IETF Logo Mail Archive

Re: [openpgp] Intent to deprecate: Insecure primitives

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 16 March 2015 10:46 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBA451A86F2 for <openpgp@ietfa.amsl.com>; Mon, 16 Mar 2015 03:46:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQXqzRft62Jc for <openpgp@ietfa.amsl.com>; Mon, 16 Mar 2015 03:46:49 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D8F81A86F0 for <openpgp@ietf.org>; Mon, 16 Mar 2015 03:46:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E2C65BE4C; Mon, 16 Mar 2015 10:46:45 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eJ_bUM5JKlOa; Mon, 16 Mar 2015 10:46:44 +0000 (GMT)
Received: from [10.87.48.73] (unknown [86.46.20.71]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 8D237BE47; Mon, 16 Mar 2015 10:46:44 +0000 (GMT)
Message-ID: <5506B493.5050209@cs.tcd.ie>
Date: Mon, 16 Mar 2015 10:46:43 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, David Leon Gil <coruus@gmail.com>, "openpgp@ietf.org" <openpgp@ietf.org>, "dgil@yahoo-inc.com" <dgil@yahoo-inc.com>
References: <CAA7UWsWBoXpZ2q=Lv151R593v3u=SPNif39ySX_-8=fqMniiVg@mail.gmail.com> <87sid5si30.fsf@alice.fifthhorseman.net>
In-Reply-To: <87sid5si30.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/hUF13ADNoM8P3SLz2zvUPPwneHM>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 10:46:52 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


(with no hats)

On 16/03/15 04:05, Daniel Kahn Gillmor wrote:
> I'm happy to see a high bar personally, but this is likely to
> invalidate many 2048-bit keys

My experience is that it's far far easier to deprecate
things that only have an effect in-line compared to wanting
to invalidate long term things like key values, esp.
public key values that are distributed around the Internet.

So even if one would like to do the latter then I think
it'd be a really good plan to separate that part of the
argument as it's likely to be much trickier. We had a
similar set of issues as we transitioned from DomainKeys
to DKIM - in that case the proponents of DomainKeys
were (correctly) extremely reluctant to break the few
deployments that were then-current. And I think we got
that right in that the WG changed the wire-formats and
signature algorithm requirements but in such a way that
already-deployed public keys continued to work.

I'd also note that we ought be cognizant that the fall
back here is e2e plaintext. If one considers RFC7435
then I think there's an argument to be considered for
allowing crypto that is perhaps approaching it's
sell-by date but that is clearly not yet past it's
use-by date. (And of course one can have fine arguments
about both dates;-) And if we wanted to invalidate
current keys, then I think that also puts an onus on
us to consider how to figure out the migration path
from working->broken->working-again.

Lastly, I'd note that e2e email security is a thing
where we (IETF and the broader tech community) have
failed pretty consistently because we made it too hard.

By failed, I mean e2e security is not something that is
commonly used by billions of folks. Part of that is UI,
but some of it is IMO also because we chose to try to
gold-plate security which made usability even worse. I
think the classic example with smime was requiring a
certificate before anything works - while such decisions
may have made sense for the 1990's enterprise, they
do not make sense in today's environment. So I think we
should be very wary of failing again through attempting
to gold-plate by mandating less commonly supported (by
dev. environments) algorithms or keys.

If there's a real need to invalidate old keys then let's
see that technically justified and if we must, then try
do that in a way that brings along the few million current
users rather than in a way that locks those out.

But I'm not yet convinced that there really is such a
need.

S.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVBrSTAAoJEC88hzaAX42i7+AH/ilxL3Yc9qnNRMEejGaAva+l
JXBuR9yig1xipFeN3nB+5tI6MOjGkgsfv0HC6OmdaACfF3PZIlLQT9B2B0DUCALD
EkmVUWCNGpiwduv3qMVnNb11Ryf/vr8KJMkAzAOqGwGHd1LjBOuMpIoOtDgcLnqq
iWOXBwkCl+RIuGp3afXQKtcb6K329WnwewaC6rEA1rueVx25bbfQLAVpN8o92eGH
sbroL7Ih4Wp3EM6oqoJTRvAUiKNEQ1mN/YaH0vRsmccbu1ekN+qvR13PW2GpOFj/
8H4tWF52MxXxF7pOIP9nfZicBgPcrUwQ3MD4fxu7Rih3UbR8SDJM4p+xC5rge6s=
=IDUt
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email