Re: [openpgp] Stop dragging around old material, please!

"Neal H. Walfield" <neal@walfield.org> Thu, 17 November 2022 21:42 UTC

Date: Thu, 17 Nov 2022 22:42:34 +0100
Message-ID: <874juxfeb9.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>
Cc: Rick van Rein <rick@openfortress.nl>, openpgp@ietf.org
In-Reply-To: <fvPH4We_ezrhe8JowNy5giZ2RlJe9T2KO9N18iI2NarMEIOHikcsW8bU695b8ws2Rv7qFG6Su0v7_H8F-lin5zh5I9ahF-tCKAujbREM3uw=@protonmail.com>
References: <20221117020904.GA11610@openfortress.nl> <fvPH4We_ezrhe8JowNy5giZ2RlJe9T2KO9N18iI2NarMEIOHikcsW8bU695b8ws2Rv7qFG6Su0v7_H8F-lin5zh5I9ahF-tCKAujbREM3uw=@protonmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/qBAuWhUNOU5rsta0C2upN5Jl1j0>
Subject: Re: [openpgp] Stop dragging around old material, please!
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>

Hi Daniel,

On Thu, 17 Nov 2022 16:30:42 +0100,
Daniel Huigens wrote:
> I just wanted to say that I didn't mean to dismiss your point of view,
> and actually I agree with trying to get rid of legacy stuff. I'm not
> sure if it's possible in this particular case but that doesn't mean
> that it's not worth discussing, IMO.
> 
> There are in fact some things in the spec that I think implementations
> *can* get away with not implementing; V3 keys and signatures being one
> of them (we haven't supported it for quite a while).

A small comment: we just added support for v3 signatures to Sequoia
due to their prevalence in the rpm world as discussed in
https://bugzilla.redhat.com/show_bug.cgi?id=2141686.  This comment by
the maintainer of rpm summarizes the situation:

  So, basically everything signed by obs-signd is affected as it
  defaults to OpenPGP v3 signatures. And that being used by OBS and
  multiple other places for signing rpms, this affects at least

  - opensuse (and so presumably their enterprise offerings too but can't verify that)
  - copr
  - rpmfusion

  I don't know what RHEL is signed with, but packages in RHEL 7-9
  (didn't bother with older) are signed using OpenPGP V3 signatures
  too.

  So there really is only one conclusion to make: this is a no-go
  until Sequoia adds support for verifying V3 signatures. Or the world
  catches up, which is going to be years before all relevant content
  signed with V3 has dropped out of relevance, even if everybody
  started just now.

  FWIW, Fedora itself and also Mageia appear to have V4 signatures, at
  least as of current versions.

  https://bugzilla.redhat.com/show_bug.cgi?id=2141686#c23

Neal
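
The distinction the rpm maintainer is pointing at is a wire-format one: a v3 signature packet carries its creation time and issuer key ID as fixed fields in a fixed order, while a v4 packet carries them in hashed and unhashed subpackets, so a verifier that only understands the v4 layout rejects v3 packets before it ever looks at the MPIs. The following is an added example, not code from this thread, from Sequoia, rpm or obs-signd: a minimal Python parser that reads the OpenPGP packet header and the version octet and pulls out the fields needed to report which format a signature is in. The packet layouts follow RFC 4880 (sections 4.2, 5.2.2, 5.2.3 and 5.2.3.1); the two sample packets at the bottom are constructed test vectors with a placeholder MPI and a made-up key ID, so they parse but would never verify.

```python
"""Tell v3 from v4 OpenPGP signature packets (added example, not project code).

Layouts per RFC 4880: 4.2 (packet headers), 5.2.2 (v3), 5.2.3 (v4),
5.2.3.1 (subpacket encoding). Sample packets are constructed test vectors.
"""
import struct

SIGNATURE_TAG = 2          # packet tag of a signature packet
SUBPKT_CREATION_TIME = 2   # v4 subpacket: signature creation time
SUBPKT_ISSUER = 16         # v4 subpacket: 8-byte issuer key ID


def _parse_packet_header(data, offset=0):
    """Return (tag, body_start, body_len) for the packet header at offset.

    Old-format headers (bit 6 clear) use 1/2/4-octet lengths, new-format
    headers (bit 6 set) use 1/2/5-octet lengths. Indeterminate and partial
    body lengths are rejected; signature packets do not use them in practice.
    """
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths are not supported")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if length_type == 0:
        return tag, offset + 2, data[offset + 1]
    if length_type == 1:
        return tag, offset + 3, struct.unpack(">H", data[offset + 1:offset + 3])[0]
    if length_type == 2:
        return tag, offset + 5, struct.unpack(">I", data[offset + 1:offset + 5])[0]
    raise ValueError("indeterminate packet length is not supported")


def _iter_subpackets(area):
    """Yield (type, body) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        # length covers the type octet plus the body; bit 7 of the type is "critical"
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length


def parse_signature_packet(data):
    """Parse the first packet in data (must be a signature packet) into a dict:
    version, sigtype, pk_algo, hash_algo, created (epoch secs), issuer (hex key ID or None)."""
    tag, start, length = _parse_packet_header(data)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated signature packet")
    version = body[0]
    if version == 3:
        # v3: version, 0x05, sigtype, 4-octet time, 8-octet key ID, pk algo, hash algo, left16, MPIs
        if body[1] != 5:
            raise ValueError("v3 signature: hashed-material length octet must be 5")
        return {"version": 3, "sigtype": body[2], "created": struct.unpack(">I", body[3:7])[0],
                "issuer": body[7:15].hex().upper(), "pk_algo": body[15], "hash_algo": body[16]}
    if version == 4:
        # v4: version, sigtype, pk algo, hash algo, hashed subpackets, unhashed subpackets, left16, MPIs
        info = {"version": 4, "sigtype": body[1], "pk_algo": body[2], "hash_algo": body[3],
                "created": None, "issuer": None}
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        pos = 6 + hashed_len
        unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
        unhashed = body[pos + 2:pos + 2 + unhashed_len]
        for sub_type, sub in _iter_subpackets(hashed):       # creation time is only trusted if hashed
            if sub_type == SUBPKT_CREATION_TIME:
                info["created"] = struct.unpack(">I", sub[:4])[0]
        # Issuer is conventionally unhashed; the hashed area is scanned first so a signed one wins
        for sub_type, sub in list(_iter_subpackets(hashed)) + list(_iter_subpackets(unhashed)):
            if sub_type == SUBPKT_ISSUER and info["issuer"] is None:
                info["issuer"] = sub[:8].hex().upper()
        return info
    raise ValueError(f"unsupported signature version {version}")


def signature_version(data):
    """Version of the signature packet in data, or None if it is not a parseable v3/v4 signature."""
    try:
        return parse_signature_packet(data)["version"]
    except ValueError:
        return None


# Constructed test vectors (not real signatures): placeholder MPI and made-up key ID.
_FAKE_MPI = b"\x00\x08\xAB"                      # MPI of bit length 8, value 0xAB
_KEY_ID = bytes.fromhex("0123456789ABCDEF")
_CREATED = struct.pack(">I", 1600000000)
# Old-format header 0x88 = tag 2 with a one-octet length; body is 22 octets.
V3_SIG = (bytes([0x88, 22]) + bytes([3, 5, 0x00]) + _CREATED + _KEY_ID
          + bytes([1, 2]) + b"\xDE\xAD" + _FAKE_MPI)
# New-format header 0xC2 = tag 2 with a one-octet length; body is 29 octets.
_HASHED = bytes([5, SUBPKT_CREATION_TIME]) + _CREATED   # creation-time subpacket (hashed)
_UNHASHED = bytes([9, SUBPKT_ISSUER]) + _KEY_ID          # issuer subpacket (unhashed)
V4_SIG = (bytes([0xC2, 29]) + bytes([4, 0x00, 1, 8])
          + struct.pack(">H", len(_HASHED)) + _HASHED
          + struct.pack(">H", len(_UNHASHED)) + _UNHASHED + b"\xBE\xEF" + _FAKE_MPI)
```

Run against the raw signature packet taken from a package's signature header (how you extract those bytes depends on your tooling and is not shown here), `signature_version` answers directly whether a given rpm is among the v3-signed content the bug report describes; a result of `None` means the packet is neither v3 nor v4, which is exactly the case a v4-only verifier would reject.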