Re: [PATCH 00/14] KEYS: Add support for PGP keys and signatures

From: Jason A. Donenfeld
Date: Mon Jan 17 2022 - 09:35:07 EST


Hi,

While it looks like you put a lot of work into this patchset, I think
the general idea of adding PGP *to the kernel* is a pretty daunting
proposition. The general consensus in the crypto engineering world is
that PGP ought to be on its way out. We definitely don't want to
perpetuate this project-on-life-support into the permanence of kernel
code. Some quick Google searches will reveal a litany of blog posts to
the tune of, "why oh why are people still using this?" Here's one from
2019: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html . I
think these are arguments to take seriously. And even if you disagree
with some parts, you may want to consider whether the remaining parts
warrant a bit of pause before adding this to the kernel and perpetuating
PGP's design further.

If you're looking for a simple signature mechanism to replace the use of
X.509 and all of that infrastructure, may I suggest just coming up with
something simple using ed25519, similar to signify or minisign? Very
minimal code in the kernel, in userspace, and very few moving parts to
break.

Jason
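
As an added illustration (not part of the original message, and not code from signify, minisign or the kernel), here is how few moving parts a signify-style Ed25519 check has. The blob layout is modelled on signify's; the seed, key number and payload are constructed, and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Blob layout modelled on signify, minus its base64 and comment line (assumed here):
// "Ed" | 8-byte key number | 32-byte public key or 64-byte signature.
const tag, hdrLen = "Ed", 2 + 8

func pack(num [8]byte, body []byte) []byte { return append(append([]byte(tag), num[:]...), body...) }

func unpack(blob []byte, bodyLen int) (num, body []byte, ok bool) {
	if len(blob) != hdrLen+bodyLen || string(blob[:2]) != tag {
		return nil, nil, false
	}
	return blob[2:hdrLen], blob[hdrLen:], true
}

// Verify is the entire trust decision: one fixed size, one algorithm tag, one key.
func Verify(pubBlob, sigBlob, msg []byte) error {
	pubNum, pub, ok1 := unpack(pubBlob, ed25519.PublicKeySize)
	sigNum, sig, ok2 := unpack(sigBlob, ed25519.SignatureSize)
	if !ok1 || !ok2 {
		return errors.New("malformed blob")
	}
	if !bytes.Equal(pubNum, sigNum) {
		return errors.New("signature made by a different key")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo signs msg with a constructed key (fixed seed, made-up key number).
func Demo(msg []byte) (pubBlob, sigBlob []byte) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	num := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}
	return pack(num, priv.Public().(ed25519.PublicKey)), pack(num, ed25519.Sign(priv, msg))
}

func main() {
	pub, sig := Demo([]byte("constructed payload"))
	fmt.Println(Verify(pub, sig, []byte("constructed payload")), Verify(pub, sig, []byte("tampered")))
}
```
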