IETF Logo Mail Archive

Re: [openpgp] New encryption formats for messaging

Christoph Anton Mitterer <calestyo@scientia.net> Mon, 23 March 2015 19:59 UTC

Return-Path: <calestyo@scientia.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F96D1A0439 for <openpgp@ietfa.amsl.com>; Mon, 23 Mar 2015 12:59:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjLF3_DS5h47 for <openpgp@ietfa.amsl.com>; Mon, 23 Mar 2015 12:59:54 -0700 (PDT)
Received: from mailgw01.dd24.net (mailgw-01.dd24.net [193.46.215.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C36B11A03E3 for <openpgp@ietf.org>; Mon, 23 Mar 2015 12:59:53 -0700 (PDT)
Received: from mailpolicy-01.live.igb.homer.key-systems.net (mailpolicy-02.live.igb.homer.key-systems.net [192.168.1.27]) by mailgw01.dd24.net (Postfix) with ESMTP id 9CD495FBB3 for <openpgp@ietf.org>; Mon, 23 Mar 2015 19:59:52 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mailpolicy-02.live.igb.homer.key-systems.net
Received: from mailgw01.dd24.net ([192.168.1.35]) by mailpolicy-01.live.igb.homer.key-systems.net (mailpolicy-02.live.igb.homer.key-systems.net [192.168.1.25]) (amavisd-new, port 10235) with ESMTP id l1i2Q30M9suA for <openpgp@ietf.org>; Mon, 23 Mar 2015 19:59:50 +0000 (UTC)
Received: from heisenberg.fritz.box (ppp-93-104-121-105.dynamic.mnet-online.de [93.104.121.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailgw01.dd24.net (Postfix) with ESMTPSA for <openpgp@ietf.org>; Mon, 23 Mar 2015 19:59:50 +0000 (UTC)
Message-ID: <1427140788.10191.75.camel@scientia.net>
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: openpgp@ietf.org
Date: Mon, 23 Mar 2015 20:59:48 +0100
In-Reply-To: <5510578A.80304@iang.org>
References: <CAA7UWsUz65C0GAQo8Yf7ZOeT9BYy+NLV5pbbPg+Ok0-72ca1eA@mail.gmail.com> <1426721882.4249.72.camel@scientia.net> <5510578A.80304@iang.org>
Content-Type: multipart/signed; micalg="sha-512"; protocol="application/x-pkcs7-signature"; boundary="=-sx0+1bna6HYIpDP0bExI"
X-Mailer: Evolution 3.12.9-1+b1
Mime-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/QUXqEJtKnZ5rjtw2J18YyAa91vk>
Subject: Re: [openpgp] New encryption formats for messaging
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 19:59:56 -0000

On Mon, 2015-03-23 at 18:12 +0000, ianG wrote: 
> On 18/03/2015 23:38 pm, Christoph Anton Mitterer wrote:
> > Looking at the context you come from (Yahoo) I must note, that the big
> > players seem to have discovered security recently ... o.O
> Hmmm... so our technique is to punish people for wanting to improve. 
> Grand...
Where did I "punish" someone and/or where is my observation wrong?


> New to some, but it has a long history:  Kerckhoffs' 6th principle:
> 
> "6. Finally, it is necessary, given the circumstances that command its 
> application, that the system be easy to use, requiring neither mental 
> strain nor the knowledge of a long series of rules to observe."
> 
> Writing about cryptography communications systems in 1883.
> 
> http://www.financialcryptography.com/mt/archives/000195.html


> I think this is simply wrong.  This is no principle.  TOFU has proved 
> itself.
Then we can probably abolish fingerprints verification in the next
versions of OpenPGP implementations altogether,... if TOFU works, why
should anyone bother to check their keys o.O


> If you don't want to use it, that's fine, but the notion that 
> it's "not secure" is simply rubbish because security is a relative risks 
> thing, not an absolute thing, and it is extremely unlikely
I kinda amused every time security based on such assumptions.
Some 5 years ago, the masses still thought that they're not victims of
mass surveillance and that their emails and data would be safe.
Nowadays people think that TOFU would provide high security and that NSA
and friends would never dare to abuse that...


> Empirically, I just today got my first 419 hit on Skype, which was set 
> up to let others see my name - their mistake on default install.  After 
> about a decade of usage?
Well, NSA and friends probably don't bother to attack systems like Skype
on the crypto level, one can be quite sure that they have other means
for these =)


> Even including the notion that Microsoft now copies it all to the NSA, 
> that's still only 4 parties with capability to connect to me:  Me, my 
> friends, Microsoft and NSA.
uhm... great? o.O


> > To be honest, Yahoo, doesn't have the best security record, and in
> > general I wouldn't trust any web-based crypto app regardless of who it
> > wrote.
> >
> > That being said, I agree that it shouldn't be easy to make a well
> > designed crypto system insecure by settings - but not if this means that
> > one takes away valid functionality from the more experienced users.
> 
> Why do you prioritise "experienced users" above the lesser experienced? 
>   Do they pay more money?  Is this the Church Of BOFHs?  Do they pay 
> their dues by helping others?  From your writings it seems unlikely...
Actually I don't. I just don't prioritise lesser experienced users over
experienced ones.
What I prioritise is the intention of crypto, which is security.



> > b) Why should there be only one?
> > I think its a wrong assumption that code will become more secure by
> > supporting less algos/systems.
> > If a project cannot develop/maintain more of them securely it's rather a
> > sign for lack of funding/manpower.
> Ah.  So you see that handling more algorithms is a cost for big 
> companies to meet and therefore a barrier to entry which makes for less 
> choice and eventual balkanisation.  What about opportunity cost - time 
> spent managing and debugging algorithms that are rarely if ever used - 
> could be better spent on getting more usability?
The biggest "usability" problem we likely have nowadays in crypto is
that people would need to understand what they do and mutually
authenticate each other.
Apart from that we have quite nice UIs at all levels, don't we?
gnupg is actually quite nice for people who want to use command line, we
have fine tools like enigmail.

I somehow have the feeling, that for many people "usability" means not
noticing crypto at all, but I guess that just won't work.


> That argument didn't work.  Basically when ever a problem was found, it 
> couldn't be solved by an algorithm switch, 9 times out of 10.  The one 
> time that a problem was found, it was solved by ... a switch *backwards* 
> to RC4.  Not exactly a happy result.
So problems in the alogs themselves don't count for you? I.e. we could
still use MD5 since problems in it aren't solved by e.g. SHA2?
Or we should still use DES, since an algorithm switch couldn't solve
it's problems?



> >> A3. Do not specify things which are infeasible to thoroughly test.
> >> This implies avoiding combinatorial complexity, which the OpenPGPv4
> >> spec doesn't.
> > As above, I doubt you can really check every combination, and I wouldn't
> > want to sacrifice too much, just for being able to do so - especially
> > not diversity of algorithms.
> When has diversity of algorithms ever bought user advantage?
Nothing in that his screen becomes more colourful or that his
"experience" would be more like 4K than just HD.

*If* someone does crypto, than probably because he wants to be secure.
So if diversity enhances security or at least allows one to switch more
easily in case it gets necessary (which of course you disputed above),
then it benefits the user by helping with his original goal (being
secure).


> I can think of (been told) one case:  the "Russians GOST" requirements. 
>   Frankly, I'm not that keen to let them do that.  If *every* government 
> did it, then we'd be in a pickle, and we'd not be talking to any of them 
> at all.  So why do we care about the Russians?
Agreed. But hopefully the whole crypto standardisation would go anyway
rather into community hands now.


> > Disagreeing with the "We only need two hash functions at most.".
> >
> > Diversity is good (of course we should only include secure algos),
> > especially when one expects that each algo sooner or later sees
> > weaknesses.
> Well, sure, on paper.  But if you had a process to switch then you could 
> also ... use that process to switch!  Why not just roll out v+1 ?
How long does it usually take us to roll out v+1? Take SSL/TLS, how many
years have SSL still been used while it should have not? The same for
MD5, the same for RC4, and so on.


Cheers,
Chris.

v2.23.0 | Report a Bug | By Email