
Re: [openpgp] Intent to deprecate: Insecure primitives

2015-04-08 10:32:22
Brief update on plans for deprecation: The tracking issue is at
https://github.com/yahoo/end-to-end/issues/31

Please feel free to open another issue if you have specific objections. I
will either be convinced by your arguments, and change the plan, or explain
why I don't.

On Mon, Mar 23, 2015 at 12:25 PM Christoph Anton Mitterer <calestyo(_at_)scientia(_dot_)net> wrote:

On Tue, 2015-03-17 at 11:04 -0400, Derek Atkins wrote:
Show me an MUA that does this, please?  None of the OpenPGP-aware MUAs
I've ever used have this feature, as far as I know.  I suppose I could
go out of my way to replace the encrypted email with a
re-encrypted/plaintext email.

But frankly I'd like my encryption software to just maintain the ability
to decrypt it later.

While I don't think that implementations should throw away old algos
(even if insecure) - they should just no longer use them for creating new
content, and should only decrypt/verify signatures with appropriate
warnings, I'd say that the question of long term storage of
encrypted/signed content (e.g. mails) is (and should be) beyond the
scope of OpenPGP.
That being said, the WG shouldn't alter the decisions it makes based on
that question, but rather only on security considerations.


As for e.g. long term email storage:
- if you just store them as received over the wire (i.e.
encrypted/signed) they may very well become insecure over time, so the
original purpose of confidentiality and authenticity is no longer
guaranteed (by leaving them with the old encryption/signature).

- constantly re-encrypting them seems to be not feasible, and you cannot
re-sign mails from someone else.

- IMHO the appropriate way would be for a MUA to record that the mail
was sent encrypted to you and by whom of your contacts it was signed (if
any of that was the case) - for later reference.
And any further protection of the content should be handled by disk
encryption.


Cheers,
Chris.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

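The deprecation behaviour Christoph describes above (refuse to create new content with an old algorithm, still decrypt and verify existing content with a warning, and have the MUA record that a mail arrived encrypted and who signed it), as an added example in JavaScript that is not End-to-End project code. Algorithm IDs follow RFC 4880; the ok/deprecated/insecure classes, the parsed-message shape and the sample message are assumptions of this example.

```javascript
// Assumed local policy for this example, keyed by RFC 4880 algorithm IDs.
// Anything not listed is treated as 'unknown', which is handled like a
// non-'ok' class: refused for new content, warned about when consuming.
const ALGO_NAMES = {
  symmetric: { 1: 'IDEA', 2: '3DES', 3: 'CAST5', 4: 'Blowfish', 7: 'AES-128', 8: 'AES-192', 9: 'AES-256', 10: 'Twofish' },
  hash: { 1: 'MD5', 2: 'SHA-1', 3: 'RIPEMD-160', 8: 'SHA-256', 9: 'SHA-384', 10: 'SHA-512', 11: 'SHA-224' },
  pubkey: { 1: 'RSA', 16: 'Elgamal', 17: 'DSA' },
};
const POLICY = {
  symmetric: { 1: 'insecure', 2: 'deprecated', 3: 'deprecated', 4: 'deprecated', 7: 'ok', 8: 'ok', 9: 'ok', 10: 'ok' },
  hash: { 1: 'insecure', 2: 'deprecated', 3: 'deprecated', 8: 'ok', 9: 'ok', 10: 'ok', 11: 'ok' },
  pubkey: { 1: 'ok', 16: 'deprecated', 17: 'ok' },
};

function classify(kind, id) {
  const cls = (POLICY[kind] || {})[id] || 'unknown';
  const name = (ALGO_NAMES[kind] || {})[id] || `unknown(${id})`;
  return { kind, id, name, cls };
}

// op is 'create' (encrypt/sign new content) or 'consume' (decrypt/verify
// existing content). Creating with anything but an 'ok' algorithm is refused;
// consuming is always allowed, but every non-'ok' algorithm yields a warning
// that the caller must surface to the user.
function checkAlgorithms(op, algos) {
  const bad = algos.map(a => classify(a.kind, a.id)).filter(f => f.cls !== 'ok');
  const warnings = bad.map(f => `${f.kind} algorithm ${f.name} is ${f.cls}`);
  if (op === 'create') return { allowed: bad.length === 0, warnings };
  if (op === 'consume') return { allowed: true, warnings };
  throw new Error(`unknown operation ${op}`);
}

// What an MUA could record at receipt time so the facts "this arrived
// encrypted" and "this was signed by key X" outlive the algorithms involved.
// `msg` is the simplified parsed-message shape assumed for this example.
function recordForLater(msg) {
  const check = checkAlgorithms('consume', msg.algorithms);
  return {
    receivedEncrypted: Boolean(msg.encrypted),
    signedBy: msg.signatureValid ? msg.signerKeyId : null,
    algorithmWarnings: check.warnings,
    checkedAt: msg.receivedAt,
  };
}

// Constructed sample: a mail encrypted with CAST5 and DSA-signed over SHA-1.
const SAMPLE_MSG = {
  encrypted: true, signatureValid: true, signerKeyId: '0xCONSTRUCTED',
  receivedAt: '2015-03-23T12:25:00Z',
  algorithms: [{ kind: 'symmetric', id: 3 }, { kind: 'hash', id: 2 }, { kind: 'pubkey', id: 17 }],
};
```

Running `recordForLater(SAMPLE_MSG)` keeps the mail readable and its signer on record while flagging CAST5 and SHA-1, whereas `checkAlgorithms('create', SAMPLE_MSG.algorithms)` refuses to produce new content with them.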