Re: [openpgp] ways forward wrt IETF wg - please try answer by Apr 8th
Derek Atkins <derek@ihtfp.com> Fri, 10 April 2015 14:40 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F7881A0371 for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 07:40:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A07XgDpBbxBP for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 07:40:50 -0700 (PDT)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52E401A0369 for <openpgp@ietf.org>; Fri, 10 Apr 2015 07:40:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id CCA54E2038; Fri, 10 Apr 2015 10:40:48 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 23796-07; Fri, 10 Apr 2015 10:40:45 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id A39ECE2036; Fri, 10 Apr 2015 10:40:45 -0400 (EDT)
Received: (from warlord@localhost) by securerf.ihtfp.org (8.14.8/8.14.8/Submit) id t3AEegWm022098; Fri, 10 Apr 2015 10:40:42 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <551C3FAD.6040107@cs.tcd.ie>
Date: Fri, 10 Apr 2015 10:40:41 -0400
In-Reply-To: <551C3FAD.6040107@cs.tcd.ie> (Stephen Farrell's message of "Wed, 01 Apr 2015 19:57:49 +0100")
Message-ID: <sjmoamwf3me.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/yWZGzUvLETb8mrvjUcK1kcOrz9I>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
Subject: Re: [openpgp] ways forward wrt IETF wg - please try answer by Apr 8th
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 14:40:53 -0000
Hi, I realize you've already summed up your responses, but I want to respond for the record too. (Yes, I realize it's been 9 days since you sent this, so I missed your "please try to answer by the 8th" request). In terms of the options, I think option 2 is best and closest matches what can realistically be done. Some others might want 3 or 4. I doubt anyone wants 1. I think we should not do any of the 't' options -- I think 2440 and 4880 got it right by only specifying how to make signatures but not what they mean. I.e., it doesn't even define the 'web of trust'. Now, I do think it would be reasonable to have *separate* documents that explain, e.g., how to do web-of-trust in OpenPGP, how to do CA assertions in OpenPGP, etc. Indeed, I'd probably even be willing to author a draft on how to specify and implement "name constraints" in OpenPGP using assertion signature notifications. -derek Stephen Farrell <stephen.farrell@cs.tcd.ie> writes: > Hi all, > > So I think the volume and content of discussions over the > last few weeks clearly indicates a desire to do something > about openpgp, but that discussion doesn't seem to be closing > in on exactly what to do, in the IETF context. It'd help me > to try figure that out if folks would respond to this saying > which of the options below you think can make sense. Picking > more than one is fine, but if so, please say which you prefer. > Annotating/explaining your choice(s) is very welcome but > please try resist the temptation to change this into a chat > about a different set of options:-) > > It would also really help me (and I suspect others) evaluate > messages if you could say something about how you fit into > the openpgp universe (e.g. "I wrote the foo implementation" > or "I run a thing with N people using pgp" or whatever). An > essay on that is not useful here, but a line or two could > be really good. > > Please try respond to this if you can before Wed April 8th > and I'll try summarise whatever we get back to the list after > that, and we may or may not have a plan of action at that > point - we'll see I guess. > > And pretty please do change the message subject if you want > to follow up and discuss something from someone else's response. > That'll at least make my life a little easier when it comes > to trying to summarise back to the list but it'll also make it > easier for folks to check if I've mucked up in how I summarise > (and I muck up a lot, sadly:-). > > Anyway here's the options: > > option 1: do nothing - there's nothing much to do or at least > not in the IETF or not within the IETF for the next >6 months. > > option 2: do maintenance work on rfc4880 - produce a 4880bis > with better crypto options at least, and debate any further > detailed changes during chartering - the charter will contain > a list of specific things to do and other things will be out > of scope (for now) > > option 3: do a major revision to openpgp - take rfc4880 as a > starting point but question all design decisions in the process > of developing a successor version of openpgp and write a > charter that allows for all such design decisions to be > questioned > > option 4: move beyond openpgp (or smime) to develop a new > flavour of end-to-end security for interpersonal messaging, > possibly not that tightly coupled to email, but at least > supporting an email flavour > > For options 2-4 one could include more or less work related > to trust models or key hierarchies/key distribution. If you > would like to include that kind of work please pick one of > those below. If pursuing any of these, we'd need a separate > discussion about the scope of that work and whether or not > one specific approach ought be standardised, but please > let's not yet have that discussion until we see that one of > the "t" options below has a good bit of support. > > option 2t: option 2 + add some trust model/key management > option 3t: option 3 + add some trust model/key management > option 4t: option 4 + add some trust model/key management > > So that's for choices. Remember it's ok to pick more than > one with which you could live, but please be clear about > which you prefer. > > I'd also like to talk about how we might process some of > the above if we establish rough consensus for one of 'em. > > Option 1 is easy. The list can continue to debate stuff, > but there's no IETF process stuff needed and no new RFCs > on the horizon. I get off the hook:-) > > For option 2, or 2t we could start crafting a charter on > the list once we've gotten agreement that that's the goal. > I don't think a face-to-face BoF would be needed before > forming a working group unless the scope of the "t" part of > 2t was proving hard to pin down. (We could arrange some > virtual audio meetings if that'd help of course.) That > could mean a working group is formed quite soon, and that > working group might choose to meet face-to-face in Prague > in July, or might prefer to work on the list only, or > with some audio meetings. > > For options 3, 3t, 4 or 4t I do think we'd likely need to > have a face-to-face BoF meeting as there'd be a lot to > consider and pin down and higher bandwidth is much better > for that. In that case, the important date is June 5th > which is the next cutoff date for requesting such a meeting > for the Prague IETF to be held July 19-24. [1] (June 5th > might seem like a long way off, but it's not really so if > we needed such a meeting then starting to work towards that > soon would be much better than doing so late.) > > Also, some of this can be done sequentially. For example, > as an area director I'm very happy re-chartering existing > working groups to add more tasks where those groups have > demonstrated the ability to be productive. In my experience > that can work better than starting out with the hard/ambitious > stuff as the very first thing to do. That might argue for > starting with option 2 and then, if all goes well, discussing > whether or how to tackle option 3 or 4. (We could even charter > a group to do the maintenance work for option 2 and when that's > done to then discuss how to re-charter for one of the more > complicated choices.) I'd suggest however, we ignore such > sequential processing for now, see what folks prefer as a > goal, and then think about whether there's a way to get to > what people want via sequencing things cleverly. So, just > for now, please don't suggest "2, followed by 3" even if > that's something you like the sound of - I think folks' > initial responses will probably make it obvious if we need > a chat about that. > > And lastly, please let's not have an IETF process discussion > or a discussion about why the IETF is great or crap. If we > see that there's IETF stuff folks want to do and if those > folks are willing and able to implement/deploy the results > then that's enough to be going on with. > > Thanks, > S. > > [1] https://www.ietf.org/meeting/important-dates-2015.html#ietf93 > > > > > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp > > -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant
- [openpgp] ways forward wrt IETF wg - please try a… Stephen Farrell
- Re: [openpgp] ways forward wrt IETF wg - please t… Nicholas Cole
- Re: [openpgp] ways forward wrt IETF wg - please t… Phillip Hallam-Baker
- Re: [openpgp] ways forward wrt IETF wg - please t… Daniel Kahn Gillmor
- Re: [openpgp] ways forward wrt IETF wg - please t… Wyllys Ingersoll
- Re: [openpgp] ways forward wrt IETF wg - please t… James Cloos
- Re: [openpgp] ways forward wrt IETF wg - please t… ianG
- Re: [openpgp] ways forward wrt IETF wg - please t… Tom Ritter
- Re: [openpgp] ways forward wrt IETF wg - please t… Ben McGinnes
- Re: [openpgp] ways forward wrt IETF wg - please t… Ryan Carboni
- Re: [openpgp] ways forward wrt IETF wg - please t… DataPacRat
- Re: [openpgp] ways forward wrt IETF wg - please t… Kristian Fiskerstrand
- Re: [openpgp] ways forward wrt IETF wg - please t… Brian Sniffen
- Re: [openpgp] ways forward wrt IETF wg - please t… Werner Koch
- Re: [openpgp] ways forward wrt IETF wg - please t… David Leon Gil
- Re: [openpgp] ways forward wrt IETF wg - please t… Tom Ritter
- Re: [openpgp] ways forward wrt IETF wg - please t… Benjamin Kaduk
- Re: [openpgp] ways forward wrt IETF wg - please t… Christoph Anton Mitterer
- Re: [openpgp] ways forward wrt IETF wg - please t… Dominik Schuermann
- [openpgp] it's option 2 (was: Re: ways forward wr… Stephen Farrell
- Re: [openpgp] ways forward wrt IETF wg - please t… Derek Atkins
- Re: [openpgp] it's option 2 (was: Re: ways forwar… Daniel Kahn Gillmor
- Re: [openpgp] it's option 2 (was: Re: ways forwar… Tom Ritter
- Re: [openpgp] it's option 2 Stephen Farrell