ietf-openpgp
[Top] [All Lists]

Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section.

2021-03-26 22:16:20
On 2021-03-25 at 23:27 -0400, Paul Wouters wrote:
On Fri, 26 Mar 2021, Ángel wrote:

I'm attaching the
proposed patch below so that people following the list can see
it.

Hi Daniel

Yep. I wanted it to appear on top of merge_requests/41 but did not
find
how to do that. Happy to learn how to do that.

Now that Paul has merged your branch, I have rebased it and opened
a
direct MR against the main repository:
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/44

I had a look at it. While some text indeed is weird because of the move
from an ECC only document into the generic bis document, I think some
of the text you suggest removing might still make sense, such as the
recommendations of hash algorithms for these curves. 

Good point, that table may be useful without the requirement levels.

And that the place within the document might be right too?

That's an editorial matter, but I don't think so. I find the security
section to contain many things without a clear script, just a mixture
of things related to security. The problem is that most of the rfc has
some relation to security :-)
There are rfcs with only a few security points to note. Having a
section listing all of them is good. But I don't think that's suitable 
for OpenPGP.

I would prefer to see as little as possible on the Security
Considerations, with the points within the most relevant section to the
topic. See for example how I positioned the line about you MUST use
Iterated and salted s2k at the part discussing rather than in that
generic section. IMHO that makes more sense, instead of having a S2K
requisite in a complete separate part of the document.

Nevertheless, the Security Considerations need an overhaul. There are
multiple types of items: general advice, attack descriptions, key size
tables...
And it must grow, some of that is outdated, while other missing.

That ECC table I would probably place it at its own section, probably
as a 13.5.

Other points should perhaps be 15.x subsections.



(...)

I agree that needs fixing. The question is how/when to do this. If we
cut the entire section as you propose, we need to a file a tracking bug
to re-evaluate what to bring back, revised or verbatim later on in the
process when we are pulled up all the existing non-controversial work.

I agree with opening a task to reevaluate that later, if merged.
This was not intended as a permanent removal.


I think we're better clearing it and seeing what is importable. I may
have missed some sentence, but I doubt you could keep most of it as
such.*

I think that could work, but let's get the opinion of a few others ?



(*) A phrase that got removed but should be recovered is «MDC MUST be
used when a symmetric encryption key is protected by ECDH.». I pondered
where to move it, but I concluded that should better go at its own
changeset stating that new algorithms cannot be used without MDC i.e.
they cannot be used with the "Symmetrically Encrypted Data Packet"
(still somewhat redundant, as that one MUST NOT be created).

If others agree, we need a tracking item for this too?

Yes, probably. Unless we get a quick consensus on this topic.


Additionally, the phrase "A compliant application MUST only use
iterated and salted S2K"... is also mostly fine, but I had already
covered a proposal for that one in the previous
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/42

I would need to hear from more people about this change to see if
there is consensus for this.

speaking with no roles others than an individual:

This part was proposed in February on a different thread. I am moving
your comment there and replying in that one:

https://mailarchive.ietf.org/arch/msg/openpgp/ml5gzuQtSY6ANBejs8Xk66x_abQ


Regards


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp