Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages

Andrew Gallagher <andrewg@andrewg.com> Wed, 24 May 2023 13:36 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59B7BC13AE32 for <openpgp@ietfa.amsl.com>; Wed, 24 May 2023 06:36:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7XrMxilihnxF for <openpgp@ietfa.amsl.com>; Wed, 24 May 2023 06:36:14 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 165D2C13AE2D for <openpgp@ietf.org>; Wed, 24 May 2023 06:36:13 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by fum.andrewg.com (Postfix) with ESMTPSA id 191E65F763; Wed, 24 May 2023 13:36:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1684935371; bh=tSIk4Im3wmBhiTkM31XV4rTtjY4U+uONlzWm5tDDm18=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=PmfRPXItPrD9FbP4OUwrs3H0pQSnj5ulFQwSjaxWRTI/97Uevng8lf/SDRyE5VZtJ 2bjHlyqwXYenxUBYcqBKzuuDnSQcOBb7jpXwgym6ud+8OCSoPV8px1k6+o/K5tvQKg vI+PE4vKhAbvLgvr6LHHRmf/NLeJT/fQsUZD9svA0o9XuXrBhtKrTYyE0RoIBI+iMc YnEsg4nVck2Y9qB6mw8hUCdLUjNX2r/n6GTrSVGgf4K8xtCJ0YvJ+UnsFOCm1qRLM1 Md562X8OINduBCKolDPRh1Pd+gQTIlulc9CYdIIsL3LjV7B/Pu1N/7BPK5DLRmOeZK tN6ry4ObpCYfQ==
From: Andrew Gallagher <andrewg@andrewg.com>
Message-Id: <86C7B915-B0CE-4947-91E2-694D2EFD0E07@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_40FA34E7-2D97-4710-9F46-64C55B94756C"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Wed, 24 May 2023 14:35:53 +0100
In-Reply-To: <87o7m99952.fsf@europ.lan>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Daniel Huigens <d.huigens@protonmail.com>, IETF OpenPGP WG <openpgp@ietf.org>
To: Justus Winter <justus@sequoia-pgp.org>
References: <LaSdaOASqnixctT3XuZHNIeldK2IPqJvHbqo_qkFjdrMBOQ4SKhiWl_76xq2P6l2Wts9rJ6MTTRLfpj9sqyG4_F4etjNcgEt6pmmtuyfsBY=@protonmail.com> <87h6s2hezc.fsf@fifthhorseman.net> <87o7m99952.fsf@europ.lan>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/UP8fLk0x6e8md4eNUnC2IS1BVg8>
Subject: Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 13:36:18 -0000

On 24 May 2023, at 14:00, Justus Winter <justus@sequoia-pgp.org> wrote:
> 
>> # Forbid CSF for v6 Signatures
> 
> Not keen on that.  Even though I think the CSF should be avoided, it
> seems popular.

I would much prefer this option.

Clearsigning is a UX can of worms. If a message is partially signed, it is just as important to cryptographically verify the boundary of the signed message as it is to verify its content. A UI that relies on a human-readable boundary that is wide open to charset mangling and other formatting abuse is just asking for trouble.

I’d suggest that the reason CSF is popular is because it allows people to bypass cryptographic verification by eyeballing the source format, which defeats the entire purpose. If efail taught us anything, surely it is: if it doesn’t verify, don’t display it at all.

A