IETF Logo Mail Archive

Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages

Vincent Breitmoser <look@my.amazin.horse> Wed, 24 May 2023 13:40 UTC

Return-Path: <look@my.amazin.horse>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 974FAC13AE35 for <openpgp@ietfa.amsl.com>; Wed, 24 May 2023 06:40:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=my.amazin.horse
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gZHoWWsamfM for <openpgp@ietfa.amsl.com>; Wed, 24 May 2023 06:40:14 -0700 (PDT)
Received: from my.amazin.horse (my.amazin.horse [IPv6:2a03:4000:3f:29c::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0747C13AE40 for <openpgp@ietf.org>; Wed, 24 May 2023 06:40:14 -0700 (PDT)
Received: from [172.27.30.198] (unknown [87.130.56.210]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by my.amazin.horse (Postfix) with ESMTPSA id E1C2467318 for <openpgp@ietf.org>; Wed, 24 May 2023 15:40:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=my.amazin.horse; s=2020; t=1684935611; bh=Hm+cC94DN6KFlm9kmcNFVFxs+TK275Rh3coUZNbhX1E=; h=Date:To:References:From:Subject:In-Reply-To; b=Y9+XlpQR7zirkD4Ym0+0VX69PocCFJDdgbf8Qe0fN3J5yCMDVLrkGXa2VeDl75mf7 V9YLIdiIEvD5HCz7OAcPHB0cS0LWwcog79yOsx6y/5D6sRSucsgTKt/RodAiGjTWLL +Y317dapuE5HD1U125C9H5b5HTwiqf+cgvFvtKI8=
Message-ID: <7c9f97df-f06b-6f87-3776-8f351289cb31@my.amazin.horse>
Date: Wed, 24 May 2023 15:40:11 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
To: openpgp@ietf.org
References: <LaSdaOASqnixctT3XuZHNIeldK2IPqJvHbqo_qkFjdrMBOQ4SKhiWl_76xq2P6l2Wts9rJ6MTTRLfpj9sqyG4_F4etjNcgEt6pmmtuyfsBY=@protonmail.com> <87h6s2hezc.fsf@fifthhorseman.net>
Content-Language: en-US
From: Vincent Breitmoser <look@my.amazin.horse>
In-Reply-To: <87h6s2hezc.fsf@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/vjBoQVRE-PFgmsqwMBTSdc2bDkA>
Subject: Re: [openpgp] Backwards compatibility vs streaming verification of v6 clearsigned messages
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 13:40:18 -0000

Hey list,

> Does anyone want to propose a fifth option that the WG should consider?
> Anyone want to voice a preference for any of the above four options?

I got one:

# Drop CSF headers altogether

CSF headers are pointless to the user at best, confusing or misleading 
at worst. They are easily mangled along transports in ways that break 
the signed message. We are also now in a situation where implementations 
say "there must be exactly this one header, or we won't process the 
message altogether".

That's three bits of being problematic, so we better have a 
justification for having it in the first place: That justification is 
efficient processing. Similar to one-pass signatures, we can hash the 
message right away and therefore verify the signature in a single pass.

While that is for sure a nice technical property to have, I find it 
questionable that CSF signed messages need any kind of "efficient" 
processing by today's computing standards - they are meant to be easy 
for humans to inspect and pass around, so will typically be a few 
kilobytes in size or maybe a megabyte at most. It will routinely be 
loaded into RAM in its entirety to display to users.

Getting rid of the whole header discussion altogether, at the expense of 
less efficient processing, sounds like a good deal to me. Maybe slap on 
a notice that implementations should warn the user not to use it for 
500kb+ messages or so.

That said, I'm not sure whether such a change is in scope for a 
crypto-refresh. But I thought I'd put it on the table, if just for 
completeness' sake.

Cheers

  - V

v2.23.0 | Report a Bug | By Email