ietf-openpgp
[Top] [All Lists]

Re: [openpgp] v5 in the crypto-refresh draft

2021-06-04 13:11:10

Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> wrote:
    >  2) v5 certifications ("key signatures") hash a four-octet length of
    > the subject key; v4 certifications hash instead a two-octet subject key
    > length.

    > -----

    > (2) appears to prepare for keys larger than 65536 octets.  This looks
    > like post-quantum planning to me, but we are not including any PQ
    > schemes in the specification, and it's not clear that this change on
    > its own would be sufficient to support such a new scheme (especially
    > because there doesn't seem to be any CFRG consensus on what PQ scheme
    > to endorse yet).

Sure, but wouldn't it help a v5 implementation to more intelligently skip
such a thing?  I don't know if we can support multiple signatures with
different algorithms.

    > This change also has a consequence that it's not possible to transform
    > an embedded/inline signature into a detached or cleartext signature, or
    > vice versa, because detached or cleartext signatures have no place to
    > store the content byte, filename, or timestamp.  I've seen several use
    > cases where translating a signature between inline/embedded format and
    > detached or cleartext formats can be concretely useful.  In one
    > example, Debian's apt repository's Release, Release.gpg, and InRelease
    > files contain the same data and should be able to share cryptographic
    > signatures.

I think that your use case is reasonable.
I also was thinking that with the Executive Order wrt Supply Chain security,
and the number of systems which are debian based, and thus use Release.gpg at
the top, that having v5 sooner rather than later is probably important.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr(_at_)sandelman(_dot_)ca  http://www.sandelman.ca/        |   ruby on 
rails    [ 
        

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp