Re: [openpgp] Manifesto - who is the new OpenPGP for?

Wyllys Ingersoll <wyllys@gmail.com> Wed, 25 March 2015 13:41 UTC

Return-Path: <wyllys@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25761AD065 for <openpgp@ietfa.amsl.com>; Wed, 25 Mar 2015 06:41:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PMcFFIPEqy4H for <openpgp@ietfa.amsl.com>; Wed, 25 Mar 2015 06:41:32 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93DF21AD05B for <openpgp@ietf.org>; Wed, 25 Mar 2015 06:41:32 -0700 (PDT)
Received: by oiag65 with SMTP id g65so21372312oia.2 for <openpgp@ietf.org>; Wed, 25 Mar 2015 06:41:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=BE4gcEkc9JdvN9BeurIoi1mjeSNfumjbTvdubI3YBrg=; b=lItytVJWRgNNzkw8Xx1Eg85J6Y2yXzPi6VOQorKgjXhdMXrgx0U1o8XRK+EFheAbzB 6tTR3NJAJv71ZZLy3G4DL4tYvnlIrbYqLnBwCJOS29E0R1Efra3673p9aLKySOTglUL7 ZX8TzDyuNUmQ8rMFgxUMYfFsWmfYLztQw6llCTQc35izWtlSFYo+K5Hh1W78Sz6SrLOg UZXyDHny/hZDZ79g72foMFDliZ6IEdywbPCegl7jLrQdyaShBnJoOBG7lAkiwwCONdZu F1UCXYPNhj3D+p02Qf4vOBNR8Z4FOuj2RDjGPPzV7lIifN3mwOBFFKJ2Uvemwk2HGiRg SUFQ==
X-Received: by 10.202.202.82 with SMTP id a79mr7099874oig.5.1427290892141; Wed, 25 Mar 2015 06:41:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAA7UWsUz65C0GAQo8Yf7ZOeT9BYy+NLV5pbbPg+Ok0-72ca1eA@mail.gmail.com> <1426721882.4249.72.camel@scientia.net> <5510578A.80304@iang.org> <1427140788.10191.75.camel@scientia.net> <5510B7CF.8060308@iang.org> <1427168189.10191.241.camel@scientia.net> <5511FE82.6010807@iang.org> <87wq25iiv8.fsf@vigenere.g10code.de> <20150325130253.GC3160@singpolyma-liberty>
In-Reply-To: <20150325130253.GC3160@singpolyma-liberty>
From: Wyllys Ingersoll <wyllys@gmail.com>
Date: Wed, 25 Mar 2015 13:41:30 +0000
Message-ID: <CAHRa8=WzcwRuEGrd9ccKWfsPu--nY2z-gFsFy4Fh+hFVW4yLPw@mail.gmail.com>
To: Stephen Paul Weber <singpolyma@singpolyma.net>, Werner Koch <wk@gnupg.org>
Content-Type: multipart/alternative; boundary="001a1135293c9e0ba805121d0e3a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/VptzMMFRK1xI53ETMDSGv3JszjM>
Cc: openpgp@ietf.org, ianG <iang@iang.org>
Subject: Re: [openpgp] Manifesto - who is the new OpenPGP for?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 13:41:35 -0000

Compatibility with existing implementations should be a consideration when
making any updates to the spec.  Creating a "V5" key format is certainly
within scope.  Radically changing the packet structure or data encoding
scheme in a way that breaks all existing implementations or forces the
implementors to have 2 very different code bases to support old vs "new"
formats should be strongly discouraged.

One of the (many) problems with todays OpenPGP is that it is impossible to
update older keys to a newer format, which leads to many users continuing
to rely on old keys and implementors end up having to support the older
formats.  We could encourage users to "modernize" their keys if new formats
were designed with some thought to having an upgrade path from V4.
Revoking old keys and re-issuing your public key to your "circle of trust"
is tedious and semi complicated and most people just give up and create new
keys or stop using PGP altogether.  Certainly, weak keys should be revoked
and replaced, but "reasonable" keys that are just in an older format should
be easily updated to newer formats if possible.

IMO, the goals of an OpenPGP update should be:
1. Remove any outdated and/or insecure ciphers and hashes
2. Specify profiles for new ciphers, modes, and hashes with an eye towards
simplification.  Keep the "MUST" list short and the optional list brief but
extensible.
3. Upgrade path from V4 keys to V5 and beyond.
4. Don't fix what ain't broke.  ASCII Armor, for example.


If whatever results from this effort requires a complete rewrite of
existing OpenPGP parsing engines and reengineering existing apps from the
ground up, then it will be a complete failure and should be renamed
something else and taken to a new WG.

-Wyllys
@ipgmail



On Wed, Mar 25, 2015 at 9:03 AM Stephen Paul Weber <
singpolyma@singpolyma.net> wrote:

> >FWIW: When I kicked of this thread I was not thinking of a "new OpenPGP"
> >but of long planned extensions and updates to an existing protocol.
> >Throwing everything over board and start from scratch should not be done
> >under the label of OpenPGP;
>
> I very much agree.  To be "OpenPGP" is to be at least *able* to be
> backwards
> compatible with the current OpenPGP.  Otherwise you are something new and
> other.
>
> --
> Stephen Paul Weber, @singpolyma
> See <http://singpolyma.net> for how I prefer to be contacted
> edition right joseph
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>