On Mon, 2021-02-15 at 18:56:34 -0500, Daniel Kahn Gillmor wrote:
> It seems clear to me that the text about whitespace that was merged into
> -01 doesn't have WG consensus at the moment -- iiuc, it may address the
> original concern raised by Guillem, but is unintentionally overbroad,
> and might introduce further incompatibilities between implementations if
> they try to follow the spec as written.

Ack.

> In the meantime, so we don't lose sight of the legitimate problem that
> Guillem wants addressed, I've opened
> https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/11

Thanks. I think there are three related issues here:

  * Non-uniform definition and usage of "whitespace/blank" in the RFC.
    This makes it difficult to understand and interpret what's intended,
    and affects how people implement. (Clarifying this was my main intent.)

  * Consideration on what set of whitespace should be accepted as valid,
    even reducing or augmenting. This is going to create a potential
    tension between interop, backwards compatibility and security
    concerns when chaining various implementations. (I don't mind greatly
    about this one, as for dpkg I'd need to decide based on the least
    common denominator from the implementations supported anyway.)

  * Documenting that regardless of the set of characters defined as
    valid whitespace, accepting a non-reduced set of characters can have
    security implications when chaining various implementations with
    different acceptance checks. (I think this would also be useful
    for glue implementations and "users", such as dpkg.)

> If someone from the group wants to propose alternate text that addresses
> the issue but doesn't introduce the inconsistencies identified by Andrew
> and others, then please propose that text on-list here (in a different
> thread?) -- and if you can also make it as a merge request on gitlab
> that'd be a bonus.

I might try, but I'm not sure I'll have the immediate time for this.
Thanks,
Guillem
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
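
The third issue in the message above (chained implementations with different whitespace acceptance checks), as an added example that is not part of the original message or of any OpenPGP implementation. Both whitespace sets, the header/body layout and the sample input are assumptions constructed for illustration; the check flags input on which a reduced and a wider definition of "blank line" disagree.

```python
# Added example: two "blank line" checks that disagree on the same input.
# Both character sets are assumptions, not quoted from the RFC text.
STRICT_WS = {" ", "\t"}  # assumed reduced set: space and tab only


def blank_strict(line: str) -> bool:
    """Blank if empty or made up only of characters in the reduced set."""
    return all(ch in STRICT_WS for ch in line)


def blank_lenient(line: str) -> bool:
    """Blank by a wider definition: str.isspace() also accepts \\v, \\f, U+00A0, ..."""
    return line == "" or line.isspace()


def split_at_blank(text: str, is_blank):
    """Return (headers, body), split at the first line that is_blank accepts."""
    lines = text.split("\n")  # not splitlines(): that also breaks on \v and \f
    for i, line in enumerate(lines):
        if is_blank(line):
            return lines[:i], lines[i + 1:]
    return lines, []


def disputed_lines(text: str):
    """1-based numbers of lines the two checks classify differently."""
    return [n for n, line in enumerate(text.split("\n"), 1)
            if blank_strict(line) != blank_lenient(line)]


def safe_to_chain(text: str) -> bool:
    """True only if both checks would place the header/body boundary identically."""
    return not disputed_lines(text)


# Constructed sample: line 2 holds a single vertical tab (0x0B).
SAMPLE = "Field-A: 1\n\x0b\nField-B: 2\n\npayload\n"

if __name__ == "__main__":
    print("strict headers :", split_at_blank(SAMPLE, blank_strict)[0])
    print("lenient headers:", split_at_blank(SAMPLE, blank_lenient)[0])
    print("disputed lines :", disputed_lines(SAMPLE))
    print("safe to chain  :", safe_to_chain(SAMPLE))
```

A glue tool that sits in front of several implementations can run a check like `safe_to_chain` and reject disputed input instead of passing it on to whichever parser happens to be installed.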