Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section.

Paul Wouters <paul@nohats.ca> Thu, 29 April 2021 03:59 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 264903A2DB4 for <openpgp@ietfa.amsl.com>; Wed, 28 Apr 2021 20:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNWwE-CbqqI0 for <openpgp@ietfa.amsl.com>; Wed, 28 Apr 2021 20:58:56 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83F0A3A2DB0 for <openpgp@ietf.org>; Wed, 28 Apr 2021 20:58:55 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4FW1vb3Ltsz1K7; Thu, 29 Apr 2021 05:58:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1619668731; bh=KKVZPrRlLRrENHAcPBMj5RVu8r/NCN5WRLkFsGDCTuA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Mbsj3Kt2dx08MrSJlBDZwFQdqHNRZnBpi0uXXRXOh5HvLpoJNVyujCoZsR134y/Cb AtGoDBGHyJrK4kRAS20JzZfAxJxZ3jidUz5hDDkUx7Uqf0wLeo7vqp7mPBnfiCGQw8 8ycCHe1QMFeAabi0fa/8VSDjmMZ3yLvD/bgP34Jg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 8b7AyuFh4bRa; Thu, 29 Apr 2021 05:58:50 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 29 Apr 2021 05:58:50 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id DFE856029A70; Wed, 28 Apr 2021 23:58:48 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DE91966B7C; Wed, 28 Apr 2021 23:58:48 -0400 (EDT)
Date: Wed, 28 Apr 2021 23:58:48 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: =?ISO-8859-15?Q?=C1ngel?= <angel@16bits.net>
cc: openpgp@ietf.org
In-Reply-To: <b4c6cb0b929dff027b28df546e4d90560dbba94f.camel@16bits.net>
Message-ID: <dba9a771-a2b5-640-a9ba-7883b174ddd4@nohats.ca>
References: <87wnu86mep.fsf@fifthhorseman.net> <20210324021213.333485-1-dkg@fifthhorseman.net> <87pmzp2taf.fsf@fifthhorseman.net> <26945b02701cdbcf7af0ebd3adaa325b91021be7.camel@16bits.net> <87blb72yto.fsf@fifthhorseman.net> <029c60b6a313d33cf5cc7e15791be8c0c582370c.camel@16bits.net> <ba29e6e3-7fe8-4ed6-819c-b0d0a22ec24@nohats.ca> <b4c6cb0b929dff027b28df546e4d90560dbba94f.camel@16bits.net>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=ISO-8859-15
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/dC5pozD5pDKTOwqhgvC1R8hq1W4>
Subject: Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section.
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2021 03:59:01 -0000

On Sat, 27 Mar 2021, Ángel wrote:

>> And that the place within the document might be right too?
>
> That's an editorial matter, but I don't think so. I find the security
> section to contain many things without a clear script, just a mixture
> of things related to security. The problem is that most of the rfc has
> some relation to security :-)
> There are rfcs with only a few security points to note. Having a
> section listing all of them is good. But I don't think that's suitable
> for OpenPGP.
>
> I would prefer to see as little as possible on the Security
> Considerations, with the points within the most relevant section to the
> topic. See for example how I positioned the line about you MUST use
> Iterated and salted s2k at the part discussing rather than in that
> generic section. IMHO that makes more sense, instead of having a S2K
> requisite in a complete separate part of the document.

> Nevertheless, the Security Considerations need an overhaul. There are

This is a good point and I've added this as an issue:

https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/29

>>> (*) A phrase that got removed but should be recovered is «MDC MUST be
>>> used when a symmetric encryption key is protected by ECDH.». I pondered
>>> where to move it, but I concluded that should better go at its own
>>> changeset stating that new algorithms cannot be used without MDC i.e.
>>> they cannot be used with the "Symmetrically Encrypted Data Packet"
>>> (still somewhat redundant, as that one MUST NOT be created).
>>
>> If others agree, we need a tracking item for this too?
>
> Yes, probably. Unless we get a quick consensus on this topic.

We did not, so I opened a tracking item for this too:

https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/30

>>> Additionally, the phrase "A compliant application MUST only use
>>> iterated and salted S2K"... is also mostly fine, but I had already
>>> covered a proposal for that one in the previous
>>> https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/42
>>
>> I would need to hear from more people about this change to see if
>> there is consensus for this.
>>
>> speaking with no roles others than an individual:
>
> This part was proposed in February on a different thread. I am moving
> your comment there and replying in that one:
>
> https://mailarchive.ietf.org/arch/msg/openpgp/ml5gzuQtSY6ANBejs8Xk66x_abQ

I've merged in this change in a seperate commit, please review as part
of the next draft update. (commit 464ac8232f9)

Paul