[Sam Hartman] Openpgp comments
Forwarded with permission.
It looks like we still have some work to do on rfc2440bis.
Do we need a meeting in San Diego? If so, I need to
request it today.
--- Begin Message ---
Hi. I'm sorry it has taken so long but I needed to spin up to speed
on OpenPGP standards, read the old 2440, read the new doc, understand
some of the political history and then talk to Russ.
I'm basically done with the new doc. I want to work through the
description of PGP CFB mode, but that's all I have left.
However Russ and I have two large issues that we need fixed before I can bring the document to the IESG.
The first is the lack of IANA registries. I understand this is left
over from 2440. Back then, the IESG was much more willing to approve
documents without IANA registries. Even in recent times the IESG has
done this--for example, RFC 4120 doesn't have IANA registries created.
It's actually my negative experience with RFC 4120 as well as changes
in IESG membership that cause me to be quite certain that PGP needs
IANA registries for all its parameters. This is doubly true if we're
closing down the working group. You can use standards action as the
registration policy if you are concerned about interactions with the
rest of the spec. Take a look at RFC 2434. The one caution I'd
suggest is that if you use the IESG approval registration policy,
please give the IESG clear guidelines on what we should look for.
"Evaluate using the same criteria as standards actions" is a fine
criterion, as is something like "avoid security and interoperability
The second issue is the encryption with integrity packet. Today this
is hard-wired to use SHA-1. That's not OK. We need an upgrade path
for that and I think we need to support SHA-256 now.
I realize both of these issues are large.
I'd be happy to get together with you and the authors on a conference
call if that would be useful.
--- End Message ---
Derek Atkins 617-623-3745
Computer and Internet Security Consultant