-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
age-plugin: Add labels extension to recipient-v1
#37
base: main
Are you sure you want to change the base?
Conversation
- The `x25519` recipient stanza has an implicit empty label set. | ||
- The `scrypt` recipient stanza has an implicit label set containing a single | ||
random label. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In str4d/rage#365 (comment) I noted that we also need to decide on how file header grease (currently unspecified) interacts with the label set, because what it results in is extra stanzas.
The simplest approach, and the one compatible with the behaviour of pre-labels clients, is that grease has an implicit empty label set. This lets it be added alongside x25519
and any pre-labels plugins, but not alongside scrypt
. However, it means that plugins which start using labels would as a side-effect never have their headers greased. This might be fine (and in fact would probably be a nice side-effect for corp usage, where you probably don't want random extra stanzas), but would be annoying for e.g. postquantum-only headers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's indeed a greasing loss, but probably worth it to keep the implementation general. Empty label set sounds right.
- The `x25519` recipient stanza has an implicit empty label set. | ||
- The `scrypt` recipient stanza has an implicit label set containing a single | ||
random label. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's indeed a greasing loss, but probably worth it to keep the implementation general. Empty label set sounds right.
treat the plugin's recipient stanzas has having an empty label set. | ||
- The `x25519` recipient stanza has an implicit empty label set. | ||
- The `scrypt` recipient stanza has an implicit label set containing a single | ||
random label. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
random label. | |
random label. In other words, it can't be combined with any other stanza. |
- `(extension-labels)` - indicates that the client is using "labels" to constrain | ||
the recipient stanzas that it will accept. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `(extension-labels)` - indicates that the client is using "labels" to constrain | |
the recipient stanzas that it will accept. | |
- `(extension-labels)` - indicates that the client supports "labels" to constrain | |
the recipient stanzas and will accept a `labels` command in phase 2. |
- The order of labels in the command is undefined. Clients MUST treat them as a | ||
set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- The order of labels in the command is undefined. Clients MUST treat them as a | |
set. | |
- The order of labels in the command is irrelevant. Clients MUST treat them as an | |
unordered set. |
more than once. | ||
- The order of labels in the command is undefined. Clients MUST treat them as a | ||
set. | ||
- Response is `(ok)`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Response is `(ok)`. | |
- Response is `(ok)` or an error. |
postquantum-secure, and that they can only be combined with other stanzas | ||
that are also postquantum-secure. | ||
- *Common private label* - used by plugins created by the same private entity | ||
to permit their recipient stanzas to be used together. For example, private |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to permit their recipient stanzas to be used together. For example, private | |
to permit their recipient stanzas to be used only together. For example, private |
recipient stanzas it generates in this phase. | ||
- Labels can have any value, but usually take one of several forms: | ||
- *Common public label* - used by multiple plugins to permit their recipient | ||
stanzas to be used together. Examples include: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
stanzas to be used together. Examples include: | |
stanzas to be used only together. Examples include: |
Designed with @FiloSottile.
This extension to
recipient-v1
enables clients to require that plugins provide a set of labels at encryption time. These labels are used to restrict which stanzas can appear together in the same file header.We don't make any changes to
identity-v1
because decryption time restrictions are pointless: an attacker can drop stanzas or reuse the single stanza.This can be used for