Re: [openpgp] respecting key flags for decryption
Vincent Breitmoser <look@my.amazin.horse> Thu, 08 November 2018 11:25 UTC
Return-Path: <look@my.amazin.horse>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B048C130EB2 for <openpgp@ietfa.amsl.com>; Thu, 8 Nov 2018 03:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=my.amazin.horse
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tTdZXKurJrM for <openpgp@ietfa.amsl.com>; Thu, 8 Nov 2018 03:24:59 -0800 (PST)
Received: from mail.mugenguild.com (mugenguild.com [5.135.189.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 335BB130E6C for <openpgp@ietf.org>; Thu, 8 Nov 2018 03:24:59 -0800 (PST)
Received: from localhost (gate.ibr.cs.tu-bs.de [134.169.34.1]) by mail.mugenguild.com (Postfix) with ESMTPSA id 6FF755FA99; Thu, 8 Nov 2018 12:24:57 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=my.amazin.horse; s=mail; t=1541676297; bh=ZhQJZLUSy2lCiocKHE1prIG3Gv9HQ3iHFpvNS7TSW2A=; h=Date:From:To:Subject:Autocrypt:From; b=ZwaB9YwjBUQ2NPqTuLJV0h2iJlglhBOQusHBTJYGNKlpUQXYZVsqodkTCthLqaqnS mjOCkgnyYpiWIgxHfBRLxgA3hgZJS4jbis2ZHVykGZZZN/PnkZcJ9QazpbEGkJjjOa lxf3vZ+YUb1N2ECTM/3b33PwsUbczqShiGRz1keA=
Message-Id: <F6H5ZXC03G.2SFRGQ14E5LZK@my.amazin.horse>
In-Reply-To: <75BF6022-6C87-45A7-9FE9-678EA022C39A@icloud.com>
References: <75BF6022-6C87-45A7-9FE9-678EA022C39A@icloud.com> <F6G9P4PUTM.2GANNJVZZYB8G@my.amazin.horse>
Date: Thu, 08 Nov 2018 12:24:54 +0100
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Vincent Breitmoser <look@my.amazin.horse>
To: Jon Callas <joncallas@icloud.com>
Cc: openpgp@ietf.org
Autocrypt: addr=look@my.amazin.horse; keydata=mQINBFAB3UABEADCyB/vbIBA3m1Bwc yjTieEMLySwYgt54EQ2hglOocdtIhqC+b05t6sLSkwx2ukxrU2cegnCBkdyF/FZ/+Et638CUEBbf 4bjplwpt2IPLazQgjkwjMuhz0OcYDpMhwimTvh3mIl+0wzpOts6mEmMw0QZdl3RXvIW+NSynOn7q mz/fAv4Htt6lv2Ka0s6R2voyi+5U7CcIqizPad5qZVn2uxmovcFreTzFt6nk37ZbbTfvA3e5F0bR RQeH3viT5XxpJF4Y76v/Ua+5N3Kd18K0sX85rD1G7cmxR2CZ5gW1X24sDqdYZdDbf10N39UIwjJH PTeuVMQqry792Ap0Etyj135YFCE0loDnZYKvy2Y1i0RuEdTUIonIHrLhe2J0bXQGbQImHIyMgB9/ lva8D+yvy2gyf2vjRhmJEEco7w9FdzP7p3PhKrUiTjRsjHw8iV8LOCFx9njZOq9mism9ZZ16tZpx 9mXOf11HcH1RtVuyyQRS/4ytQPzwshXdSDDW6Btkmo9AbZQKC54/hSyzpp3Br2T2xDH7ecnonDB/ jv8rWuKXSTbX3xWAIrNBNDcTYaNe4jkms4HF7jJE19eRlqsXMMx6Fxvrh4TtKICwJYJ3AUmXrK3X Ti/mjqYfJ1fpBn54rWs8nhSR1fuZPD+aMlcP8BDUPlNKPKtj0DGSh3/VlnnwARAQABtClWaW5jZW 50IEJyZWl0bW9zZXIgPGxvb2tAbXkuYW1hemluLmhvcnNlPokCOAQTAQIAIgUCVTNZmgIbAwYLCQ gHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQe9GDIN6t+hHcVg//aeiijNqsQ3pjbFQn3VvND7hNfJ vrVcLZ+U4kOzXPF818aVdOnDyNXyE17vBDDcvaZ730sCsZIRZJ3KhUJ+nPvdttKjUIGLARmx+pA3 Jl3IIv2uLtOb3I0TMuyfIGJVGF+q10/CeDMKVjKlmyOVrR0opkel+KEoN7VLq3Hf3zPKENO1HBgp LHeP31tlb9cgs+u4o2wLrVe9myHbuFBW7EjWbSvdz2zliwbsFeFVLMNcWrKAU0GkkiH69SgnwmXU RkhGma4L27GLtkHHufsxfbcPqPtmtCttsGZU4EmrghGUqVyDOxnn8ZqybzLrRfpin+OCIX+aHJz5 r2L8qtrP0LorNMX3Gopd26vfhNvq/wq8xk++bW1R5FmkaUhx9h+DhO2ybcg7p/E8JHc8zrWv+bb3 0o9lkrOaU8GxXrgtb1cjtbb+MxFvjm0Elw7MSZDG7sF/APFU6cwuIA9Nai/OGAUCSt/W2ecS8Zox cWWbGSEiDvjtEctkpmHjfVuGoL34966Olm41VdH+NjgoSYUJKx4Mty8DRcZxdyoXll84LvDkEEYK ZqOIACsJf8CDFvUkmhXc+moCj15Yxtj3/RslRVEiOUyrpDwB72zWcZG8YnzoyGxhcRIc/gFejO/y SI8bzCpYngeuTb5NjFG+ChGiInHbQcFeHBlaHtKi2o/B5axIO5Ag0EVDvOgQEQALJby/ztliToGE u1lslvWQUQ6teKZVUQ7hy9bM4N83G0AGLatUBHtY6PkJBe4XkIw3sK7LoFCV2W4GSt4zWp9l+kG3 /J8Ow7EFjN0F7DrCg0M0lMg9dQz9jYSoBR8skaH3BRzCq9AKIVKV94poL/G65289L7zKDHoZnnyF qbBtedYZir0SZx+kiouZ1qnmxRPaYmH2fkuiuvYEAyzLDLYM8F5gQhdZM4YVtuvSICYPet0z4CDi JX/vZmDi3AzzoEVaKeAM/0H9f9Ni547J2+8dZSllgTrA+fq0aMJVScAObIxTAQtEq0DoNBzPpVrm W10b4bmgePrAvNkifqSr5StymSBgwvoeW6GrJiyN4XhoLOadZzwgjqioR1nXw5tXtrr5sYdkZ06b 1WWHkxtu1hFTdLC7RYNxY07ytLNM+C2lplCwCwlWB7RwI9BL1Dhre4kv8uaaX2Gksaq9mDf9MSDW qQ0TJ/RAiwMGmFrzBEYI1J2Oyeshi/dqW4/OiZAukOIlxOnt6u8zU2KL6Qjxqqna0oTbS4Zv3fRd YkuUCL6CDEJdkuRAiW+Gw+lKcMjXqApEqixhaDkoB/kwtu+2gIFTzAxMfwFN1YtNc0kJZWnFkGIW MrrwTcOwAFzlFz7wn/EyMFtg+ERcqMX0+olXDwM8MODI2+BzulPuEDEteCw09hABEBAAGJAh8EGA ECAAkFAlQ7zoECGwwACgkQe9GDIN6t+hFjuQ//UQyg49f8TytUYQaBb8R0UfI+KhQFs1Nsz2z8a3 0CD1MeiHHYWdAcomVvTkg4g5LbnYHVDrj/XagY3FN/AIE97usFbsTG+rsWAOLi7N2dN2ehWZ634k MvrgyC9uTiOdkw31+B8K5MpyySgD8e6SAzRfiu06/bcQOUyJifw8Hudpj9by4uyGhSH+kHu4afrp OduUighbsGFtcuRwwQ/w/oSk68XvPUgiOQWMZh/pVoXdFyFvrt/hgArCi8dfy5UPK58nl7jPnu/I uQXrJ50nNAFIIxPVeo2/B83KAnEZPU+qWZsdba0V+FIIQQVizLtQFMuJJk4/UTAOfJ2tBpQ9PADX 6/scqDE7unXNWdxcHTjK7KmWjXC8CyhGOx8V/rb7Ial4mZo4cTED6SNlO7dV1XYwnSctL2HCYNM3 RUe4eJ7JWuu7/Nbf6yip2eq7BQKZ9hAH/se/OSZNYsEkZ4pxUc8W5U3uAZImUwC6L74SM0jBZIuD mQhOYX6sZZ6urIn/MYlj4/hqSBFS4vTK7nXRLmtr7+5T5U5srVseUiYc+l9pu9/XD8zGIu+M2xEd 41NwP44GDQTQm0bFljRv5fSblwmi56YHPFQUIh2RZNX3kOJgeyQ3enw5uY+7ocKRVP38hpnffliL lJcO6TtHWnElS3pACbTQM0RHJox3zqU3q6K3c=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/y_l3KFXCNBwAj7kbE6hU6Go0oyo>
Subject: Re: [openpgp] respecting key flags for decryption
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 11:25:02 -0000
Hey Jon, thanks for your thoughtful reply! > Moreover, gnupg is not merely a tool, it’s a reference implementation and as > a reference implementation it needs to have meta-features for the purpose of > debugging. I agree with thre premise here, but not the conclusion. In the concrete bug report I have, a bank(!) implemented OpenPGP in a way that included two major blunders: 1) they encrypt to a subkey that doesn't have the flag. 2) they include a one-pass signature packet, but then no actual signature (which isn't a valid OpenPGP message, by spec). The reason this happened, I strongly suspect, is exactly because they treated GnuPG as a reference implementation: they tested that it worked against GnuPG (or some frontend), found it worked in practice (without even a warning), and then left it at that. > it’s *Alice* who has broken protocol, not me. Why punish me because someone > else has a broken implementation? > OpenPGP oughta say that an implementation MUST NOT encrypt to a sign-only key, > but it should leave it at that. I believe that this all goes back to Postel's law of "conservative in what you emit, liberal in what you accept". You're advocating for being "resilient" in the face of bugs in implementations, and that sounds like a good idea on paper. However, I've come to believe that for the long term health of an ecosystem. The reason is that the required "bug compatibility" that is required to actually be interoperable accumulates over time. This leads to more and more implicit knowledge (rather than explicit, as in by spec) being necessary to create or maintain an implementation. Martin Thomson put these thoughts into an I-D fairly recently: https://www.ietf.org/archive/id/draft-thomson-postel-was-wrong-03.txt It is at this point terribly hard and time consuming to write an OpenPGP implementation that works interoperably, because of a general expectation that everyone be 100% GnuPG bug compatible. It's just a blip on the radar, but the case described above happened five years into working on OpenKeychain. And it's not a fluke, I have more similar incidents (will post about them soon). > The standard should not forbid resiliency in the face of a bug. This is a very reasonable sentiment for specs like HTML, we certainly wouldn't want to outright reject a website just because of a missing </i>. But in the context of a cryptographic protocol, this is super dangerous. Being overly relaxed in what we accept means giving attackers a large amount of wiggling room. This is exactly what brought us EFAIL. We should learn from that, and I hope we can do better in the future. - V
- [openpgp] respecting key flags for decryption Vincent Breitmoser
- Re: [openpgp] respecting key flags for decryption Jon Callas
- Re: [openpgp] respecting key flags for decryption Vincent Breitmoser
- Re: [openpgp] respecting key flags for decryption Peter Gutmann
- Re: [openpgp] respecting key flags for decryption Stephen Farrell
- Re: [openpgp] respecting key flags for decryption Werner Koch
- Re: [openpgp] respecting key flags for decryption Peter Gutmann
- Re: [openpgp] respecting key flags for decryption Jon Callas