IETF Logo Mail Archive

Re: [openpgp] How to re-launch the OpenPGP WG

Christoph Anton Mitterer <calestyo@scientia.net> Tue, 17 March 2015 03:59 UTC

Return-Path: <calestyo@scientia.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25CE41ACE01 for <openpgp@ietfa.amsl.com>; Mon, 16 Mar 2015 20:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJJKeBqPYX7S for <openpgp@ietfa.amsl.com>; Mon, 16 Mar 2015 20:59:17 -0700 (PDT)
Received: from mailgw02.dd24.net (mailgw-02.dd24.net [193.46.215.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A8091ACDFF for <openpgp@ietf.org>; Mon, 16 Mar 2015 20:59:17 -0700 (PDT)
Received: from mailpolicy-01.live.igb.homer.key-systems.net (mailpolicy-02.live.igb.homer.key-systems.net [192.168.1.27]) by mailgw02.dd24.net (Postfix) with ESMTP id 8FE805FB8A; Tue, 17 Mar 2015 03:59:15 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mailpolicy-02.live.igb.homer.key-systems.net
Received: from mailgw02.dd24.net ([192.168.1.36]) by mailpolicy-01.live.igb.homer.key-systems.net (mailpolicy-02.live.igb.homer.key-systems.net [192.168.1.25]) (amavisd-new, port 10236) with ESMTP id l5V_h14sz4hc; Tue, 17 Mar 2015 03:59:13 +0000 (UTC)
Received: from heisenberg.fritz.box (ppp-93-104-121-105.dynamic.mnet-online.de [93.104.121.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailgw02.dd24.net (Postfix) with ESMTPSA; Tue, 17 Mar 2015 03:59:13 +0000 (UTC)
Message-ID: <1426564752.18487.35.camel@scientia.net>
From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Derek Atkins <warlord@MIT.EDU>
Date: Tue, 17 Mar 2015 04:59:12 +0100
In-Reply-To: <sjm3859nhe1.fsf@securerf.ihtfp.org>
References: <878uf2iehi.fsf@vigenere.g10code.de> <1426218768.22326.80.camel@scientia.net> <874mppgyez.fsf@vigenere.g10code.de> <sjm3859nhe1.fsf@securerf.ihtfp.org>
Content-Type: multipart/signed; micalg="sha-512"; protocol="application/x-pkcs7-signature"; boundary="=-jVemCJWGxu7dFFr3x9Sc"
X-Mailer: Evolution 3.12.9-1+b1
Mime-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/cNVYJz-2rlILm_wnUN5JiJYbJc8>
Cc: Werner Koch <wk@gnupg.org>, openpgp@ietf.org
Subject: Re: [openpgp] How to re-launch the OpenPGP WG
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 03:59:19 -0000

Also to answer Werner's comment ("OpenPGP does not define the Web of
Trust.  There is no standard for it.")

On Fri, 2015-03-13 at 09:42 -0400, Derek Atkins wrote: 
> This was explicitly out of scope from the former OpenPGP WG.  I think
> that was a GOOD THING, and I believe it should remain out of scope.
I was probably a bit unclear in what I wrote. I've mainly meant:
The functionality of OpenPGP shouldn't be limited in such a way that
what we can do now with it (e.g. the web of trust, or trust hierarchies
via the trust signatures) would no longer be possible.

Apart from that I basically agree that OpenPGP itself (i.e. the RFC for
the message format) shouldn't define a trust system (e.g. the web of
trust), BUT:
a) it might(!) make sense for another RFC to do this on an informal
basis
b) currently we have several things (well at least the different levels
of user signatures 0x10-0x13) which are pretty much undefined, useless,
ambiguous and therefore even dangerous.
0x10 and 0x11 have at least some "proper" definition, but they don't
tell how implementations should react on them (=> dangerous).
0x12 and 0x13 are quite vague and ambiguous.


> IMHO we shouldn't define how OpenPGP is used, only what it inputs and
> outputs.
Phew... well... perhaps not how it's used, but it should be always clear
how a message is to be interpreted - I think I've mentioned some
examples where this is not really the case, and these obviously also
affect the trust and usage model.


> For the record, draft-atkins-openpgp-device-certificates already extends
> the Attribute Subpacket with a String ID (similar to the UserID).
*If* attributes are to be extended (e.g. in ways as I've proposed in my
previous mail) than I think this is really something that needs
considerable effort to be spent upon.
Properties should be well defined, there shouldn't be too many
properties for actually same things but OTOH one shouldn't be to
reluctant to add new ones when it makes sense. Stuffing everything in a
few generic attributes would be quite bad.


Cheers,
Chris.

v2.23.0 | Report a Bug | By Email