Re: Is PGP broken?
At 10:06 AM 11/29/00 +0100, [EMAIL PROTECTED] wrote: You have to agree that the "not using patented algorithms" thing solves the problem once and for all, if in a somewhat Gordian way (partly breaking backwards compatibility). We would never have had any problems if not for PGP screwing it up -- by using potentially problematic pieces of code. PGP1.x used Bass-O-Matic, which had no patent problems :-) Also RSA, which had far more serious problems in the US than mere patents. PGP2.x used IDEA, which was patented but free for non-commercial use, and used RSA blatantly and unapologetically in violation of patent, so the restrictions on IDEA were mild in comparison. PGP 2.5 and later used RSAREF in the US, which could be used for free for non-commercial use, still more restrictive than IDEA, but had copyright problems outside the US, because of RSA's license. The PGP 2.6.x international versions used homebrew RSA implementations, which were patent-free outside the US (except maybe for Canada, I forget), but still used IDEA, which is patented in Europe, US, and a few other places, but not everywhere in the world. As PGP's track record went from "angelic" to "distinctly tarnished", I stopped using it. Many other people I know did as well. I've switched to GPG, which hasn't got any track record so far, once it became stable. We'll wait and see how they do. Thanks! Bill Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Re: Is PGP broken?
-BEGIN PGP SIGNED MESSAGE- I can see that one can put information associated with a signature outside the hashed area but I cannot see that one should do so and I doubt that this will improve security. First, the key ID. Why should I have it outside the signature? It's possibly not security-critical. But if it is the only exception why not put it into the signature, that would not reduce security. But having no unhashed subpacket would help to increase the trust of users in the reliability of certificates which had been undermined by problems related to unhashed packets. Second, a URL to find a certificate in a more secure place than keyservers is a good idea, especially if you think about the problems I mentioned earlier, but you do not change this URL every five minutes, and therefore it can be in the selfsignature. And, as Len pointed out you can consider this as security critical depending on what you call security. Third, the countersignature: it's simply a technical problem that you cannot have a hash value unless you know what to put into it. But why should this famous thing be in my signature at all? If the hashed part is used to protect information the signature should verify that no alteration has taken place. If my signature needs signing for whatever reason I would like to see this as a separate signature with no unhashed part. I doubt that all security relevant problems associated with unhashed packets are figured out (in theory) and have been tested intensely in their implementations respectively. And why should I have a container in my certificate ready to be blown up with arbitrary information of indefinite length (as RFC-2440 allows) when the purpose of a certificate is to help to create trust. Trust in the crypto system depends on having a reliable means to check that the certificate is not changed in a way unauthorized by the owner and this would be far easier and more transparent if there were no unhashed packets.
Yes, I fear, advocating unhashed packets in signatures is the wrong track and we shall try thinking about what makes sense more often than thinking about what is possible (or useful). Ralf *.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.* * Ralf Senderek [EMAIL PROTECTED] * What is privacy * * http://senderek.de* without * * Tel.: 02432-3960Sandstr. 60 D-41849 Wassenberg * PGP-2.6.3i? * *.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.* -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQCVAwUBOiynDSmc/oJTgiNJAQGQ5AP/S4pwcIXkqMtwZjOtNvEQF/TCYUrfVO2X sSOtLroy9tM3HhkI4Wl6fQg2TV3Nx0qZanCLHOPUZ5L/XCDwXeD8Zi9oBOEqEAKI InHN/qHoVspUykBtTC3UybsBZjiFEpayJlYSQ7uu7uOOi4vmVVXcvhcsbI9dUaFK SCvTKBuqtWs= =WSuJ -END PGP SIGNATURE-
Re: Is PGP broken?
"Enzo Michelangeli" [EMAIL PROTECTED] writes: I have an RFC draft for this which I wrote a while back but it was rejected by the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1 syntax"), and I haven't had the motivation to publish it as an independent draft - would anyone even notice?. I don't think we need a draft for that: is there anything in the current RFC's preventing an S/MIME user agent from verifying an attached cert against a locally-stored copy, rather than traversing the certification path up to the root? Or also from installing root certs made by arbitrary peers? There's a lot more to it than that, the abstract for the draft describes the scope as: -- Snip -- Current X.509 profiles assume the presence of an arbitrarily large and all- encompassing PKI run by third parties in order to function. Unfortunately this doesn't take into account common cases such as the situation where parties have an existing trust relationship and want to share keys (without requiring a third party to issue them certificates), or where an end entity has a signing certificate and wants to issue their own confidentiality keys rather than requiring the cooperation of a third party to do it for them, or where an end entity wishes to distribute their keys via commonly-available mechanisms such as web pages instead of waiting for a Directory capable of performing this task to appear. This profile presents a mechanism for identifying and working with end-entity certificates which fulfil the above requirements. This use of end-entity certified keys, combined with the distribution mechanism described below, allows perfect forward (and backward) secrecy (keys can be rolled over hourly if required) which can be made completely transparent to the user, as well as doing away with the need for the (often unnecessary) reliance on a CA for certification of keys, and with the need for a Directory or similar mechanism for key distribution. 
-- Snip -- There's a copy online at http://www.cs.auckland.ac.nz/~pgut001/pubs/autonomous.txt if anyone wants to see the whole thing. Peter.
Re: Is PGP broken?
"Steven M. Bellovin" wrote: Purely procedurally, if you tried to get it published as an RFC it would probably be bounced by the IESG -- there's a policy against RFCs that are or appear to be end-runs around a working group. If something is in a WG's area, it's up to them to publish it. But this was rejected because it wasn't within the WG's scope (PKIX is X.509 based PKI, PGP certificates are out of scope). I suspect that the IESG would entertain a PGP CA document. -Jeff P.S. If you want to play with a hack S/MIME CA, try www.black-helicopter.org/bh It's a complete hack I put together (so be gentle). -Jeff
Re: Is PGP broken?
-BEGIN PGP SIGNED MESSAGE- At 05:52 PM 12/3/00 -0800, Bram Cohen wrote: ... If I receive mail from a mailing list, it potentially might have info about both how to encrypt mail sent to the sender, and how to encrypt mail sent to the list - it really should be able to include both, and specify which is which. -Bram Cohen [Personally, I'm not sure it is worthwhile worrying about how to encrypt mail to a large mailing list -- a secret known by more than a couple of people is never secret for long. Signatures on list mail are another matter. --Perry] It seems like it might be really useful to have encryption on mailing lists for small groups, but I agree that lists with a hundred people on them may as well be in cleartext, for most purposes. It seems like a much more immediately useful feature would be to have mailing-list software that required a valid PGP signature from a known subscriber's key to allow posting, and then would sign all outgoing messages with the list software's public key. If subscribers automatically have to send in their public key, and receive the list software's public key, then at least the key distribution part of the problem would be handled more-or-less automatically. If that initial signup isn't interfered with, the mailing list gets signed messages, and the receivers all have the right key to check the message signatures. Interestingly, this kind of application would do what people usually want certificates to do, but without anyone in the role of a CA. --John Kelsey, [EMAIL PROTECTED] PGP Fingerprint: 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF ...| ``Slavery's most important legacy may be a painful insight ...| into human nature and into the terrible consequences of ...| unbridled power.'' --Thomas Sowell, _Race and Culture_ -BEGIN PGP SIGNATURE- Version: PGPfreeware 6.5.1 Int. 
for non-commercial use http://www.pgpinternational.com Comment: foo iQCVAwUBOitPbiZv+/Ry/LrBAQF1xgQAucB4sFrxXOs6QQUPXlmZQuGzM0S2me7I 79ulcUnCOqgZYJs2l/Z8H3a8g3DRvQMQGEBaOdkrALSsQJamevJIskEoUPe1CDQj DGn/2h49a9c9JFVqOFGCOSlL8d0/Kn52tNwtsX8XPpLeg40Zkq6E/5HzclxGSFb5 M16nl46FzJk= =NAv6 -END PGP SIGNATURE-
RE: Is PGP broken?
A problem with including a public key with every plaintext message is that it isn't very discreet - actually looks kind of ugly in some people's email clients. You could use a separate PGP/MIME bodypart... Come to think of it, there are some tricky issues with regards to crypto on mailing lists, it might make sense to have a X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the crypto information contained in that piece of mail applies to the address [EMAIL PROTECTED] - otherwise there's no clear way of unraveling all the possible mixes of from, to, and reply-to headers which could possibly be sent to a mailing list. The recipient would probably ignore the mail headers and use the userID(s) in the public key certificate included in the message. Ian :0)
Re: Is PGP broken?
"Enzo Michelangeli" [EMAIL PROTECTED] writes: Apart from standards issues, one thing I'd like to see added to popular S/MIME agents is a mini-CA to issue self-signed certificates. This would allow people to use S/MIME as they use PGP (who relies on the WoT anyway?), breaking the dependency from hierarchical CA's. Creating such an agent would be now a viable OpenSource project, without any need for expensive toolkit licenses. I have an RFC draft for this which I wrote a while back but it was rejected by the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1 syntax"), and I haven't had the motivation to publish it as an independent draft - would anyone even notice?. Peter.
Re: Is PGP broken?
At 9:55 AM +0100 11/29/2000, PA Axel H Horns wrote: On 29 Nov 2000, at 7:07, Stephan Eisvogel wrote: Adam Back wrote: (And also without IDEA support for patent reasons even now that the RSA patent has expired.) Do you know when the IDEA patent will expire? I will hold a small party myself then. B) The EP 0 482 154 of ASCOM TECH AG has been filed on May 16, 1991. Add 20 Years. If ASCOM TECH AG pays annual renewal fees to the respective national Patent Offices every year. Otherwise it might lapse earlier. Axel H Horns There is also US patent 5214703 which was filed on Jan. 7, 1992. See http://www.delphion.com/details?pn=US05214703__ Arnold Reinhold
RE: Is PGP broken?
On Mon, 4 Dec 2000, Ian Brown wrote: Come to think of it, there are some tricky issues with regards to crypto on mailing lists, it might make sense to have a X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the crypto information contained in that piece of mail applies to the address [EMAIL PROTECTED] - otherwise there's no clear way of unraveling all the possible mixes of from, to, and reply-to headers which could possibly be sent to a mailing list. The recipient would probably ignore the mail headers and use the userID(s) in the public key certificate included in the message. To clarify - I think doing things based on PGP userIDs is unworkable, and would like to do everything based on email addresses. -Bram Cohen
Re: Is PGP broken?
It is often useful to include some information associated with a signature that is not in the hashed portion. There are several reasons for this. First, some information is not security critical and there is no reason to hash it. Second, some such information may be subject to change and updates, and it is desirable for the document to be edited in place in order to make changes without invalidating the signature. And third, some information cannot be calculated until after the signature hash is calculated due to the semantics involved. Examples of the first case would be an identifier which indicates the signing key. In PGP this would be the key ID; in SMIME, CMS and other PKCS-7 derived formats it is the IssuerAndSerialNumber. These fields are not hashed. This is not security critical because it is essentially a hint about where to find the key. If this data is altered, the wrong key will be found and the signature won't verify. Examples of the second case would be other kinds of hints for finding the signing key, in the form of URLs or database pointers which might change. PGP's preferred key server subpacket might fall into this category. Another example would be the KeyInfo field in the XML signature format (http://www.w3.org/TR/2000/CR-xmldsig-core-20001031/). This has a number of options for ways to identify and locate keys. It is not in the hashed area. Examples of the third case would be the UnauthenticatedAttributes of the PKCS-7 family. CMS (RFC2630) uses this field to hold a countersignature, which is a signature on a signature. This cannot be calculated until after the signature is calculated so it must be in the unhashed region. PGP might want to add a countersignature mechanism in the future and an unhashed subpacket would be a good place for it. 
If you are really convinced that allowing unhashed data is wrong, you should lend your expertise not only to PGP, but to the many other ongoing cryptographic working groups and let them know that they are all on the wrong track.
Re: Is PGP broken?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 4 Dec 2000, lcs Mixmaster Remailer wrote: Examples of the first case would be an identifier which indicates the signing key. In PGP this would be the key ID; in SMIME, CMS and other PKCS-7 derived formats it is the IssuerAndSerialNumber. These fields are not hashed. This is not security critical because it is essentially a hint about where to find the key. If this data is altered, the wrong key will be found and the signature won't verify. Agreed. This is the main exception I pointed out to Ralf, and these are the reasons I gave him in my private email to him. Examples of the second case would be other kinds of hints for finding the signing key, in the form of URLs or database pointers which might change. PGP's preferred key server subpacket might fall into this category. I'm hesitant to put this outside the hashed area. The preferred key server is a preference stated by the key owner; he should be the only one able to change that. PGP might want to add a countersignature mechanism in the future and an unhashed subpacket would be a good place for it. I'm not against unhashed subpackets. I'm against unhashed security-critical subpackets. I would think that the best way to design a program interpreting certificates with such packets would be to have a "whitelist" of subpackets permitted outside the hashed area. Anything not in this whitelist should be rejected or ignored. - --Len. __ L. Sassaman Security Architect | "The world's gone crazy, Technology Consultant | and it makes no sense..." | http://sion.quickie.net| --Sting -BEGIN PGP SIGNATURE- Comment: OpenPGP Encrypted Email Preferred. iD8DBQE6LCvtPYrxsgmsCmoRAhkKAJ42qvI3uMksU0VkQgVkO14ZkAtPpQCg7pUN zJeRhi/+IXcqSDalM9MSLiE= =wOQl -END PGP SIGNATURE-
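The hashed/unhashed split argued over in the two messages above, and Len's whitelist suggestion, as an added worked example. This is my code, not anything posted in the thread and not code from any PGP implementation: it serializes and parses v4 signature subpackets as RFC 2440/4880 define them, computes the hash input for a binary-document signature exactly as RFC 4880 section 5.2.4 prescribes, and then enforces a whitelist over the unhashed area. The key ID, key server URL, timestamp and document are constructed sample data and no real key is involved, so the example checks the bytes that go into the hash rather than an actual RSA or DSA signature; that is enough to show that an edit to the unhashed area is invisible to the hash while the same edit inside the hashed area is not. The Embedded Signature subpacket it whitelists (type 32) is the countersignature mechanism that RFC 4880 later added; it did not exist in RFC 2440.

```python
import hashlib
import struct

# Signature subpacket types (RFC 2440 / RFC 4880 section 5.2.3.1)
SIG_CREATION_TIME = 2
ISSUER_KEY_ID = 16
PREFERRED_KEY_SERVER = 24
EMBEDDED_SIGNATURE = 32   # countersignature; added by RFC 4880, absent from RFC 2440

# Whitelist (Len's suggestion): the only types tolerated outside the hashed area are a
# key lookup hint and a signature that cannot exist before the outer signature does.
UNHASHED_WHITELIST = {ISSUER_KEY_ID, EMBEDDED_SIGNATURE}


def encode_subpacket(sptype, body, critical=False):
    """Serialize one subpacket: length (covers type octet + body), type octet, body."""
    length = len(body) + 1
    if length < 192:
        hdr = bytes([length])
    elif length < 8384:
        length -= 192
        hdr = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", length)
    return hdr + bytes([sptype | (0x80 if critical else 0)]) + body


def parse_subpackets(area):
    """Return [(type, critical, body), ...] for a hashed or unhashed subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        out.append((area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]))
        i += length
    return out


def build_v4_signature(sigtype, pkalg, hashalg, hashed, unhashed):
    """Assemble a v4 Signature packet body; left-16 hash bits zeroed, MPIs omitted."""
    return (bytes([4, sigtype, pkalg, hashalg])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")


def split_v4_signature(pkt):
    """Split a v4 Signature packet body into (4-octet header, hashed area, unhashed area)."""
    if pkt[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hlen = struct.unpack(">H", pkt[4:6])[0]
    p = 6 + hlen
    ulen = struct.unpack(">H", pkt[p:p + 2])[0]
    return pkt[:4], pkt[6:p], pkt[p + 2:p + 2 + ulen]


def signature_digest(document, pkt):
    """Hash input for a v4 binary-document signature (RFC 4880 5.2.4): the document,
    then header + hashed-length + hashed area, then the six-octet trailer.
    The unhashed area is never fed in, which is exactly why it is unprotected."""
    header, hashed, _unhashed = split_v4_signature(pkt)
    signed_part = header + struct.pack(">H", len(hashed)) + hashed
    h = hashlib.sha1()
    h.update(document)
    h.update(signed_part)
    h.update(b"\x04\xff" + struct.pack(">I", len(signed_part)))
    return h.digest()


def check_unhashed_policy(pkt):
    """Return (kept, offending) unhashed subpacket types; raise if any is not whitelisted."""
    _, _, unhashed = split_v4_signature(pkt)
    kept, offending = [], []
    for sptype, _critical, _body in parse_subpackets(unhashed):
        (kept if sptype in UNHASHED_WHITELIST else offending).append(sptype)
    if offending:
        raise ValueError("security-relevant subpackets outside hashed area: %r" % offending)
    return kept, offending


# Constructed sample data: not a real key, key server or signed message.
DOC = b"Only the hashed area is covered by the signature.\n"
CREATED = encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", 975628800))  # 2000-12-01
KEYSERVER = encode_subpacket(PREFERRED_KEY_SERVER, b"hkp://keys.example.org")
ISSUER_SP = encode_subpacket(ISSUER_KEY_ID, bytes.fromhex("0123456789abcdef"))
# Binary document signature (0x00), RSA (1), SHA-1 (2); key server kept in the hashed area.
SIG = build_v4_signature(0x00, 1, 2, CREATED + KEYSERVER, ISSUER_SP)


def unhashed_edit_leaves_digest_unchanged():
    """Rewriting the issuer key ID (unhashed) does not alter what was signed."""
    forged = build_v4_signature(0x00, 1, 2, CREATED + KEYSERVER,
                                encode_subpacket(ISSUER_KEY_ID, b"\xff" * 8))
    return signature_digest(DOC, SIG) == signature_digest(DOC, forged)


def hashed_edit_changes_digest():
    """Rewriting the key server URL inside the hashed area invalidates the signature."""
    evil = encode_subpacket(PREFERRED_KEY_SERVER, b"hkp://keys.attacker.example")
    edited = build_v4_signature(0x00, 1, 2, CREATED + evil, ISSUER_SP)
    return signature_digest(DOC, SIG) != signature_digest(DOC, edited)


def policy_rejects_unhashed_keyserver():
    """A key server hint moved to the unhashed area is refused by the whitelist."""
    moved = build_v4_signature(0x00, 1, 2, CREATED, ISSUER_SP + KEYSERVER)
    try:
        check_unhashed_policy(moved)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("unhashed subpackets accepted:", check_unhashed_policy(SIG))
    print("unhashed edit invisible to hash:", unhashed_edit_leaves_digest_unchanged())
    print("hashed edit breaks hash:", hashed_edit_changes_digest())
    print("whitelist rejects moved key server:", policy_rejects_unhashed_keyserver())
```

The whitelist is deliberately a positive list rather than a list of forbidden types: a verifier that silently honours whatever turns up in the unhashed area (a key server URL, an expiry, a notation) is trusting data that anyone holding the certificate could have appended after the fact. Dropping such subpackets instead of raising would also be defensible; what matters is that nothing in the unhashed area ever influences a security decision.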
Re: Is PGP broken?
- Original Message - From: "Peter Gutmann" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, December 05, 2000 4:45 AM Subject: Re: Is PGP broken? "Enzo Michelangeli" [EMAIL PROTECTED] writes: Apart from standards issues, one thing I'd like to see added to popular S/MIME agents is a mini-CA to issue self-signed certificates. This would allow people to use S/MIME as they use PGP (who relies on the WoT anyway?), breaking the dependency from hierarchical CA's. Creating such an agent would be now a viable OpenSource project, without any need for expensive toolkit licenses. I have an RFC draft for this which I wrote a while back but it was rejected by the PKIX WG chair(s) ("I am concerned that we not turn PKIX into PGP with ASN.1 syntax"), and I haven't had the motivation to publish it as an independent draft - would anyone even notice?. I don't think we need a draft for that: is there anything in the current RFC's preventing an S/MIME user agent from verifying an attached cert against a locally-stored copy, rather than traversing the certification path up to the root? Or also from installing root certs made by arbitrary peers? Enzo
Re: Is PGP broken?
"L. Sassaman" wrote: PGP will also never have the platform coverage that open source software can have. In addition to all the platforms (except Macintosh) that PGP supports, GnuPG runs on Irix, Tru64, FreeBSD, NetBSD, OpenBSD, BSD/OS, SCO, SunOS, and others. That's not PGP's fault; it's just the nature of commercial vs. open source software. But to say that PGP runs on "nearly all platforms" is misleading. ??? I have PGP running on FreeBSD. Did I miss something? Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Is PGP broken?
Bram Cohen writes: Not that I'm going to propose a new standard or even modifications to old ones - there are already too many of those, the problem is making one of them acceptable, or developing a new one which has a good chance of getting universal support. Have you looked at CryptoKong? http://catalog.com/jamesd/Kong/Kong.htm --digsig Russ Nelson 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG BSvaK4MOZ2HQvr15n12Wn//srJ0bGg0SBsjB0i7z 9DzVhXhT9dtOvXQsvNgW9fxxzbg1MahNdUf/jGDb -- -russ nelson [EMAIL PROTECTED] http://russnelson.com | If I knew the Crynwr sells support for free software | PGPok | destination of the 521 Pleasant Valley Rd. | +1 315 268 1925 voice | handbasket, I never would Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | have gotten into it!
Re: Is PGP broken?
-BEGIN PGP SIGNED MESSAGE- "L. Sassaman" [EMAIL PROTECTED] wrote: Shameless plug: Ben Laurie and I were discussing this exact topic earlier this month. I'm going to England next month to sit down and hash out exactly what we want to do, but we would like to add OpenPGP features to OpenSSL. [...] I think the benefits of having an Apache-style licensed OpenPGP toolkit are obvious. This is a grand idea and I hope you will receive widespread support. But I would like to ask you to do me (and others) the favour to interpret the RFC-2440 (OpenPGP-Standard) in a way that the number of unsigned packets in signatures is definitely zero. This would be the way one would think of a signature in the non-digital world anyway. Good luck, Ralf *.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.* * Ralf Senderek [EMAIL PROTECTED] * What is privacy * * http://senderek.de* without * * Tel.: 02432-3960Sandstr. 60 D-41849 Wassenberg * PGP-2.6.3i? * *.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.* -BEGIN PGP SIGNATURE- Version: 2.6.3ia Charset: noconv iQCVAwUBOio0KSmc/oJTgiNJAQGWjgQAle2fU2syOy/NzHSN8IcUQ0Xi5zZbc9sx ca2rhOyRnm2TWehdRnt0vzHHl/cOsyOtlGc8407aYiHY0d2wsmbO7/TYumNRW7PO CJu9PJKIF5nMKVr2HeAJi2g/0jrJI9h1GIewP6rmKURCLzKhhu9FribILAp88OxO CDFLSWCdzZg= =qCZ+ -END PGP SIGNATURE-
Re: Is PGP broken?
On Wed, 29 Nov 2000, Ian BROWN wrote: Bram Cohen wrote: What we really need is a system which just stops passive attacks. The best idea I've come up with so far is for all outgoing messages to have a public key attached, and if you have the public key of an email address you're sending to you use it Indeed -- this is one of the current advantages of S/MIME over OpenPGP. Absolutely no reason why any PGP implementation shouldn't do it. This also allows you to do perfect forward secrecy: generate new short-life encryption key pairs for each message, sign the public key with your longer-lived signature key, and include it in your message for the reply. See http://www.ietf.org/internet-drafts/draft-brown-pgp-pfs-01.txt for an attempt by Adam Back, Ben Laurie and myself to standardise this and other PFS techniques for OpenPGP. Good to know someone's done work along these lines. A problem with including a public key with every plaintext message is that it isn't very discreet - actually looks kind of ugly in some people's email clients. This could be changed by making a header line saying something like X-accepts-crypto, and have other mailers only send their keys to addresses they've formerly gotten mail with that header line from. Come to think of it, there are some tricky issues with regards to crypto on mailing lists, it might make sense to have a X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the crypto information contained in that piece of mail applies to the address [EMAIL PROTECTED] - otherwise there's no clear way of unraveling all the possible mixes of from, to, and reply-to headers which could possibly be sent to a mailing list. -Bram Cohen
Re: Is PGP broken? - public keys in every message
-- 2 At 12:01 PM 12/3/00 -0800, Bram Cohen wrote: A problem with including a public key with every plaintext message is that it isn't very discreet - actually looks kind of ugly in some peoples's email clients. This could be changed by making a header line saying something like X-accepts-crypto, and have other mailers only send their keys to addresses they've formerly gotten mail with that header line from. One nice thing about Elliptic Curve crypto is that the keys are nice and short. This makes it much easier to use the whole key instead of PGP-like KeyIDs, and makes it easier to do signatures that aren't aesthetically annoying. Here's an example of a document signed by James Donald's Crypto Kong, from his page at http://www.jim.com/jamesd/Kong/Kong.htm -- Example signed document. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG BSvaK4MOZ2HQvr15n12Wn//srJ0bGg0SBsjB0i7z 9DzVhXhT9dtOvXQsvNgW9fxxzbg1MahNdUf/jGDb The first lines of mmencode is the key and the last two are the signature. Kong has its problems (including being Windows-specific), but it's an interesting experiment in crypto user interface. (Also, there's a real question as to what version is what - the web page says "1.1.2", the Download page says "1.1.1", and the code I actually downloaded says "1.1.3", so I hope it's not a hoax.) --digsig [EMAIL PROTECTED] DBY838ylRbu3lT5qQ5kM6XI++JHR0NBZtaQ52Egs7Vq KcdeXicUTIlSnilH+vKrYZJjNTTRlyOemCgX/z5M 4cko2RYx7R+ZRoVTBDDDu0TIrXfAwscgUjSH733Pw Thanks! Bill Bill Stewart, [EMAIL PROTECTED] PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Re: Is PGP broken?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 In my opinion, cryptography should be seen as an evolutionary process. Protocols are continuously evaluated for their "fitness" in the context of current number theory, advances in computers/CPUs, and many individual/company/implementation specific requirements. It may be impossible to get the ideal solution, but we optimize to what we consider vital for survival. Regarding secure e-mail, PGP and S/MIME have evolved in different populations; using different measurements to determine fitness. Naturally, the protocols themselves have mutated, but we also have new species being introduced (some proprietary, some public), as you noted. Today, with companies trying to market secure e-mail to the masses, the boundaries of these communities are fuzzy. Simultaneously, individuals in this greater population have drastically different requirements. Predictably, and understandably, the general population tries to optimize for "easy", especially when not familiar with the tradeoffs. The true danger is when companies, who believe in Creationism, start to optimize for market share and "easy", since that fulfills their objectives and their target audience's one and only requirement. I believe this to be the motivation for the ZixIt/Yahoo announcement. I trust Darwinism will take care of the rest... - -- David Bird [EMAIL PROTECTED] PS: I applaud the idea of implementing OpenPGP in OpenSSL!! I agree that creating a public source C library is critical in promoting compatibility. I also agree, ultimately, OpenPGP will prevail. ! Date: Wed, 29 Nov 2000 17:17:28 -0800 (PST) ! From: "L. Sassaman" [EMAIL PROTECTED] [snip] ! There have been secure email companies popping up with proprietary key ! formats. (Hushmail and Zixit[2] are the two big ones that I can think of ! immediately). If RFC 2440 functionality were available in a crypto library ! without a restrictive license, perhaps we'd see companies such as those ! 
adopting OpenPGP as the format of choice. Perhaps we would see OpenPGP ! features shipping with email clients, so that users would not need to rely ! on plugins and wrappers for their email. [snip] ! Shameless plug: Ben Laurie and I were discussing this exact topic earlier ! this month. I'm going to England next month to sit down and hash out ! exactly what we want to do, but we would like to add OpenPGP features to ! OpenSSL. [snip] ! [2] -- Sadly, a standard format would only be a small improvement on ! Zixit, which has a system that I would never recommend anyone trust for ! securing anything of importance. -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Comment: Processed by Mailcrypt 3.5.1, an Emacs/PGP interface Charset: noconv iQA/AwUBOir2WYTAuwXcZQtzEQKW8wCeP1L8oc0VuclCbraolH2affD3WrkAnjq2 hXoq9wpbW+Z30+XZ0vYryAhp =dX/v -END PGP SIGNATURE-
Re: Is PGP broken?
On Sun, 3 Dec 2000, Ben Laurie wrote: Bram Cohen wrote: Come to think of it, there are some tricky issues with regards to crypto on mailing lists, it might make sense to have a X-crypto-originator [EMAIL PROTECTED] line in the headers to specify that the crypto information contained in that piece of mail applies to the address [EMAIL PROTECTED] - otherwise there's no clear way of unraveling all the possible mixes of from, to, and reply-to headers which could possibly be sent to a mailing list. Umm. PGP keys are largely self-identifying, at least in this case. It wouldn't really matter how the short-lived key arrived, the fact that its signatory is the guy you are about to email is the interesting thing. Who cares who delivered it to you, or how? If I receive mail from a mailing list, it potentially might have info about both how to encrypt mail sent to the sender, and how to encrypt mail sent to the list - it really should be able to include both, and specify which is which. -Bram Cohen [Personally, I'm not sure it is worthwhile worrying about how to encrypt mail to a large mailing list -- a secret known by more than a couple of people is never secret for long. Signatures on list mail are another matter. --Perry]
Re: Is PGP broken?
- Original Message - From: "Peter Gutmann" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 30, 2000 1:30 PM Subject: Re: Is PGP broken? "Enzo Michelangeli" [EMAIL PROTECTED] (or someone, the quoting makes it difficult to tell) Yes, that was me. writes: If it may be of any comfort (or perhaps enhanced desperation), the S/MIME community has similar headaches: in these days, the [EMAIL PROTECTED] list is debating whether, in S/MIME v.3, RSA should be made a MUST algorithm together with, or in alternative to, DSS and D-H. At this moment (RFC2630) neither RSA nor RC2 are MUST, so interoperability is not guaranteed with v.2 agents... S/MIME interoperability is guaranteed because everyone ignores the RFC and does RSA and RC2 (for backwards-compatibility only) and 3DES first and everything else only if they have the time and/or budget. For "S/MIME" I mean the two standards (v.2 and v.3), not its various implementations (still largely based on v.2). The truth is: with any standard, the fact that a version[N+1] lacks some of the MUST's of the version[N] represents a bad omen for a successful deployment. Now that the patent on RSA has expired, and that the export control laws in the US have finally been relaxed, this issue should be addressed. For PGP that will be more difficult due to the continuing encumbered status of IDEA, but for S/MIME it could be fixed now. Apart from standards issues, one thing I'd like to see added to popular S/MIME agents is a mini-CA to issue self-signed certificates. This would allow people to use S/MIME as they use PGP (who relies on the WoT anyway?), breaking the dependency from hierarchical CA's. Creating such an agent would be now a viable OpenSource project, without any need for expensive toolkit licenses. Enzo
Re: Is PGP broken?
Russell Nelson wrote: Is it just me, or is PGP broken? I don't mean any particular version of PGP -- I mean the fact that there are multiple versions of PGP which generate incompatible cryptography. Half the time when someone sends me a PGP-encrypted message, I can't decrypt it. Presuming that I'm right, is anyone attempting to fix PGP? Not to mention anything about PGP keyservers, or the utter and complete absence of anybody doing point-source PGP signing. Although it is broken the strategy I use is to use a 2.x generated key with 5/6.x PGP versions. This seems to work pretty smoothly. Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Is PGP broken?
Bram Cohen wrote: What we really need is a system which just stops passive attacks. The best idea I've come up with so far is for all outgoing messages to have a public key attached, and if you have the public key of an email address you're sending to you use it Indeed -- this is one of the current advantages of S/MIME over OpenPGP. Absolutely no reason why any PGP implementation shouldn't do it. This also allows you to do perfect forward secrecy: generate new short-life encryption key pairs for each message, sign the public key with your longer-lived signature key, and include it in your message for the reply. See http://www.ietf.org/internet-drafts/draft-brown-pgp-pfs-01.txt for an attempt by Adam Back, Ben Laurie and myself to standardise this and other PFS techniques for OpenPGP. The worst that could really happen is that I lose my key info, construct new stuff, and next time Russ sends me mail I respond 'sorry, but I lost my old private key, please send that last message again'. A nice touch in a mailer would be to store sent messages in an "in transit" folder until a signed receipt is received, either in an individual receipt message or piggy-backed onto the reply, to help with this and other problems. The only real gotcha is that the first message is unencrypted, and that's not a big deal, especially when you know about it and always send a 'checking to make sure I got your address right' message to start things off. Right. And we could all start putting our public keys into the DNS -- do NAI have any plans to put that functionality into their software (e.g. allow the key manager to communicate with an agent running on your local authoritative nameserver?) Including your public signature key in signed messages also solves a gotcha with distributed keyserver systems, reverse lookup of keys by keyID. Ian :0)
Re: Is PGP broken?
"Enzo Michelangeli" [EMAIL PROTECTED] (or someone, the quoting makes it difficult to tell) writes: If it may be of any comfort (or perhaps enhanced desperation), the S/MIME community has similar headaches: in these days, the [EMAIL PROTECTED] list is debating whether, in S/MIME v.3, RSA should be made a MUST algorithm together with, or in alternative to, DSS and D-H. At this moment (RFC2630) neither RSA nor RC2 are MUST, so interoperability is not guaranteed with v.2 agents... S/MIME interoperability is guaranteed because everyone ignores the RFC and does RSA and RC2 (for backwards-compatibility only) and 3DES first and everything else only if they have the time and/or budget. Actually barring the RC2/40 vs 3DES duality imposed by export controls, S/MIME is a lot more interoperable than PGP, and certainly for signed messages any S/MIME mailer can handle the output of any other S/MIME mailer. OTOH I can't get different versions of PGP 2.x, 5.x, and 6.x to interoperate, which is why I'm one of the people who's sticking to 2.x as the least painful option - although I have multiple versions available of which at least one will eventually process a message if I try them all in turn, most of the people I correspond with can't do this and 2.x provides the best guarantee of interoperability. Peter.
Re: Is PGP broken?
Stefan Kelm writes:

> BTW, what do you mean by "point-source PGP signing"?

Instead of leaving your key signing up to your friends, PGP could benefit from a policy-based signature. You could come up with any number of policies:

o This keyholder is a Mason/Scout/Rotarian.
o This keyholder is a Catholic/Mormon/Lutheran/Quaker.
o This keyholder paid $X to sign their key (where X is a number large enough that key abandonment has consequences).
o This keyholder has $Y in escrow, to be paid out under some circumstances.
o This keyholder has identified themselves to a Notary Public. A photocopy of the identification is on file.
o And last but not least: this keyholder publishes their key's signature weekly in the Sunday New York Times.

-- 
-russ nelson [EMAIL PROTECTED]  http://russnelson.com  | If I knew the
Crynwr sells support for free software  | PGPok |         destination of the
521 Pleasant Valley Rd.   | +1 315 268 1925 voice | handbasket, I never would
Potsdam, NY 13676-3213    | +1 315 268 9201 FAX   | have gotten into it!
Re: Is PGP broken?
> > Not to mention anything about PGP keyservers, or the utter and complete absence of anybody doing point-source PGP signing.
>
> Yeah, the whole system looks none too scaleable.

It certainly isn't. Please keep in mind, however, that the pgp.net keyserver system is in no way related to NAI and/or pgp.com. Given that all the keyservers are being operated by volunteers in their spare time the system runs fairly well.

BTW, what do you mean by "point-source PGP signing"?

Cheers,

Stefan.

---
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail [EMAIL PROTECTED], http://www.secorvo.de
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
Re: Is PGP broken?
Adam Back writes:

> And lastly even if they had done it right, GPG went in and fucked it up some more by sticking religiously to the "don't use patented algorithms" free software mantra to the huge detriment of PGP interoperability.

You have to agree that the "not using patented algorithms" thing solves the problem once and for all, if in a somewhat Gordian way (partly breaking backwards compatibility). We would never have had any problems if not for PGP screwing it up -- by using potentially problematic pieces of code.

As PGP's track record went from "angelic" to "distinctly tarnished", I stopped using it. Many other people I know did as well. I've switched to GPG, which hasn't got any track record so far, once it became stable. We'll wait and see how they do.

I don't think there is currently any alternative to GPG. (The king is dead, long live the king). In fact I'm surprised this isn't as evident as I expected, since it is being discussed here. Please tell me why I should stop using GPG and go back to using PGP, any version of it.
Re: Is PGP broken?
- Original Message -
From: "Bram Cohen" [EMAIL PROTECTED]
To: "Russell Nelson" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 29, 2000 10:55 AM
Subject: Re: Is PGP broken?

> What we really need is a system which just stops passive attacks. The best idea I've come up with so far is for all outgoing messages to have a public key attached, and if you have the public key of an email address you're sending to you use it. If you receive a different public key than one you saw before, you overwrite the old one.

Uhm, that sounds dangerous: what if Mallet sent me a mail faking your return address, and attaching his public key? My reply to you would be readable by him. In S/MIME this trick of attaching the public keys works because they are signed by a trusted (well, sort of) third party, which rarely changes keypair.

> This doesn't stop active attacks at all, but would be very easy to use.

Then, sending plaintext would be even easier :-)

If it may be of any comfort (or perhaps enhanced desperation), the S/MIME community has similar headaches: in these days, the [EMAIL PROTECTED] list is debating whether, in S/MIME v.3, RSA should be made a MUST algorithm together with, or in alternative to, DSS and D-H. At this moment (RFC2630) neither RSA nor RC2 are MUST, so interoperability is not guaranteed with v.2 agents...

Enzo
Re: Is PGP broken?
On 29 Nov 2000, at 7:07, Stephan Eisvogel wrote:

> Adam Back wrote:
>
> > (And also without IDEA support for patent reasons even now that the RSA patent has expired.)
>
> Do you know when the IDEA patent will expire? I will hold a small party myself then. B)

The EP 0 482 154 of ASCOM TECH AG has been filed on May 16, 1991. Add 20 Years. If ASCOM TECH AG pays annual renewal fees to the respective national Patent Offices every year. Otherwise it might lapse earlier.

Axel H Horns
Re: Is PGP broken?
On Tue, 28 Nov 2000, Russell Nelson wrote:

> Is it just me, or is PGP broken? I don't mean any particular version of PGP -- I mean the fact that there are multiple versions of PGP which generate incompatible cryptography.

I'd say that's an accurate assessment.

> Presuming that I'm right, is anyone attempting to fix PGP?

Not that I've heard of.

> Not to mention anything about PGP keyservers, or the utter and complete absence of anybody doing point-source PGP signing.

Yeah, the whole system looks none too scaleable.

What we really need is a system which just stops passive attacks. The best idea I've come up with so far is for all outgoing messages to have a public key attached, and if you have the public key of an email address you're sending to you use it. If you receive a different public key than one you saw before, you overwrite the old one. This doesn't stop active attacks at all, but would be very easy to use. The worst that could really happen is that I lose my key info, construct new stuff, and next time Russ sends me mail I respond 'sorry, but I lost my old private key, please send that last message again'. The only real gotcha is that the first message is unencrypted, and that's not a big deal, especially when you know about it and always send a 'checking to make sure I got your address right' message to start things off.

-Bram Cohen
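The attach-a-key scheme Bram proposes above, combined with the signed short-lived reply keys Ian Brown describes earlier in the thread and the check that Enzo Michelangeli's Mallet objection calls for, as an added Go example. This is not code from the thread, from any of its authors, or from any PGP or GPG implementation; it uses only the Go standard library (Ed25519 for the long-lived key, X25519 plus AES-GCM for the per-message key). The `Message` layout, the `pfs-eph-key:` signing domain, SHA-256 standing in for a proper KDF, the fixed nonce, and the addresses are all assumptions of the example, not OpenPGP formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Message is what a mailer attaches under the thread's scheme: a long-lived signing
// key, a fresh X25519 key for the reply, and a signature binding the two (hypothetical types).
type Message struct {
	From      string
	SigPub    ed25519.PublicKey // long-lived identity key
	EphPub    []byte            // X25519 public key, new for every message
	Signature []byte            // Ed25519 over "pfs-eph-key:" || EphPub
	Encrypted bool              // false only for the unkeyed first contact
	Body      []byte
}

var ErrKeyMismatch = errors.New("long-lived key differs from the pinned key")
var ErrBadSignature = errors.New("ephemeral key not signed by the sender's key")
var zeroNonce = make([]byte, 12) // safe: the sender's key is fresh per message, so each derived key encrypts exactly once

func signedBytes(ephPub []byte) []byte { return append([]byte("pfs-eph-key:"), ephPub...) }

// Compose makes a fresh X25519 pair, signs its public half with the sender's long-lived
// key and encrypts body to peerEph if one is known (nil = the unencrypted first contact).
// The returned private key alone opens the reply: file it with the sent mail, then discard.
func Compose(from string, sigPriv ed25519.PrivateKey, body, peerEph []byte) (Message, *ecdh.PrivateKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Message{}, nil, err
	}
	m := Message{From: from, SigPub: sigPriv.Public().(ed25519.PublicKey), EphPub: eph.PublicKey().Bytes()}
	m.Signature = ed25519.Sign(sigPriv, signedBytes(m.EphPub))
	if peerEph == nil {
		m.Body = body
		return m, eph, nil
	}
	aead, err := sessionAEAD(eph, peerEph)
	if err != nil {
		return Message{}, nil, err
	}
	m.Encrypted = true
	m.Body = aead.Seal(nil, zeroNonce, body, signedBytes(m.EphPub))
	return m, eph, nil
}

// Open decrypts an encrypted reply with the private key filed for the message it answers.
func Open(replyKey *ecdh.PrivateKey, m Message) ([]byte, error) {
	aead, err := sessionAEAD(replyKey, m.EphPub)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, zeroNonce, m.Body, signedBytes(m.EphPub))
}

// sessionAEAD turns X25519(ours, theirs) into an AES-256-GCM key.
func sessionAEAD(ours *ecdh.PrivateKey, theirs []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(theirs)
	if err != nil {
		return nil, err
	}
	shared, err := ours.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)      // stands in for a proper KDF here
	block, _ := aes.NewCipher(key[:]) // 32-byte key, cannot fail
	return cipher.NewGCM(block)
}

// KeyStore pins the first long-lived key seen for an address (trust on first use) and
// then accepts a new encryption key only if that pinned key signed it. "Overwrite the
// old one" would instead let a forged From: line carrying Mallet's key replace Alice's.
type KeyStore struct {
	Pinned  map[string]ed25519.PublicKey
	Current map[string][]byte // latest verified ephemeral key per address
}

func (ks *KeyStore) Accept(m Message) error {
	if ks.Pinned == nil { // a zero KeyStore is usable
		ks.Pinned, ks.Current = map[string]ed25519.PublicKey{}, map[string][]byte{}
	}
	if pinned, seen := ks.Pinned[m.From]; seen && !pinned.Equal(m.SigPub) {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(m.SigPub, signedBytes(m.EphPub), m.Signature) {
		return ErrBadSignature
	}
	ks.Pinned[m.From] = m.SigPub
	ks.Current[m.From] = m.EphPub
	return nil
}
```

Three things in the thread show up directly. The first contact goes out in the clear and is where the pin is taken, so a Mallet who writes to Bob before Alice does still wins; pinning does not fix that, it only turns every later key change into an `ErrKeyMismatch` the mailer can show the user instead of a silent overwrite. The private key `Compose` returns is what Ian's "in transit" folder would hold next to the sent message: while it exists the reply can be read, and once it is discarded (or, in Bram's case, lost) the reply cannot be decrypted by anyone, which is the forward secrecy and also the "please send that last message again" situation. Rejected messages leave the cached keys untouched, so a forged or tampered attachment cannot redirect the next reply.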
Re: Is PGP broken?
Fixing incompatibility of OpenSource OpenPGP implementations with PGP 2.x is difficult due to the royalties demanded by IDEA's patent holders (at least, for non-personal use). Efficient key distribution (or lack thereof) is a serious problem, but most people don't try to use it anyway, preferring peer-to-peer manual exchanges followed by out-of-band authentication of the fingerprint...

Enzo

- Original Message -
From: "Russell Nelson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 29, 2000 10:22 AM
Subject: Is PGP broken?

> Is it just me, or is PGP broken? I don't mean any particular version of PGP -- I mean the fact that there are multiple versions of PGP which generate incompatible cryptography. Half the time when someone sends me a PGP-encrypted message, I can't decrypt it.
>
> Presuming that I'm right, is anyone attempting to fix PGP?
>
> Not to mention anything about PGP keyservers, or the utter and complete absence of anybody doing point-source PGP signing.
>
> -- 
> -russ nelson [EMAIL PROTECTED]  http://russnelson.com
> Crynwr sells support for free software  | PGPok |         | The best way to help the poor
> 521 Pleasant Valley Rd.   | +1 315 268 1925 voice | is to help the rich build
> Potsdam, NY 13676-3213    | +1 315 268 9201 FAX   | up their capital.
Re: Is PGP broken?
No, it's not just you, it is indeed broken.

So there are a number of culprits:

- Probably mainly RSA for being difficult to deal with, and in general letting loose a bunch of rabid lawyers on the crypto community. Fortunately the patent has now expired.

- PGP/NAI for shipping versions without RSA support, and for some of that time shipping add-ons which added RSA support

- GPG/FSF for shipping versions without RSA support for patent reasons. (And also without IDEA support for patent reasons even now that the RSA patent has expired.)

I hate patents.

It seems also there was a fair bit of stupidity on the part of PGP. I think they were trying to deal with the problems RSA were causing them, when they tried to renege on the license to use RSA that PGP acquired through ViaCrypt or whatever the story was. But then they apparently decided to consciously try to stamp out use of RSA, and release versions without RSA support during times when they in fact could use RSA. PRZ was I'm pretty sure I recall trying to persuade people to stop using it.

As good cause as it was to stop people using RSA before the RSA patent expired -- the approach taken had precisely the opposite effect of that desired. Loads of people stuck to 2.x because it was the only version that worked. If they had instead made the upgrade smooth with no incompatibility issues, I reckon a lot more people would've moved over to pgp5.x/6.x. I know I tried it several times and gave up in disgust.

And lastly even if they had done it right, GPG went in and fucked it up some more by sticking religiously to the "don't use patented algorithms" free software mantra to the huge detriment of PGP interoperability. The only remaining patent problem is IDEA, and they are incredibly reasonable about licensing compared to RSA (non-commercial use free, fixed published licensing terms, etc)

I'm sure Vin'll give us the RSA labs spin... over to you Vin :-)

Perhaps even some PGP folks would like to defend their decisions to release PGP versions without RSA support.

Adam

> Is it just me, or is PGP broken? I don't mean any particular version of PGP -- I mean the fact that there are multiple versions of PGP which generate incompatible cryptography. Half the time when someone sends me a PGP-encrypted message, I can't decrypt it.
>
> Presuming that I'm right, is anyone attempting to fix PGP?
>
> Not to mention anything about PGP keyservers, or the utter and complete absence of anybody doing point-source PGP signing.