Re: [openpgp] Intent to deprecate: Insecure primitives

Ben McGinnes <ben@adversary.org> Sat, 11 April 2015 19:45 UTC

Message-ID: <552979DE.1090106@adversary.org>
Date: Sun, 12 Apr 2015 05:45:34 +1000
From: Ben McGinnes <ben@adversary.org>
To: openpgp@ietf.org
References: <r422Ps-1075i-0DF0A0ED5D364ECAABA63F541D9C6A16@Williams-MacBook-Pro.local> <sjmmw3bk6lt.fsf@securerf.ihtfp.org> <1427138741.10191.48.camel@scientia.net> <CAA7UWsWNWoj_5tv=TKnQaFXvpGqJgX+jcZyT1EAdJ=tAM10qGg@mail.gmail.com> <1428518188.5137.61.camel@scientia.net>
In-Reply-To: <1428518188.5137.61.camel@scientia.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/rqrlwYsgtJ4esfPV3IcI5e7hhPs>
Subject: Re: [openpgp] Intent to deprecate: Insecure primitives

On 9/04/2015 4:36 am, Christoph Anton Mitterer wrote:
> On Wed, 2015-04-08 at 15:32 +0000, David Leon Gil wrote:
>> Brief update on plans for deprecation: The tracking issue is at
>> https://github.com/yahoo/end-to-end/issues/31
>>
>> Please feel free to open another issue if you have specific
>> objections. I will either be convinced by your arguments, and change
>> the plan, or explain why I don't.
> 
> Look, as I've pointed out previously, I personally think that crypto,
> done as a web app is inherently untrustworthy.
> 
> Maybe I just got something wrong, but AFAIU the idea of "e2e" projects
> like yours is to add e2e crypto into your webapps, e.g. via javascript.
> Thus the software doing crypto is each time downloaded again from the
> server by the client, right?
> So ultimately control is again fully at the vendor (at any time he could
> send other code and no one would notice), and fully dependent on a
> working https (which is as we should all know by now inherently insecure
> due to the issues of the CA system).

Yes, that's precisely the case and in the OpenPGP world we've already
seen precisely this situation occur with Hushmail.  IIRC it was at the
insistence of the FBI that they replaced bits of their code in order
to harvest passphrases and access messages.

Even with private keys on the user's system it still wouldn't take too
much more to compromise the system given enough pressure from a third
party (i.e. government) source.

> And even more important, none of the big companies which add that IMHO
> at best questionable web-based e2e crypto to their services, should
> expect that this would make them represent the majority of OpenPGP users
> and thus would give them a strong voice in decisions.
> Just because e.g. google would automatically enable questionable e2e
> crypto for millions of their gmail users, doesn't mean that one has a
> real "legitimate" OpenPGP user base there.

Damn straight.  I note, for example, that my key would be arbitrarily
not supported by the proposed model simply for including an ELG-E
subkey with the RSA master key for no apparent reason.  Well,
presumably the reason is Yahoo! doesn't want to pay people to write a
solid enough implementation that they can actually use without
breaking some kind of license.  I suspect the same is true with
regard to TWOFISH since, even though THREEFISH exists, there's been
no indication that it is broken or ought to be deprecated.

> For all the above reasons, I personally feel that it's not appropriate
> here at the OpenPGP WG list, to discuss single unilateral decisions made
> by an OpenPGP implementation[1].
> 
> If one says "hey, let's discuss whether we should deprecate twofish in
> OpenPGP" that's totally fine,... but informing the standardisation body
> "hey we drop now support for x, y and z" with an implicit "and since we
> represent n users, you better follow our decision" is not appropriate.

Absolutely.


Regards,
Ben