
From johnsonhammond1@hushmail.com  Sat Apr 27 17:27:54 2013
MIME-Version: 1.0
Date: Sat, 27 Apr 2013 13:33:05 -0400
To: openpgp@ietf.org
From: johnsonhammond1@hushmail.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20130427173305.93A42E6739@smtp.hushmail.com>
Subject: [openpgp] Biggest Fake Conference in Computer Science
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Apr 2013 00:27:54 -0000

Biggest Fake Conference in Computer Science


We are researchers from different parts of the world and conducted a study on  
the world’s biggest bogus computer science conference WORLDCOMP 
( http://sites.google.com/site/worlddump1 ) organized by Prof. Hamid Arabnia 
from University of Georgia, USA.


We submitted a fake paper to WORLDCOMP 2011 and again (the same paper 
with a modified title) to WORLDCOMP 2012. This paper had numerous 
fundamental mistakes. Sample statements from that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example for a super computer
(7). Operating system is an example for computer hardware


Also, our paper did not express any conceptual meaning.  However, it 
was accepted both the times without any modifications (and without 
any reviews) and we were invited to submit the final paper and a 
payment of $500+ fee to present the paper. We decided to use the 
fee for better purposes than making Prof. Hamid Arabnia (Chairman 
of WORLDCOMP) rich. After that, we received few reminders from 
WORLDCOMP to pay the fee but we never responded. 


We MUST say that you should look at the above website if you have any thoughts 
to submit a paper to WORLDCOMP.  DBLP and other indexing agencies have stopped 
indexing WORLDCOMP’s proceedings since 2011 due to its fakeness. See 
http://www.informatik.uni-trier.de/~ley/db/conf/icai/index.html for one of the 
conferences of WORLDCOMP and notice that there is no listing after 2010. See Section 2 of
http://sites.google.com/site/dumpconf for comments from well-known researchers 
about WORLDCOMP. 


The status of your WORLDCOMP papers can be changed from scientific
to other (i.e., junk or non-technical) at any time. Better not to have a paper than 
having it in WORLDCOMP and spoil the resume and peace of mind forever!


Our study revealed that WORLDCOMP is a money making business, 
using University of Georgia mask, for Prof. Hamid Arabnia. He is throwing 
out a small chunk of that money (around 20 dollars per paper published 
in WORLDCOMP’s proceedings) to his puppet (Mr. Ashu Solo or A.M.G. Solo) 
who publicizes WORLDCOMP and also defends it at various forums, using 
fake/anonymous names. The puppet uses fake names and defames other conferences
to divert traffic to WORLDCOMP. He also makes anonymous phone calls and tries to 
threaten the critiques of WORLDCOMP (See Item 7 of Section 5 of above website). 
That is, the puppet does all his best to get a maximum number of papers published 
at WORLDCOMP to get more money into his (and Prof. Hamid Arabnia’s) pockets. 


Monte Carlo Resort (the venue of WORLDCOMP for more than 10 years, until 2012) has 
refused to provide the venue for WORLDCOMP’13 because of the fears of their image 
being tarnished due to WORLDCOMP’s fraudulent activities. That is why WORLDCOMP’13 
is taking place at a different resort. WORLDCOMP will not be held after 2013. 


The draft paper submission deadline is over but still there are no committee 
members, no reviewers, and there is no conference Chairman. The only contact 
details available on WORLDCOMP’s website is just an email address! 

Let us make a direct request to Prof. Hamid Arabnia: publish all reviews for 
all the papers (after blocking identifiable details) since 2000 conference. Reveal 
the names and affiliations of all the reviewers (for each year) and how many 
papers each reviewer had reviewed on average. We also request him to look at 
the Open Challenge (Section 6) at https://sites.google.com/site/moneycomp1 


Sorry for posting to multiple lists. Spreading the word is the only way to stop 
this bogus conference. Please forward this message to other mailing lists and people. 


We are shocked with Prof. Hamid Arabnia and his puppet’s activities 
http://worldcomp-fake-bogus.blogspot.com   Search Google using the 
keyword worldcomp fake for additional links.


From jeanjacquesbrucker@gmail.com  Mon Apr 29 02:15:58 2013
Date: Mon, 29 Apr 2013 11:15:32 +0200
From: Jean-Jacques <jeanjacquesbrucker@gmail.com>
To: openpgp@ietf.org
Message-ID: <20130429111532.7e53c7f6@gmail.com>
In-Reply-To: <517E0250.1040708@sixdemonbag.org>
References: <20121212104620.GA35659@redoubt.spodhuis.org> <50D0AB16.5020505@brainhub.org> <CAN+za=O4NcLtN=Etm-7UC4SY=ndan_0n167rkDfKqcpEp0W25g@mail.gmail.com> <2584059.Q9cNNqxsta@inno> <517E0250.1040708@sixdemonbag.org>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; x86_64-mageia-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=PGP-SHA1; boundary="Sig_/7=guc+j1815X+yMkqOgdX=q"; protocol="application/pgp-signature"
Subject: Re: [openpgp] OpenPGPv5 wish list

--Sig_/7=guc+j1815X+yMkqOgdX=q
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable


On Mon, 29 Apr 2013 01:17:04 -0400,
"Robert J. Hansen" <rjh@sixdemonbag.org> wrote:

> On 4/28/2013 10:37 PM, Hauke Laging wrote:
> > Other things we IMHO really need notation standards for:
>
> This really isn't the place for it, guys.  GnuPG-devel is for
> discussion of how to make GnuPG track the standard better; the
> OpenPGP list is for discussion of how to make the standard itself
> better.

Yep, so I switched the thread to the other mailing list.
>
> > Things I want in the protocol:
>
> I'll make my own wish list simple:
>=20
> I don't want *anything* new included in the standard unless there
> exists at least one user who says, "the absence of this feature is a
> showstopper for me and is blocking my adoption of GnuPG."  This user
> needs to be able to show a real-world use case and be willing to
> volunteer to run trials in a real-world environment.
>
> No real-world user?  No feature.

So I answered because I really "need" such a feature in OpenPGP for the
real world:

2) What is the key used for?

And I see at least 4 purposes:
 - To authenticate itself through TLS  [RFC6091]
 - Maybe to sign other certificates (subkeys on smartcard issues)
 - To authenticate through HTTP (gpgauth or
   https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt)
 - To sign an OpenUDC transaction.

I work especially on the 2 last purposes. And having the possibility
for the owner to set descriptions, or more flags on its (sub)keys inside
its OpenPGP certificate, would be a more elegant solution than some
workaround we have to manage.

>
> That's my own wish list, and I desperately hope it comes to pass.  :)
>
We have to better organize a wish list, or it will be a mess to
identify its elements. :-)

---
jbar.

--Sig_/7=guc+j1815X+yMkqOgdX=q--

From iang@iang.org  Mon Apr 29 02:40:22 2013
Message-ID: <517E3FFE.1070005@iang.org>
Date: Mon, 29 Apr 2013 12:40:14 +0300
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: openpgp@ietf.org
References: <20121212104620.GA35659@redoubt.spodhuis.org> <50D0AB16.5020505@brainhub.org> <CAN+za=O4NcLtN=Etm-7UC4SY=ndan_0n167rkDfKqcpEp0W25g@mail.gmail.com> <2584059.Q9cNNqxsta@inno> <517E0250.1040708@sixdemonbag.org> <20130429111532.7e53c7f6@gmail.com>
In-Reply-To: <20130429111532.7e53c7f6@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [openpgp] OpenPGPv5 wish list

On 29/04/13 12:15 PM, Jean-Jacques wrote:

> 2) What is the key used for?
>
> And I see at least 4 purposes :
>   - To authenticate itself through TLS  [RFC6091]
>   - Maybe To sign other certificates (subkeys on smartcard issues)
>   - To authenticate through HTTP (gpgauth or
>     https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt)
>   - To sign an OpenUDC transaction.
>
> I work especially on the 2 last purposes. And having the possibility
> for the owner to set descriptions, or more flags on its (sub)keys inside
> its OpenPGP certificate, would be a more elegant solution than some
> workaround we have to manage.


Some comments from my experience/perspective, only.  In my work I have 
done this by using pgp's comment field aka uid.  Here's some:

$ gpg -k | grep uid

uid                  Iang [certification] (Africa-2012) <iang@iang.org>
uid                  Iang [contract] (lowsec-PIZZA-only) <iang@iang.org>
uid                  Systemics [operator] (Africa-2012) <iang@iang.org>
uid                  Systemics [server] (Babba-2012) <iang@iang.org>
uid                  Systemics [receipt] (Babba-2012) <iang@iang.org>
uid                  Systemics [receipt] (offa-20130101) <iang@iang.org>
uid                  Systemics [server] (offa-20130102) <iang@iang.org>


In my software I use the [tag] for the purpose, the (text) as a human 
comment, and everything else as the name of the keyholder.  You could do 
whatever tho.

Perhaps more on point, I do not want the OpenPGP system to provide me 
with bits that allow me to set purpose or anything else, because OpenPGP 
is too low-level.  My designed claims like "this is an operator key" are 
too involved in the business layer to be foisted onto anyone else.  The 
history of key-bits being used for human claims suggests this is a fast 
way to failure.  E.g., non-revocation and the infamous 
you-must-understand-me bit.

I don't know if this logic applies to anyone else.  But if it did, 
hypothetically, I might record your claims in my key uids as such:



uid                  Iang [HTTP-auth] (social-networks) <iang@iang.org>
uid                  Systemics [UDC-agent] (Black-2012) <iang@iang.org>





iang
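
The UID convention described in the message above ([tag] for the purpose, (text) as a human comment, everything else as the keyholder name), sketched as a parser with a fail-closed purpose check. This is an added example, not code from the poster's software; the names `TaggedUid`, `parse_uid`, `uids_from_listing` and `select_for_purpose` are hypothetical, and the listing layout is assumed to be the one shown in the post.

```python
import re
from typing import List, NamedTuple, Optional


class TaggedUid(NamedTuple):
    holder: str              # everything outside the delimiters
    purpose: Optional[str]   # the [tag]
    comment: Optional[str]   # the (text)
    email: Optional[str]     # the <address>


# One pattern per delimited field; a field may appear at most once.
_FIELDS = (
    ("purpose", re.compile(r"\[([^\[\]]*)\]")),
    ("comment", re.compile(r"\(([^()]*)\)")),
    ("email", re.compile(r"<([^<>]*)>")),
)


def parse_uid(uid: str) -> TaggedUid:
    """Split a UID string into holder, purpose tag, comment and address.

    Ambiguous input (a repeated field or a stray delimiter) is rejected,
    because a purpose decision must not depend on guessing which tag counts.
    """
    rest, found = uid, {}
    for name, pattern in _FIELDS:
        matches = pattern.findall(rest)
        if len(matches) > 1:
            raise ValueError(f"UID has {len(matches)} {name} fields: {uid!r}")
        found[name] = matches[0].strip() if matches else None
        rest = pattern.sub(" ", rest)
    if any(ch in rest for ch in "[]()<>"):
        raise ValueError(f"unbalanced delimiter in UID: {uid!r}")
    holder = " ".join(rest.split())
    return TaggedUid(holder, found["purpose"], found["comment"], found["email"])


def uids_from_listing(listing: str) -> List[TaggedUid]:
    """Parse the 'uid' lines of a key listing in the layout shown in the post.

    Newer GnuPG releases print a bracketed validity marker before the UID in
    this human-readable listing, which would collide with the [tag]; the
    machine-readable --with-colons output is the safer input there.
    """
    return [parse_uid(line[3:].strip())
            for line in listing.splitlines() if line.startswith("uid")]


def select_for_purpose(uids: List[TaggedUid], purpose: str) -> List[TaggedUid]:
    """Fail closed: only an exact tag match qualifies, untagged UIDs never do."""
    return [u for u in uids if u.purpose is not None and u.purpose == purpose]


# The uid lines quoted in the post, used here as sample input.
SAMPLE_LISTING = """\
uid                  Iang [certification] (Africa-2012) <iang@iang.org>
uid                  Iang [contract] (lowsec-PIZZA-only) <iang@iang.org>
uid                  Systemics [operator] (Africa-2012) <iang@iang.org>
uid                  Systemics [server] (Babba-2012) <iang@iang.org>
uid                  Systemics [receipt] (Babba-2012) <iang@iang.org>
uid                  Systemics [receipt] (offa-20130101) <iang@iang.org>
uid                  Systemics [server] (offa-20130102) <iang@iang.org>
"""

if __name__ == "__main__":
    for uid in select_for_purpose(uids_from_listing(SAMPLE_LISTING), "receipt"):
        print(uid)
```

The tag is only a string the key owner put into the UID, so an application using this convention still has to decide whose certifications on that UID it accepts.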

From philcerf@gmail.com  Mon Apr 29 10:53:41 2013
MIME-Version: 1.0
Date: Mon, 29 Apr 2013 19:53:40 +0200
Message-ID: <CAN+za=NzX4xA53HeqAa46Qx1822bKww9_i__sEY8MWz52tDr-g@mail.gmail.com>
From: Philippe Cerfon <philcerf@gmail.com>
To: openpgp@ietf.org
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Cc: mailinglisten@hauke-laging.de, wk@gnupg.org
Subject: Re: [openpgp] OpenPGPv5 wish list

Moving over to openpgp@ietf.org from gnupg-devel.


On Mon, Apr 29, 2013 at 1:52 PM, Werner Koch <wk@gnupg.org> wrote:
> I don't want the whole X.509 mess introduced in a protocol we tried to
> keep clean for real use.
Well actually the contrary seems to be the case... OpenPGP is rather
only used for mail and plain file encryption/signing, which covers of
course already many fields, but nothing advanced.
It would never have any chance to be used for government ID cards, or
similar projects.

> Please read 5.11:
...
> There is nothing which enforces how you represent the name, you may put
> arbitrary data into the UID.  However, it is common to use a mail
> address and thus GnuPG (by default) checks for that.
Yeah I knew... but right now it's also used for the name of the user,
which is the primary identification property... and it shouldn't be
used for that (from a design POV).


> Why should we change something which has not shown problems in the
> past.  If you want X.509, use X.509 for example with gpgsm.
Obviously I don't want X.509 or I'd use it.
And I don't see how this is touched by X.509 anyway.
Of course there showed never problems up with the critical flag,
simply as no-one uses it... yeah I know, gpg understands it... but one
cannot even set it, can one?




On Mon, Apr 29, 2013 at 4:37 AM, Hauke Laging
<mailinglisten@hauke-laging.de> wrote:
>> 1) much more property fields that describe the key holder
> That's easy as it can be done with notations; no need to change the protocol.
Well technically,... but there need such common notification to be
defined, for all these properties, which is the important part here.


> 1) How secure is the key?
> 2) What is the key used for?
> 3) How was the identity checked when certifying, how the email address and how
> the comment?
Absolutely agreed... especially in a machine understandable way.

> 4) What statement does this signature make?
That could be done via policy sig subpackets... even though this is
not exactly defined right now.


> You should not be forced to sign a UID as a whole.
In principle yes... it's handy though to have a unique identifier
(which is not the fingerprint) on keys... whether this needs to be
signed by other users or just by the key itself is another question.


> 1) For compatibility with the signature laws: We really need the option to
> extend certifications from UIDs to subkeys. That way you could have a "normal"
> key and a CA could be sure that a certain subkey is on a smartcard only.
>
> 2) Officially supported offline main keys. Currently just a GnuPG extension.
> IMHO the most important feature with respect to security (for everyday usage
> keys).
+1

> 3) Double-digest signatures and double-cipher encryption in case one gets
> broken.
Absolutely agreed, though it would be even better to allow arbitrary
number of such.
Maybe one could even think of doing the same with different crypto
systems (i.e. one that was not vulnerable to Shor ;) )

> 4) Signature weight: Limit the signing power of a key (to 1/n) so that
> signatures of n different keys are enforced for paranoid applications.
+1

> 5) Separate header files for encryption. We have detached signatures. Today
> you have to rewrite a huge encrypted file if you want to add (or remove)
> recipients.
Not so sure about this... to me the rationale behind the detached sigs
is rather that you can keep the signed-only file in clean text.
The encrypted file is unreadable anyway, so you can also include the
session key in it... and that you can re-encrypt quite fast at a later
point for different users.




On Mon, Apr 29, 2013 at 7:17 AM, Robert J. Hansen <rjh@sixdemonbag.org> wrote:
> I'll make my own wish list simple:
>
> I don't want *anything* new included in the standard unless there exists
> at least one user who says, "the absence of this feature is a
> showstopper for me and is blocking my adoption of GnuPG."  This user
> needs to be able to show a real-world use case and be willing to
> volunteer to run trials in a real-world environment.
>
> No real-world user?  No feature.
Well that's kinda stupid as it boils down to the hen egg problem, ain't it?
Especially that OpenPGP loses ground in most areas (unless perhaps
OpenSource) against X.509 should already show, that there are many
showstoppers.



Cheers,
Phil.

From wk@gnupg.org  Mon Apr 29 11:48:24 2013
From: Werner Koch <wk@gnupg.org>
To: Philippe Cerfon <philcerf@gmail.com>
References: <CAN+za=NzX4xA53HeqAa46Qx1822bKww9_i__sEY8MWz52tDr-g@mail.gmail.com>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=1E42B367; url=finger:wk@g10code.com
Date: Mon, 29 Apr 2013 20:40:17 +0200
In-Reply-To: <CAN+za=NzX4xA53HeqAa46Qx1822bKww9_i__sEY8MWz52tDr-g@mail.gmail.com> (Philippe Cerfon's message of "Mon, 29 Apr 2013 19:53:40 +0200")
Message-ID: <87wqrlrxim.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: mailinglisten@hauke-laging.de, openpgp@ietf.org
Subject: Re: [openpgp] OpenPGPv5 wish list

On Mon, 29 Apr 2013 19:53, philcerf@gmail.com said:

> Well actually the contrary seems to be the case... OpenPGP is rather
> only used for mail and plain file encryption/signing, which covers of
> course already many fields, but nothing advanced.

Depends on what you call advanced.  OpenPGP is a low-level protocol and
never really tried to address the application layer. 

> It would never have any chance to be used for government ID cards, or
> similar projects.

Why should a government do that?  eID cards started in Europe (iirc, the
German electronic signature law was the first at all).  Europe has a
history of waiting for X, aehmm the OSI network stack, and thus it is
quite obvious that they started with X.400 et al.  Further, you can make
more (consulting) money with weakly defined/complex protocols than with
a clean solution.  The latter almost never wins (cf. IPSec lessons).

> Yeah I knew... but right now it's also used for the name of the user,
> which is the primary identification property... and it shouldn't be
> used for that (from a design POV).

Maybe not for your application, so go and use your own thing for it.
There is nothing which will stop you.  What about putting a DN into it?

> Obviously I don't want X.509 or I'd use it.
> And I don't see how this is touched by X.509 anyway.

Because X.509 has all the useless bells and whistles which have been
suggested in the past as the solution to every problem.  Well alright,
OpenPGP provides very similar ways to implement such features but
fortunately it has not yet been abused

> simply as no-one uses it... yeah I know, gpg understands it... but one
> cannot even set it, can one?

  gpg -N '!foo@example.org=42' ....

makes foo a critical notation.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
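
What the leading `!` in the `gpg -N` example above amounts to on the wire, and how a verifier is expected to treat it, as an added example that is not GnuPG's code. It assumes the RFC 4880 signature subpacket layout (critical flag in bit 7 of the subpacket type octet, notation data as type 20); the function names and the `known_notations` policy set are hypothetical.

```python
import struct
from typing import Iterator, List, Set, Tuple

NOTATION_DATA = 20      # signature subpacket type for notation data
CRITICAL_BIT = 0x80     # bit 7 of the subpacket type octet
HUMAN_READABLE = 0x80   # first of the four notation flag octets


def build_notation(spec: str) -> bytes:
    """Encode a 'name=value' spec as one subpacket; a leading '!' marks it critical."""
    critical = spec.startswith("!")
    name, sep, value = (spec[1:] if critical else spec).partition("=")
    if not sep or not name:
        raise ValueError("expected name=value")
    n, v = name.encode("utf-8"), value.encode("utf-8")
    body = bytes([HUMAN_READABLE, 0, 0, 0]) + struct.pack(">HH", len(n), len(v)) + n + v
    length = 1 + len(body)                      # the length covers the type octet
    if length >= 192:
        raise ValueError("this example only emits one-octet lengths")
    return bytes([length, NOTATION_DATA | (CRITICAL_BIT if critical else 0)]) + body


def parse_subpackets(area: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                          # one-octet length
            length, i = first, i + 1
        elif first < 255:                        # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                    # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        type_octet = area[i]
        yield type_octet & 0x7F, bool(type_octet & CRITICAL_BIT), area[i + 1:i + length]
        i += length


def parse_notation(body: bytes) -> Tuple[str, bytes, bool]:
    """Return (name, value, human_readable) from a notation data body."""
    if len(body) < 8:
        raise ValueError("notation body too short")
    name_len, value_len = struct.unpack(">HH", body[4:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("notation lengths do not match body")
    name = body[8:8 + name_len].decode("utf-8")
    return name, body[8 + name_len:], bool(body[0] & HUMAN_READABLE)


def check_subpackets(area: bytes, known_notations: Set[str],
                     known_types: frozenset = frozenset({NOTATION_DATA})
                     ) -> Tuple[bool, List[str]]:
    """Apply the critical-bit rule: anything critical that this verifier does
    not understand makes the signature unacceptable; non-critical unknowns
    are simply skipped."""
    problems: List[str] = []
    for sp_type, critical, body in parse_subpackets(area):
        if sp_type != NOTATION_DATA:
            if critical and sp_type not in known_types:
                problems.append(f"unknown critical subpacket type {sp_type}")
            continue
        name, _value, _human = parse_notation(body)
        if critical and name not in known_notations:
            problems.append(f"unknown critical notation {name}")
    return (not problems, problems)


if __name__ == "__main__":
    area = build_notation("!foo@example.org=42")
    print(area.hex(), check_subpackets(area, set()))
```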


From philcerf@gmail.com  Mon Apr 29 16:09:18 2013
MIME-Version: 1.0
In-Reply-To: <87wqrlrxim.fsf@vigenere.g10code.de>
References: <CAN+za=NzX4xA53HeqAa46Qx1822bKww9_i__sEY8MWz52tDr-g@mail.gmail.com> <87wqrlrxim.fsf@vigenere.g10code.de>
Date: Tue, 30 Apr 2013 01:08:44 +0200
Message-ID: <CAN+za=PJe+WQ1JkaEF5+WZ+=7OmvRFw+68KDt+bFpZ-KHPbWig@mail.gmail.com>
From: Philippe Cerfon <philcerf@gmail.com>
To: openpgp@ietf.org, Hauke Laging <mailinglisten@hauke-laging.de>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Subject: Re: [openpgp] OpenPGPv5 wish list

On Mon, Apr 29, 2013 at 8:40 PM, Werner Koch <wk@gnupg.org> wrote:
> Depends on what you call advanced.  OpenPGP is a low-level protocol and
> never really tried to address the application layer.
Well I think what has been proposed here now all belongs to the lowest
layer, it's just cleaning up that one and making it more general.
Especially the proposals by Hauke seem to be just what the key
management system should be responsible for and which OpenPGP
currently cannot really fulfil. Like that I have several subkeys where
one is explicitly marked as "not so safe" because I use it e.g. on my
Android phone... and where clients have a machine readable way to warn
me about data signed by such keys.

Also my proposals for having more (standardised) descriptive fields
(name, address, IM, colour of eyes, employee) seems to be quite
crucial to me.
Right now people put such distinguishing information often as comment
into their UID, but that kinda sucks (and it kinda violates the email
RFCs, which tell that any client interpreting mail addresses must
ignore the comments).

Or I'd like to be able to also include IM addresses in the keys, so
that such clients could use this information to select the right key,
which is expected on received messages.


> Why should a government do that?  eID cards started in Europe (iirc, the
> German electronic signature law was the first at all).  Europe has a
> history of waiting for X, aehmm the OSI network stack, and thus it is
> quite obvious that they started with X.400 et al.
Well I know,.. but now we give them even reason.


> Further, you can make
> more (consulting) money with weakly defined/complex protocols than with
> a clean solution.  The latter almost never wins (cf. IPSec lessons).


> Maybe not for your application, so go and use your own thing for it.
> There is nothing which will stop you.  What about putting a DN into it?
Well of course I can always do whatever I want... but isn't the whole
idea of a standard that everyone should follow it as far as possible?
Clearly I can put a semicolon separated list of address, jabber
account, date of birth, name and email address into the UID,... but
everyone will think I'm crazy.


> Because X.509 has all the useless bells and whistles which have been
> suggested in the past as the solution to every problem.  Well alright,
> OpenPGP provides very similar ways to implement such features but
> fortunately it has not yet been abused
Well but X.509 simply sucks for its trust model ;-)


>   gpg -N '!foo@example.org=42' ....
>
> makes foo a critical notation.
And there's a similar syntax for the other signature subpackets? The
dates? The policy sig subpacket? Key usage? etc.?


Cheers!
