[openpgp] Minor comments on current draft
"Neal H. Walfield" <neal@walfield.org> Fri, 02 December 2022 14:40 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF3FC14F6E5 for <openpgp@ietfa.amsl.com>; Fri, 2 Dec 2022 06:40:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5DBemqHe_y16 for <openpgp@ietfa.amsl.com>; Fri, 2 Dec 2022 06:40:09 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [202.61.250.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4F6EC14F728 for <openpgp@ietf.org>; Fri, 2 Dec 2022 06:40:09 -0800 (PST)
Received: from p5de92f23.dip0.t-ipconnect.de ([93.233.47.35] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1p17Cw-0001zb-Nx for openpgp@ietf.org; Fri, 02 Dec 2022 15:40:06 +0100
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <neal@walfield.org>) id 1p17Cv-001N8S-Mo for openpgp@ietf.org; Fri, 02 Dec 2022 15:40:06 +0100
Date: Fri, 02 Dec 2022 15:40:05 +0100
Message-ID: <87edth50oq.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: IETF OpenPGP WG <openpgp@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/oeKvGt6nBWpK_eX5AyuZfZK2BL4>
Subject: [openpgp] Minor comments on current draft
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 14:40:13 -0000
Hi all, First of all, thank you to the design team for coming up with the excellent draft! I've already posted a few bigger questions. Here are some minor points that I collected. I also created an MR for some (I think) trivial copy editing issues that I found: https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/221 Overall, I'm quite happy with the result. Neal General comment =============== Some of the tables are quite functional whereas some are rather pretty. For instance, there are two tables in Section 6.3. The first one uses 7-bit ASCII characters to create the table's frame whereas the second one uses the extended ASCII box drawing characters. I think the document ought to standardize on one convention, preferably the latter one. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-6.3 Minor Issues ============ > 4.3. Packet Tags > > | 20 | yes | Reserved (formerly AEAD | > | | | Encrypted Data Packet) | https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-4.3 "formerly" implies to me that the packet was specified, but the AEAD packet was never actually specified by an RFC. Perhaps s/formerly/unspecified/ would be a bit better. > 5.2. Signature Packet (Tag 2) > > Implementations MUST NOT create version 3 signatures; they MAY > accept version 3 signatures. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2 Perhaps: they MAY accept version 3 signatures *made by v4 keys, but MUST NOT accept v3 signatures made by v5 keys*. Further, perhaps also add, as has been done in other places like Section 14.7: if it is known to be dealing with historic archived legacy data, and the user is aware of the risks. > 5.2.3.11. Preferred Symmetric Ciphers for v1 SEIPD> > > It is assumed that only algorithms listed are supported by the > recipient's software. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.11 The Preferred AEAD Ciphersuites subsection (the next subsection) says that AES-128-OCB is implicitly included in that preference. No default is not mentioned here, but it is mentioned in Section 13.2 Symmetric Algorithm Preferences. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-13.2 I think it would be good to mention the default here for consistency purposes, and also because this is a change in behavior. For instance, at least GnuPG assumes 3DES is the default, since, I think, it is the mandatory-to-implement algorithm in 4880: https://gitlab.com/sequoia-pgp/sequoia/-/issues/522 > 5.2.5. Malformed and Unknown Signatures > > In some cases, a signature packet (or its corresponding One-Pass > Signature Packet, see Section 5.4) may be malformed or unknown. For > example, it might encounter any of the following problems (this is ^^ > not an exhaustive list): https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.5 The antecedent of "it" appears to be signature packet, but I don't think the signature packet encounters a problem; the OpenPGP implementation does. > 5.4. One-Pass Signature Packets (Tag 4) > > An application that encounters a v5 One-Pass Signature packet > where the key version number is not 5 MUST treat the signature as > invalid (see Section 5.2.5). https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.4 Section 5.2.5 talks mostly about Malformed and Unknown Signatures. (It does mention "invalid" signatures once, but it doesn't really define that term.) Perhaps it makes sense to tighten up the wording and say that the OPS packet is malformed. > 5.5.2. Public-Key Packet Formats > > V3 keys are deprecated; an implementation MUST > NOT generate a v3 key, but MAY accept it. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.5.2 There are several places in the standard where an implementation MAY do something IF it is dealing with archived data, e.g.: An implementation that encounters malleable ciphertext MAY choose to release cleartext to the user if it is not encrypted using AEAD, and it is known to be dealing with historic archived legacy data, and the user is aware of the risks. I think it would be good to add the same qualifier to the use of v3 keys here. > 13.2. Symmetric Algorithm Preferences > > The symmetric algorithm preference is an ordered list of algorithms > that the keyholder accepts. Since it is found on a self-signature, > it is possible that a keyholder may have multiple, different > preferences. For example, Alice may have AES-128 only specified for > "alice@work.com" but Camellia-256, Twofish, and AES-128 specified for > "alice@home.org". https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-13.2 Can we please change "alice@work.com" and "alice@home.org" to "<alice@work.com>" and "<alice@home.org>"? Section 5.11 says that by convention User IDs are an [RFC2822] mail name-addr, but as-is, these are not valid name-addrs. Further, the common regular expression used in trust signatures: <[^>]+[@.]example\.com>$ wouldn't match the above User IDs. That said, these are already better than the User IDs used in the example in Section 5.2.3.7, which was carried over from 4880: > 5.2.3.7. Notes on Self-Signatures > > For example, suppose a key has two user names, Alice and Bob https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.7 Could we update those names, too? > 13.9. OpenPGP CFB Mode > > When using a version 1 Symmetrically Encrypted Integrity Protected > Data packet (Section 5.13.1) or --- for historic data --- a > Symmetrically Encrypted Data packet (Section 5.7), OpenPGP does > symmetric encryption using a variant of Cipher Feedback mode (CFB > mode). This section describes the procedure it uses in detail. This > mode is what is used for Symmetrically Encrypted Integrity Protected > Data Packets (and the dangerously malleable --- and deprecated --- > Symmetrically Encrypted Data Packets). https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-13.9 The first (When using...) and third (This mode...) sentences seem redundant to me and ought to be combined. > 14. Security Considerations > > * The DSA algorithm will work with any hash, but is sensitive to the > quality of the hash algorithm. Verifiers should be aware that > even if the signer used a strong hash, an attacker could have > modified the signature to use a weak one. Only signatures using > acceptably strong hash algorithms should be accepted as valid. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-14 This seems unnecessary given that Section 13.5 says: > An implementation MUST NOT sign or verify using DSA keys. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-13.5 > 14. Security Considerations > > +=====================+===========+====================+ > | Asymmetric key size | Hash size | Symmetric key size | > +=====================+===========+====================+ > | 1024 | 160 | 80 | https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-14 This only applies to RSA, Elgamal, and DSA, but those are partially (RSA) or completely (DSA, Elgamal) deprecated. Perhaps it make sense to talk about ECC curve sizes instead. > 14. Security Considerations > > For example, although CAST5 is presently considered strong, https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-14 but, Section 9.3 says: > Implementations MUST NOT encrypt data with IDEA, TripleDES, or > CAST5. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-9.3 This should be made consistent. I think section 14 should be changed. 4880 lints ========== Minor issues that I caught that are also in 4880: > 3.2. Multiprecision Integers > > ... > > The length field of an MPI describes the length starting from its > most significant non-zero bit. Thus, the MPI [00 02 01] is not > formed correctly. It should be [00 01 01]. > > ... > > Unused bits of an MPI MUST be zero. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-3.2 Reading the rules, it seems like the following MPI is valid and has the value "1": [00 01 02]. I don't think this is intended. Probably the section should say that any zero padding must occur on the left. > 5.2.3.5. Signature Subpacket Specification > > ... > > An implementation SHOULD ignore any subpacket of a type that it does > not recognize. > > Bit 7 of the subpacket type is the "critical" bit. If set, it > denotes that the subpacket is one that is critical for the evaluator > of the signature to recognize. If a subpacket is encountered that is > marked critical but is unknown to the evaluating software, the > evaluator SHOULD consider the signature to be in error. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.5 I feel like these two paragraphs should be reversed and the first paragraph changed to indicate that this only applies to subpackets that don't have the critical bit set. > 5.2.3.5. Signature Subpacket Specification > > ... > > if an implementation > chooses not to implement some of the preferences, it is required to > behave in a polite manner to respect the wishes of those users who do > implement these preferences. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.5 I don't understand what is meant here. What does "polite manner" mean? (I'm not being picky here: I really don't understand.) > 5.2.3.7. Notes on Self-Signatures > > For certification self-signatures, each User ID may have a self- > signature https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.7 perhaps each User ID and each User Attribute? > 5.2.3.7. Notes on Self-Signatures > > Subpackets that appear in a certification self-signature > apply to the user name https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.7 user name seems to be a new term. Why not User ID? (In which case, why not also User Attribute?) > 5.2.3.28. Reason for Revocation > > Such a revocation SHOULD include a 0x20 code. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-5.2.3.28 The table uses decimal, but the text uses hexadecimal. I think it would be better to use one format or the other.
- [openpgp] Minor comments on current draft Neal H. Walfield
- [openpgp] User ID addr-spec (was: Minor comments … Ángel
- Re: [openpgp] User ID addr-spec (was: Minor comme… Neal H. Walfield