Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1422665AbbEUQ7K (ORCPT ); Thu, 21 May 2015 12:59:10 -0400 Received: from lan.nucleusys.com ([92.247.61.126]:43948 "EHLO zztop.nucleusys.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S964804AbbEUQ7F (ORCPT ); Thu, 21 May 2015 12:59:05 -0400 Date: Thu, 21 May 2015 19:58:56 +0300 From: Petko Manolov To: Andy Lutomirski Cc: David Howells , "Luis R. Rodriguez" , Andy Lutomirski , LSM List , James Morris , "Serge E. Hallyn" , "linux-kernel@vger.kernel.org" , Linux Wireless List , Kyle McMartin , David Woodhouse , Seth Forshee , Greg Kroah-Hartman , Joey Lee , Rusty Russell , Mimi Zohar , Konstantin Ryabitsev , Michal Marek , Abelardo Ricart III , Sedat Dilek , keyrings@linux-nfs.org, Borislav Petkov , Jiri Kosina , Linus Torvalds Subject: Re: [RFD] linux-firmware key arrangement for firmware signing Message-ID: <20150521165856.GJ18164@localhost> Mail-Followup-To: Andy Lutomirski , David Howells , "Luis R. Rodriguez" , Andy Lutomirski , LSM List , James Morris , "Serge E. Hallyn" , "linux-kernel@vger.kernel.org" , Linux Wireless List , Kyle McMartin , David Woodhouse , Seth Forshee , Greg Kroah-Hartman , Joey Lee , Rusty Russell , Mimi Zohar , Konstantin Ryabitsev , Michal Marek , Abelardo Ricart III , Sedat Dilek , keyrings@linux-nfs.org, Borislav Petkov , Jiri Kosina , Linus Torvalds References: <20150519221128.GP23057@wotan.suse.de> <20150519200232.GM23057@wotan.suse.de> <555BA438.2070802@kernel.org> <9567.1432223509@warthog.procyon.org.uk> <20150521164313.GH18164@localhost> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Score: -1.0 (-) X-Spam-Report: Spam detection software, running on the system "zztop.nucleusys.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: On 15-05-21 09:48:10, Andy Lutomirski wrote: > On Thu, May 21, 2015 at 9:43 AM, Petko Manolov wrote: > > On 15-05-21 16:51:49, David Howells wrote: > >> > >> I do have patches to parse PGP key data and add the public keys found therein > >> onto the kernel keyring, but that would mean adding an extra key data parser. > > > > PGP is widely used so i would gladly have one more parser in the kernel. > > > PGP is also a crappy format: > > http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html > > and using PGP means we're probably stuck with PKCS#1 v1.5, which should have > been phased out worldwide many years ago. > > In any event, I don't see why PGP compatibility requires any sort of > OpenPGP parser in the kernel. Just because GnuPG goes out of its way > to be incompatible with anything other than the OpenPGP ecosystem > doesn't mean that you can't relatively straightforwardly generate raw > PKCS#1 signatures from an OpenPGP key. > [...] Content analysis details: (-1.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1587 Lines: 37 On 15-05-21 09:48:10, Andy Lutomirski wrote: > On Thu, May 21, 2015 at 9:43 AM, Petko Manolov wrote: > > On 15-05-21 16:51:49, David Howells wrote: > >> > >> I do have patches to parse PGP key data and add the public keys found therein > >> onto the kernel keyring, but that would mean adding an extra key data parser. > > > > PGP is widely used so i would gladly have one more parser in the kernel. > > > PGP is also a crappy format: > > http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html > > and using PGP means we're probably stuck with PKCS#1 v1.5, which should have > been phased out worldwide many years ago. > > In any event, I don't see why PGP compatibility requires any sort of > OpenPGP parser in the kernel. Just because GnuPG goes out of its way > to be incompatible with anything other than the OpenPGP ecosystem > doesn't mean that you can't relatively straightforwardly generate raw > PKCS#1 signatures from an OpenPGP key. > Oh, i do agree with you in terms of quality of both formats. However, this is what is commonly used these days and not having these parsers in the kernel would require us to write tools for conversion to saner format. Which does not exist for the moment. Once we have those in place it would be all the same to me. Petko -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/