[][src]Struct sequoia_openpgp::policy::StandardPolicy

pub struct StandardPolicy<'a> { /* fields omitted */ }

The standard policy.

The standard policy stores when each algorithm in a family of algorithms is no longer considered safe. Attempts to use an algorithm after its cutoff time should fail.

When validating a signature, we normally want to know whether the algorithms used are safe now. That is, we don't use the signature's alleged creation time when considering whether an algorithm is safe, because if an algorithm is discovered to be compromised at time X, then an attacker could forge a message after time X with a signature creation time that is prior to X, which would be incorrectly accepted.

Occasionally, we know that a signature has not been tampered with since some time in the past. We might know this if the signature was stored on some tamper-proof medium. In those cases, it is reasonable to use the time that the signature was saved, since an attacker could not have taken advantage of any weaknesses found after that time.

Implementations

impl<'a> StandardPolicy<'a>[src]

pub const fn new() -> Self[src]

Instantiates a new StandardPolicy with the default parameters.

pub fn at<T>(time: T) -> Self where
    T: Into<SystemTime>, 
[src]

Instantiates a new StandardPolicy with parameters appropriate for time.

time is a meta-parameter that selects a security profile that is appropriate for the given point in time. When evaluating an object, the reference time should be set to the time that the object was stored to non-tamperable storage. Since most applications don't record when they received an object, they should conservatively use the current time.

Note that the reference time is a security parameter and is different from the time that the object was allegedly created. Consider evaluating a signature whose Signature Creation Time subpacket indicates that it was created in 2007. Since the subpacket is under the control of the sender, setting the reference time according to the subpacket means that the sender chooses the security profile. If the sender were an attacker, she could have forged this to take advantage of security weaknesses found since 2007. This is why the reference time must be set---at the earliest---to the time that the message was stored to non-tamperable storage. When that is not available, the current time should be used.

pub fn time(&self) -> Option<SystemTime>[src]

Returns the policy's reference time.

The current time is None.

See StandardPolicy::at for details.

pub fn accept_hash(&mut self, h: HashAlgorithm)[src]

Always considers h to be secure.

pub fn reject_hash(&mut self, h: HashAlgorithm)[src]

Always considers h to be insecure.

pub fn reject_hash_at<N, R>(
    &mut self,
    h: HashAlgorithm,
    normal: N,
    revocation: R
) where
    N: Into<Option<SystemTime>>,
    R: Into<Option<SystemTime>>, 
[src]

Considers h to be insecure starting at normal for normal signatures and at revocation for revocation certificates.

For each algorithm, there are two different cutoffs: when the algorithm is no longer safe for normal use (e.g., binding signatures, document signatures), and when the algorithm is no longer safe for revocations. Normally, an algorithm should be allowed for use in a revocation longer than it should be allowed for normal use, because once we consider a revocation certificate to be invalid, it may cause something else to be considered valid!

A cutoff of None means that there is no cutoff and the algorithm has no known vulnerabilities.

As a rule of thumb, we want to stop accepting a Hash algorithm for normal signature when there is evidence that it is broken, and we want to stop accepting it for revocations shortly before collisions become practical.

As such, we start rejecting MD5 in 1997 and completely reject it starting in 2004:

In 1996, Dobbertin announced a collision of the compression function of MD5 (Dobbertin, 1996). While this was not an attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to a replacement, such as SHA-1 or RIPEMD-160.

MD5CRK ended shortly after 17 August 2004, when collisions for the full MD5 were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo Yu. Their analytical attack was reported to take only one hour on an IBM p690 cluster.

(Accessed Feb. 2020.)

And we start rejecting SHA-1 in 2013 and completely reject it in 2020:

Since 2005 SHA-1 has not been considered secure against well-funded opponents, as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, attacks against SHA-1 are as practical as against MD5; as such, it is recommended to remove SHA-1 from products as soon as possible and use instead SHA-256 or SHA-3. Replacing SHA-1 is urgent where it's used for signatures.

(Accessed Feb. 2020.)

Since RIPE-MD is structured similarly to SHA-1, we conservatively consider it to be broken as well.

pub fn hash_cutoffs(
    &self,
    h: HashAlgorithm
) -> (Option<SystemTime>, Option<SystemTime>)
[src]

Returns the cutoff times for the specified hash algorithm.

pub fn accept_critical_subpacket(&mut self, s: SubpacketTag)[src]

Always considers s to be secure.

pub fn reject_critical_subpacket(&mut self, s: SubpacketTag)[src]

Always considers s to be insecure.

pub fn reject_critical_subpacket_at<C>(&mut self, s: SubpacketTag, cutoff: C) where
    C: Into<Option<SystemTime>>, 
[src]

Considers s to be insecure starting at cutoff.

A cutoff of None means that there is no cutoff and the subpacket has no known vulnerabilities.

By default, we accept all critical subpackets that Sequoia understands and honors.

pub fn critical_subpacket_cutoff(&self, s: SubpacketTag) -> Option<SystemTime>[src]

Returns the cutoff times for the specified subpacket tag.

pub fn good_critical_notations(&mut self, good_list: &'a [&'a str])[src]

Sets the list of accepted critical notations.

By default, we reject all critical notations.

pub fn accept_asymmetric_algo(&mut self, a: AsymmetricAlgorithm)[src]

Always considers s to be secure.

pub fn reject_asymmetric_algo(&mut self, a: AsymmetricAlgorithm)[src]

Always considers s to be insecure.

pub fn reject_asymmetric_algo_at<C>(
    &mut self,
    a: AsymmetricAlgorithm,
    cutoff: C
) where
    C: Into<Option<SystemTime>>, 
[src]

Considers a to be insecure starting at cutoff.

A cutoff of None means that there is no cutoff and the algorithm has no known vulnerabilities.

By default, we reject the use of asymmetric key sizes lower than 2048 bits starting in 2014 following NIST Special Publication 800-131A.

pub fn asymmetric_algo_cutoff(
    &self,
    a: AsymmetricAlgorithm
) -> Option<SystemTime>
[src]

Returns the cutoff times for the specified hash algorithm.

pub fn accept_symmetric_algo(&mut self, s: SymmetricAlgorithm)[src]

Always considers s to be secure.

pub fn reject_symmetric_algo(&mut self, s: SymmetricAlgorithm)[src]

Always considers s to be insecure.

pub fn reject_symmetric_algo_at<C>(&mut self, s: SymmetricAlgorithm, cutoff: C) where
    C: Into<Option<SystemTime>>, 
[src]

Considers s to be insecure starting at cutoff.

A cutoff of None means that there is no cutoff and the algorithm has no known vulnerabilities.

By default, we reject the use of TripleDES (3DES) starting in the year 2017. While 3DES is still a "MUST implement" algorithm in RFC4880, released in 2007, there are plenty of other symmetric algorithms defined in RFC4880, and it says AES-128 SHOULD be implemented. Support for other algorithms in OpenPGP implementations is excellent. We chose 2017 as the cutoff year because NIST deprecated 3DES that year.

pub fn symmetric_algo_cutoff(&self, s: SymmetricAlgorithm) -> Option<SystemTime>[src]

Returns the cutoff times for the specified hash algorithm.

pub fn accept_aead_algo(&mut self, a: AEADAlgorithm)[src]

Always considers s to be secure.

This feature is experimental.

pub fn reject_aead_algo(&mut self, a: AEADAlgorithm)[src]

Always considers s to be insecure.

This feature is experimental.

pub fn reject_aead_algo_at<C>(&mut self, a: AEADAlgorithm, cutoff: C) where
    C: Into<Option<SystemTime>>, 
[src]

Considers a to be insecure starting at cutoff.

A cutoff of None means that there is no cutoff and the algorithm has no known vulnerabilities.

By default, we accept all AEAD modes.

This feature is experimental.

pub fn aead_algo_cutoff(&self, a: AEADAlgorithm) -> Option<SystemTime>[src]

Returns the cutoff times for the specified hash algorithm.

This feature is experimental.

pub fn accept_packet_tag(&mut self, tag: Tag)[src]

Always accept packets with the given tag.

pub fn reject_packet_tag(&mut self, tag: Tag)[src]

Always reject packets with the given tag.

pub fn reject_packet_tag_at<C>(&mut self, tag: Tag, cutoff: C) where
    C: Into<Option<SystemTime>>, 
[src]

Start rejecting packets with the given tag at t.

A cutoff of None means that there is no cutoff and the packet has no known vulnerabilities.

By default, we consider the Symmetrically Encrypted Data Packet (SED) insecure in messages created in the year 2004 or later. The rationale here is that Symmetrically Encrypted Integrity Protected Data Packet (SEIP) can be downgraded to SED packets, enabling attacks exploiting the malleability of the CFB stream (see EFAIL).

We chose 2004 as a cutoff-date because Debian 3.0 (Woody), released on 2002-07-19, was the first release of Debian to ship a version of GnuPG that emitted SEIP packets by default. The first version that emitted SEIP packets was GnuPG 1.0.3, released on 2000-09-18. Mid 2002 plus a 18 months grace period of people still using older versions is 2004.

pub fn packet_tag_cutoff(&self, tag: Tag) -> Option<SystemTime>[src]

Returns the cutoff times for the specified hash algorithm.

Trait Implementations

impl<'a> Clone for StandardPolicy<'a>[src]

impl<'a> Debug for StandardPolicy<'a>[src]

impl<'a> Default for StandardPolicy<'a>[src]

impl<'a> From<&'a StandardPolicy<'a>> for Option<&'a dyn Policy>[src]

impl<'a> Policy for StandardPolicy<'a>[src]

Auto Trait Implementations

impl<'a> RefUnwindSafe for StandardPolicy<'a>

impl<'a> Send for StandardPolicy<'a>

impl<'a> Sync for StandardPolicy<'a>

impl<'a> Unpin for StandardPolicy<'a>

impl<'a> UnwindSafe for StandardPolicy<'a>

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized
[src]

impl<T> Borrow<T> for T where
    T: ?Sized
[src]

impl<T> BorrowMut<T> for T where
    T: ?Sized
[src]

impl<T> DynClone for T where
    T: Clone
[src]

impl<T> From<T> for T[src]

impl<T, U> Into<U> for T where
    U: From<T>, 
[src]

impl<T> ToOwned for T where
    T: Clone
[src]

type Owned = T

The resulting type after obtaining ownership.

impl<T, U> TryFrom<U> for T where
    U: Into<T>, 
[src]

type Error = Infallible

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>, 
[src]

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.