Re: [openpgp] Intent to deprecate: Insecure primitives
- To: Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx>, openpgp@xxxxxxxx
- Subject: Re: [openpgp] Intent to deprecate: Insecure primitives
- From: David Leon Gil <coruus@xxxxxxxxx>
- Date: Wed, 08 Apr 2015 15:32:07 +0000
- Archived-at: <http://mailarchive.ietf.org/arch/msg/openpgp/JrLP7is6yvKgFPa93aK1SAqPEbE>
- In-reply-to: <firstname.lastname@example.org>
- References: <r422Ps-1075i-0DF0A0ED5D364ECAABA63F541D9C6A16@Williams-MacBook-Pro.local> <email@example.com> <firstname.lastname@example.org>
- Sender: "openpgp" <openpgp-bounces@xxxxxxxx>
Brief update on plans for deprecation: The tracking issue is at https://github.com/yahoo/end-to-end/issues/31
Please feel free to open another issue if you have specific objections. I will either be convinced by your arguments, and change the plan, or explain why I don't.
On Mon, Mar 23, 2015 at 12:25 PM Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:
> On Tue, 2015-03-17 at 11:04 -0400, Derek Atkins wrote:
> > Show me an MUA that does this, please? None of the OpenPGP-aware MUAs
> > I've ever used have this feature, as far as I know. I suppose I could
> > go out of my way to replace the encrypted email with a
> > re-encrypted/plaintext email.
> > But frankly I'd like my encryption software to just maintain the ability
> > to decrypt it later.
> While I don't think that implementations should throw away old algos
> (even if insecure) - they should just no longer use them for creating new
> content, and should only decrypt/verify signatures with appropriate
> warnings - I'd say that the question of long term storage of
> encrypted/signed content (e.g. mails) is (and should be) beyond the
> scope of OpenPGP.
> That being said, the WG shouldn't alter the decisions it makes based on
> that question, but rather only on security considerations.
> As for e.g. long term email storage:
> - if you just store them as received over the wire (i.e.
> encrypted/signed) they may very well become insecure over time, so the
> original purpose of confidentiality and authenticity is no longer
> guaranteed (by leaving them with the old encryption/signature).
> - constantly re-encrypting them seems to be not feasible, and you cannot
> re-sign mails from someone else.
> - IMHO the appropriate way would be for a MUA to record that the mail
> was sent encrypted to you and by whom of your contacts it was signed (if
> any of that was the case) - for later reference.
> And any further protection of the content should be handled by disk
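The policy the quoted message argues for (keep decrypting and verifying old content, with a warning, but refuse to create new content with a deprecated algorithm) can be made concrete at the packet level. The following is an added example, not code from the End-to-End project or from anyone on this thread. Packet framing and algorithm IDs come from RFC 4880 (the two EC public-key IDs from RFC 6637); the DEPRECATED set is an illustrative assumption, not the working group's list, and the sample message bytes are constructed, not captured.

```python
"""Inspect the algorithms an OpenPGP message commits to and apply a
consume-with-warning / refuse-to-create policy.

Added example, not End-to-End or thread code. Packet framing and IDs per
RFC 4880 (EC IDs per RFC 6637). DEPRECATED is an illustrative assumption.
Partial body lengths (new-format streaming) are deliberately not handled.
"""
import struct

SYMMETRIC = {0: "Plaintext", 1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
             7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
        10: "SHA512", 11: "SHA224"}
PUBKEY = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ElGamal", 17: "DSA",
          18: "ECDH", 19: "ECDSA"}

# Illustrative policy (assumption): algorithms an implementation stops *creating* with.
DEPRECATED = {("symmetric", "Plaintext"), ("symmetric", "IDEA"),
              ("symmetric", "TripleDES"), ("symmetric", "CAST5"),
              ("hash", "MD5"), ("hash", "SHA1"), ("hash", "RIPEMD160")}


def parse_packets(data):
    """Return [(tag, body)] for each packet in `data` (RFC 4880 section 4.2)."""
    packets, i = [], 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("bit 7 of a packet tag byte must be set")
        i += 1
        if ptag & 0x40:                      # new-format header
            tag = ptag & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                # old-format header
            tag = (ptag >> 2) & 0x0F
            ltype = ptag & 0x03
            if ltype == 0:
                length = data[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:                            # indeterminate: runs to end of input
                length = len(data) - i
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        packets.append((tag, body))
    return packets


def algorithm_uses(packets):
    """List (kind, name) pairs for the algorithms the packets commit to."""
    uses = []
    for tag, body in packets:
        if tag == 1 and body[0] == 3:        # PKESK v3: version, key ID (8 bytes), pk algo
            uses.append(("pubkey", PUBKEY.get(body[9], "unknown(%d)" % body[9])))
        elif tag == 2 and body[0] == 4:      # Signature v4: version, type, pk algo, hash algo
            uses.append(("pubkey", PUBKEY.get(body[2], "unknown(%d)" % body[2])))
            uses.append(("hash", HASH.get(body[3], "unknown(%d)" % body[3])))
        elif tag == 3 and body[0] == 4:      # SKESK v4: version, sym algo, S2K specifier
            uses.append(("symmetric", SYMMETRIC.get(body[1], "unknown(%d)" % body[1])))
            if body[2] in (0, 1, 3):         # simple / salted / iterated S2K name a hash
                uses.append(("hash", HASH.get(body[3], "unknown(%d)" % body[3])))
    return uses


def policy(uses, creating):
    """Return (allowed, warnings). Consuming old content is allowed with
    warnings; creating new content with a deprecated algorithm is refused."""
    warnings = sorted({"%s algorithm %s is deprecated" % u for u in uses if u in DEPRECATED})
    return (not (creating and warnings), warnings)


# Constructed sample (not a real capture): a v4 SKESK (CAST5, iterated+salted S2K
# over SHA-1, new-format header) followed by a v4 DSA/SHA-1 signature whose MPIs
# are dummies (old-format header). Only the header fields matter for the policy.
SAMPLE_MESSAGE = (bytes([0xC3, 0x0D, 0x04, 0x03, 0x03, 0x02]) + b"\x00" * 8 + b"\x60"
                  + bytes([0x88, 0x10, 0x04, 0x00, 0x11, 0x02, 0x00, 0x00, 0x00, 0x00,
                           0xAB, 0xCD, 0x00, 0x08, 0x01, 0x00, 0x08, 0x01]))

if __name__ == "__main__":
    uses = algorithm_uses(parse_packets(SAMPLE_MESSAGE))
    for creating in (False, True):
        ok, warns = policy(uses, creating)
        print("creating" if creating else "consuming", "->",
              "allowed" if ok else "refused", warns)
```

The same `policy` function serves both directions: an MUA calls it with `creating=False` before decrypting or verifying stored mail and surfaces the warnings, and with `creating=True` on the algorithms it is about to select for a new message, where a non-empty warning list means the selection is rejected rather than merely flagged.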
openpgp mailing list