Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section.

Paul Wouters <paul@nohats.ca> Fri, 26 March 2021 03:27 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20BD23A0A1C for <openpgp@ietfa.amsl.com>; Thu, 25 Mar 2021 20:27:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mqr0J__izzOQ for <openpgp@ietfa.amsl.com>; Thu, 25 Mar 2021 20:27:21 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 364643A0A1E for <openpgp@ietf.org>; Thu, 25 Mar 2021 20:27:21 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4F66pt14fBz35r; Fri, 26 Mar 2021 04:27:18 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1616729238; bh=eR+/9bFXNN858xiW4XlgX2F3tKjyAyHrctASd7OHOF4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=ChQ5YGSE6mWW0CLjpnA9lsSJy8aQstr0l11T1biU9NzkWYM2TTyoJodcClHmlsRxi T04PL4lghNK7TRbWnvRqWJIxhxPPpWNRVTB3E2gh8tLIPY5dnAw151txrhg7XzFlL0 tLXj3NXqdbMP8EYVqqNWThKPaYBeL3diz53g5G5k=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id hc_XmGRnTKyC; Fri, 26 Mar 2021 04:27:16 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 26 Mar 2021 04:27:16 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 1CF0660299AB; Thu, 25 Mar 2021 23:27:15 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 142AC6FD7F; Thu, 25 Mar 2021 23:27:15 -0400 (EDT)
Date: Thu, 25 Mar 2021 23:27:15 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: =?ISO-8859-15?Q?=C1ngel?= <angel@16bits.net>
cc: openpgp@ietf.org
In-Reply-To: <029c60b6a313d33cf5cc7e15791be8c0c582370c.camel@16bits.net>
Message-ID: <ba29e6e3-7fe8-4ed6-819c-b0d0a22ec24@nohats.ca>
References: <87wnu86mep.fsf@fifthhorseman.net> <20210324021213.333485-1-dkg@fifthhorseman.net> <87pmzp2taf.fsf@fifthhorseman.net> <26945b02701cdbcf7af0ebd3adaa325b91021be7.camel@16bits.net> <87blb72yto.fsf@fifthhorseman.net> <029c60b6a313d33cf5cc7e15791be8c0c582370c.camel@16bits.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Ym5J-1SQd-AwFLT0ypqyDCqUU18>
Subject: Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section.
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2021 03:27:26 -0000

On Fri, 26 Mar 2021, Ángel wrote:

>> I'm attaching the
>> proposed patch below so that people following the list can see it.
>
> Hi Daniel
>
> Yep. I wanted it to appear on top of merge_requests/41 but did not find
> how to do that. Happy to learn how to do that.
>
> Now that Paul has merged your branch, I have rebased it and opened a
> direct MR against the main repository:
> https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/44

I had a look at it. While some text indeed is weird because of the move
from an ECC only document into the generic bis document, I think some
of the text you suggest removing might still make sense, such as the
recommendations of hash algorithms for these curves. And that the place
within the document might be right too?

> I considered it. That (and folllowing) paragraphs look mostly fine. The
> problem there is the part about "use the strongest algorithms specified
> in this document". On 6637 that refers to the algorithm strength it is
> defining (i.e. the previous paragraphs that get removed). I considered
> whether it could be amended. That could end up as "use the strongest
> algorithms as defined by local policy", "as defined by the implementer"
> or some similarly vague description which wasn't really satisfactory.
> Also note that "specified in this document" changes meanings when put
> in 4880-refresh than in 6637 which was just about ECC.

I agree that needs fixing. The question is how/when to do this. If we
cut the entire section as you propose, we need to a file a tracking bug
to re-evaluate what to bring back, revised or verbatim later on in the
process when we are pulled up all the existing non-controversial work.

> I think we're better clearing it and seeing what is importable. I may
> have missed some sentence, but I doubt you could keep most of it as
> such.*

I think that could work, but let's get the opinion of a few others ?

> (*) A phrase that got removed but should be recovered is «MDC MUST be
> used when a symmetric encryption key is protected by ECDH.». I pondered
> where to move it, but I concluded that should better go at its own
> changeset stating that new algorithms cannot be used without MDC i.e.
> they cannot be used with the "Symmetrically Encrypted Data Packet"
> (still somewhat redundant, as that one MUST NOT be created).

If others agree, we need a tracking item for this too?

> Additionally, the phrase "A compliant application MUST only use
> iterated and salted S2K"... is also mostly fine, but I had already
> covered a proposal for that one in the previous
> https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/42

I would need to hear from more people about this change to see if there
is consensus for this.

speaking with no roles others than an individual:

You suggest:

 	- Implementations SHOULD use salted or iterated-and-salted S2K specifiers,
 	- as simple S2K specifiers are more vulnerable to dictionary attacks.
 	+ Simple S2K and Salted S2K specifiers are not particularly secure when used
         + with a low-entropy secret, such as those typically provided by users, and
         + implementations SHOULD avoid using these methods on encryption of both keys and messages.
 	[...]
 	- A compliant application MUST only use iterated and salted S2K to protect private keys,
         - as defined in {{iterated-and-salted-s2k}}, "Iterated and Salted S2K".

I think merging these two as you done is fine. I would try to use "SHOULD NOT use"
instead of "SHOULD avoid".

I don't think the phrasing of "not particularly secure".  Can it not just say "weak" or
"vulnerable to low cost attacks" ?

Also, if it is this bad, why is this a SHOULD and not a MUST ? That is,
when would be a valid reason for an implementation to ignore the SHOULD?

> If you find other phrases being removed that you think should have been
> kept, I would be happy discuss them in more detail. But for now, and
> after carefully reviewing the change itself, I stand by the proposal I
> did.

Note I only looked at the diff, I did not go looking for other phrases.

Paul