[Sam Hartman] Openpgp comments

Derek Atkins <derek@ihtfp.com> Mon, 18 September 2006 15:32 UTC

Received: from [] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GPL78-0007Fz-4C for openpgp-archive@lists.ietf.org; Mon, 18 Sep 2006 11:32:54 -0400
Received: from balder-227.proper.com ([]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GPL76-0004ov-Mo for openpgp-archive@lists.ietf.org; Mon, 18 Sep 2006 11:32:54 -0400
Received: from balder-227.proper.com (localhost []) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IF2mMa043007; Mon, 18 Sep 2006 08:02:48 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8IF2mXm043006; Mon, 18 Sep 2006 08:02:48 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.ihtfp.org (MAIL.IHTFP.ORG []) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8IF2k62043000 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 08:02:47 -0700 (MST) (envelope-from warlord@MIT.EDU)
Received: from cliodev.pgp.com (CLIODEV.IHTFP.ORG []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail.ihtfp.org (Postfix) with ESMTP id D3F11BD8548 for <ietf-openpgp@imc.org>; Mon, 18 Sep 2006 11:02:46 -0400 (EDT)
Received: (from warlord@localhost) by cliodev.pgp.com (8.13.7/8.13.1/Submit) id k8IF2ifi003340; Mon, 18 Sep 2006 11:02:44 -0400
From: Derek Atkins <derek@ihtfp.com>
To: ietf-openpgp@imc.org
Subject: [Sam Hartman] Openpgp comments
Date: Mon, 18 Sep 2006 11:02:44 -0400
Message-ID: <sjmd59txlnv.fsf@cliodev.pgp.com>
User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d

Forwarded with permission.

It looks like we still have some work to do on rfc2440bis.
Do we need a meeting in San Diego?  If so, I need to
request it today.


--- Begin Message ---
 Hi.  I'm sorry it has taken so long but I needed to spin up to speed
 on openpgp standards, read the old 2440, read the new doc, understand
 some of the political history and then talk to Russ.

I'm Basically done with the new doc.  I want to work through the
description of PGP CFB mode, but that's all I have left.

However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.

The first is the lack of IANA registries.  I understand this is left
over from 2440.  Back then, the IESG was much more willing to approve
documents without IANA registries.  Even in recent times the IESG has
done this--for example, RFC 4120 doesn't have IANA registries created.
It's actually my negative experience with RFC 4120 as well as changes
in IESG membership that cause me to be quite certain that PGP needs
IANA registries for all its parameters.  This is doubly true if we're
closing down the working group.  You can use standards action as the
registration policy if you are concerned about interactions with the
rest of the spec.  Take a look at RFC 2434.  The one caution I'd
suggest is that if you use the IESG approval registration policy,
please give the IESG clear guidelines on what we should look for.
"Evaluate using the same criteria as standards actions" is a fine
criteria as is something like "avoid security and interoperability

The second issue is the encryption with integrity packet.  Today this
is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
for that and I think we need to support SHA-256 now.

I realize both of these issues are large.

I'd be happy to get together with you and the authors on a conference
call if that would be useful.

--- End Message ---

       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant