ietf-openpgp
[Top] [All Lists]

Re: [openpgp] "OpenPGP Simple"

2015-03-17 01:49:37

On Mar 16, 2015, at 7:04 PM, Peter Gutmann 
<pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> wrote:

Jon Callas <jon(_at_)callas(_dot_)org> writes:

Certainly the ASCII Armor checksum is something that could go, since we don't
need to worry so much about modem line noise. :-) But you have to know enough
to ignore it.

It's not just the checksum, the entire ASCII armoring should have been
discarded years, no decades, ago.  The whole thing was originally implemented
because facilities like FidoNet and Usenet didn't handle binary messages, and
the checksum was because things like 2400bps modems (pre-MNP) on the DOS PCs
that PGP 1 was written for wouldn't cancel out line noise, so it was useful to
check for inadvertent message corruption before you warned about invalid
signatures.

The MIME standard (going back to RFC 1341) is over 20 years old and pretty
much everything supports it, but PGP persists with something from even earlier
(PEM, from 1987, that's nearly 30 years ago).  It's not just "a museum of
1990s crypto" (thanks to Matthew Green for the great quote), it's also a
museum of 1980s and 1990s everything-else.  The entire discussion of "ASCII
armour" should have been replaced with "use a mechanism like MIME" years ago.

(Oh, and by "MIME" I mean proper use of MIME, not "wrap PGP-PEM in MIME
headers and pretend it's MIME", RFC 2015/3156).


Maybe not decades.

ASCII armor as it exists now uses the same encoding as MIME for base64, purely 
by chance. It is one of the things that makes me least crazy because it’s 
mostly standard and actually kinda useful. There are a lot of semantic places 
where it’s nice to know that something is an OpenPGP object in human-readable 
form.

Something that seems to be forgotten all over the place is that email is 
actually one of the least interesting places to use OpenPGP. ASCII armor ends 
up being a nice way to encode something so you don’t have to play "guess the 
binary format."

Relatively recently, I was opining to someone that it would be useful to come 
up with a JSON encoding for OpenPGP that would give an easy-to-parse thing 
that’s not just ASCII armor. But some years ago, I said the same thing but it 
was XML, not JSON. And a few years before that, it was S-Expressions, most 
recently in SPKI format, and more Common LISP-ish before that even. JSON is 
what the cool kids are using this decade, don’t you know.

And *that* is the reason to just stick with ASCII armor.

        Jon

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

<Prev in Thread] Current Thread [Next in Thread>