OpenPGP (RFC4880bis & RFC4880bisbis) wishlist
In the absence of a better place to document this, I'd like to collect problems with the OpenPGP wire format. Feel free to discuss and add.
-
S2K objects need to be prefixed by an explicit length -
SKESK5 packets do not contain the symmetric algorithm, so they can not be used with a SEIP container - We clarified the fact that SKESK5 packets can only be combined with SEIPDv2 packets.
-
key flags subpacket should be mandatory for subkey binding signatures -
have a policy on how to treat multiple subpackets of the same type - for most of them having multiple would invalidate the signature (as in, it is well-formed but can never verify positive, like what happens to critical, unknown notations)
-
add a better way to scope trust signatures than regular expressions -
a tsig depth of 255 should mean infinite, not 255 (#365 (closed)) -
Change 16-bit subpacket area size to 32 bits. -
The AEAD chunk size should be fixed to e.g. 64kb. - Not fixed size, but at least capped at 4 megabytes.
-
Add the ability to reuse session keys, e.g., include a "nonce" to the SEIP/AED packet that the session key extracted from the PKESK / SKESK is xor'd with. -
For key revocations, there should be a subpacket "SuceededBy" to facilitate primary key rotation. It could include a fingerprint, the new key, and/or a tsig. -
Standardize how to represent certificates with some keys containing secret key material (https://tests.sequoia-pgp.org/#Detached_primary_key). -
Add salt to the signature. It would be even better if this salt were at the start of the hashed data. That would have completely frustated the SHA-1 is a shambles attack. - add your pet peeve here...
Edited by Justus Winter