ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section.

2021-04-28 22:59:14
from [Paul Wouters] [Permanent Link] 
On Sat, 27 Mar 2021, Ángel wrote:


And that the place within the document might be right too?


That's an editorial matter, but I don't think so. I find the security
section to contain many things without a clear script, just a mixture
of things related to security. The problem is that most of the rfc has
some relation to security :-)
There are rfcs with only a few security points to note. Having a
section listing all of them is good. But I don't think that's suitable
for OpenPGP.

I would prefer to see as little as possible on the Security
Considerations, with the points within the most relevant section to the
topic. See for example how I positioned the line about you MUST use
Iterated and salted s2k at the part discussing rather than in that
generic section. IMHO that makes more sense, instead of having a S2K
requisite in a complete separate part of the document.



Nevertheless, the Security Considerations need an overhaul. There are


This is a good point and I've added this as an issue:

https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/29


(*) A phrase that got removed but should be recovered is «MDC MUST be
used when a symmetric encryption key is protected by ECDH.». I pondered
where to move it, but I concluded that should better go at its own
changeset stating that new algorithms cannot be used without MDC i.e.
they cannot be used with the "Symmetrically Encrypted Data Packet"
(still somewhat redundant, as that one MUST NOT be created).


If others agree, we need a tracking item for this too?


Yes, probably. Unless we get a quick consensus on this topic.


We did not, so I opened a tracking item for this too:

https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/30


Additionally, the phrase "A compliant application MUST only use
iterated and salted S2K"... is also mostly fine, but I had already
covered a proposal for that one in the previous
https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/42


I would need to hear from more people about this change to see if
there is consensus for this.

speaking with no roles others than an individual:


This part was proposed in February on a different thread. I am moving
your comment there and replying in that one:

https://mailarchive.ietf.org/arch/msg/openpgp/ml5gzuQtSY6ANBejs8Xk66x_abQ


I've merged in this change in a seperate commit, please review as part
of the next draft update. (commit 464ac8232f9)

Paul

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] The checksum may appear, Paul Wouters
Next by Date:  Re: [openpgp] [RFC4880bis PATCH] Clarify CRC-24 C example implementation, Paul Wouters
Previous by Thread:  Re: [openpgp] The checksum may appear, Paul Wouters
Next by Thread:  Re: [openpgp] [RFC4880bis PATCH] Drop "Compatibility Profiles" section., Daniel Kahn Gillmor
Indexes:  [Date] [Thread] [Top] [All Lists]