+rlq3SV1usE4R31 a55dav/DtrQMvl3KrBgqhZKFc/p+HIjRapg/zY7VZVLonTLa41aFjBI2ZDaSRU76D6 5C5Nz7PFQl0qUa/xGmSLIwdwqOV0wJ2liGAP1igA=
Received: from (SquirrelMail authenticated user warlord) by with HTTP; Thu, 7 Jul 2016 10:09:00 -0400
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <>
Date: Thu, 07 Jul 2016 10:09:00 -0400
From: Derek Atkins <>
To: Stephen Farrell <>
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <>
Cc:, Derek Atkins <>
Subject: Re: [openpgp] Proposed Patch to RFC4880bis to reserve two public key numbers
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Jul 2016 14:09:43 -0000

On Thu, July 7, 2016 8:43 am, Stephen Farrell wrote:
> On 07/07/16 13:33, Derek Atkins wrote:
>> You brought up a paper showing a weak key/keyset and said there was no
>> response, I pointed out a response.  I wasn't trying to discuss relative
>> merits and agree this is not the place to do so.  But you started it ;)
> Well, no - 'twas you guys started proposing AE I think:-)

No, I just asked to reserve some code points.  I suppose I could have
called them "Fred" and "George" if that makes you feel any better?  But
back to the technical side of things:

I chose OpenPGP because I feel it is the better fit for our company use
cases.  I had a lot of pushback at the time about why not use X.509? 
Indeed, looking back X.509 would have certainly been an easier route to
take; we just need an OID (gee, that was easy to acquire) and plug it in
and we're done.  But the arguments against X.509 (data size, code size,
strictness, etc) outweighed what I believed to be the "battle" of
obtaining OpenPGP code points.

Frankly, given the history of OpenPGP I thought it would be pretty easy. 
There's historically been very little pushback -- someone wants to get a
code point for their use, okay, let's give it to them.  This way everyone
else, when they see a message, knows *what* it is (even if they can't
actually decode it).

So yeah, mea culpa for bringing in the AE baggage.  Let's call them Fred
and George and move on?  Or do you have something against the Fred and
George algorithms having code points?  ;-)  Seriously, though, let me ask
you the same question that was posed the other week:  what is the *harm*
in defining these code points in the registry?  There is no harm in
thinking someone might use it unknowingly, because that's technically not
feasible.  There's no harm in someone being able to decipher a packet and
know "oh, this is a Fred packet".  Now, what is the harm of NOT defining
these in the registry?  Well, there is the possibility that down the road
it might get re-defined and used by some other algorihtm and now there are
two different things in the wild.  (c.f. historical openness of accepting
code point requests).

So let's look at this from a protocol/registry standpoint and not a
cryptographic standpoint, since that's what this request is really about.


       Derek Atkins                 617-623-3745   
       Computer and Internet Security Consultant