Please write respectfully on this list (Re: PQC public key format specification)

Bernhard Reiter bernhard at intevation.de
Thu Feb 15 12:06:22 CET 2024


Am Donnerstag 15 Februar 2024 10:35:53 schrieb Heiko Schäfer via 
LibrePGP-discuss:
> Just a bit up in this same thread, Werner explained that the design of
> draft-wussler is "alien to the OpenPGP way", which I understand as:
> considering the design a "mistake", because the design is "not in the
> spirit" of OpenPGP.
>
> Andrew's reply picked up the structure of this argument, and made a
> counterpoint to it. That seemed reasonable to me, at the time.

There was more context to Andrew's statement:

| They could have been stored on the card (plenty of room since ECC keys are 
| smaller than RSA) or they could have been stored in the spec (by defining 
| fixed values) but the practice that emerged was neither. It retained 
| algorithmic agility but at the cost of added failure modes (and a 
| combinatoric explosion). Was this in the spirit of the OpenPGP way of doing 
| things? It's certainly arguable that it was not and that we shouldn't repeat 
| that mistake.      

That statement assumes that not storing the the parameters on the card
was a mistake without reason and can be misread (over the full comment) that 
making mistakes or not correcting them would be "the spirit of the OpenPGP 
way". I do not think that Andrew meant it this way, but I'll find it okay for 
Werner to remind the list that going more down that direction will at some 
point be subject to moderation.

But again this is just my take on it, trying to increase the understanding.
I am not the moderator on this list and I haven't made the rules.
(This is why I gave "my take" on it.)

> Could you 
> please clarify why statements such as:
> > the way the Wussler draft used the algorithm IDs is alien to the
> > OpenPGP way

I did understand this as a technical history,
that IDs have been used differently in OpenPGP in previous years.

> or, for that matter:
> > Nobody with a sane mind uses the metadata to directly save to a file
> > with that name without taking necessary precautions

Again that seems to be specific technical consensus.
Like documented here
 https://www.rfc-editor.org/rfc/rfc6266#page-5
about the filename parameter of the Content-Disposition header in mails:
 It is essential that recipients treat the specified filename as
 advisory only, and thus be very careful in extracting the desired
 information.

I am not sure if Werner assumed that anyone here had proposed doing that 
different specifically and thus meant this person would not have "a sane 
mind". If that were a likely missread I would also consider it outside
of the proposed mailinglist rules. 

Regards
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://librepgp.org/pipermail/librepgp-discuss/attachments/20240215/fcf9b4f6/attachment.sig>


More information about the LibrePGP-discuss mailing list