Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages

iang <iang@iang.org> Wed, 24 May 2023 22:00 UTC

lol...

jokes aside, cleartext signing was useful back in the old days - PGP was 
mostly used for email, and email didn't have binary or attachment 
capabilities until "much later".

Sometime in the early 2000s this question came up, and I was the only 
strong defender of cleartext signing which was used for a thing called 
Ricardian contracts.  There didn't seem to be too many other fans or 
users at the time.

But, since then, around 2011, I abandoned OpenPGP bc maintaining it was 
just too hard, and did my own stack for Ricardians and all the other 
stuff.  Never looked back, maintaining own stack is like a fifth of the 
work and arguably more secure bc so much more focus and tightness and 
clear lines of responsibility.

Point being, why not ask who's using it?  If nobody, then maybe it can 
be deprecated in new forms?

iang

On 24/05/2023 21:10, Andrew Gallagher wrote:

> On 24 May 2023, at 14:36, Andrew Gallagher 
> <andrewg=40andrewg.com@dmarc.ietf.org> wrote:
>>
>> I’d suggest that the reason CSF is popular is because it allows 
>> people to bypass cryptographic verification by eyeballing the source 
>> format,
>
> And of course there’s an XKCD for that: 
> https://imgs.xkcd.com/comics/pgp.png