IETF Logo Mail Archive

[Openpgp-dt] OpenPGP Design Team notes 2022-04-12

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 April 2022 15:12 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp-dt@ietfa.amsl.com
Delivered-To: openpgp-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E105D3A1721 for <openpgp-dt@ietfa.amsl.com>; Tue, 12 Apr 2022 08:12:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=zWByOolg; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=fSxCDs+f
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xEEOfoEcHu9R for <openpgp-dt@ietfa.amsl.com>; Tue, 12 Apr 2022 08:12:23 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 715EB3A1785 for <openpgp-dt@ietf.org>; Tue, 12 Apr 2022 08:12:23 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1649776341; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=uNG71wuOEWCQ5eGgrdLmsGNTQWihEgGNP99KNvbA8D4=; b=zWByOolgZ3qDn0UioLte7AX2eeekS08FRn8YdPfFcAwtGLzeGpiQpy6cT3YLlskiuv0sl cVSLmsBg1lk/M9eCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1649776341; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=uNG71wuOEWCQ5eGgrdLmsGNTQWihEgGNP99KNvbA8D4=; b=fSxCDs+fYU8684aNU2xWS4Ti6vwxLKrzh6Y9x68ikQLmBCqJLnr45gOCEYXO0Mlf9ct+6 izTORYSp6FSZgV+uwP7ksADCU6xmUx8GJgv44F1tM3GAIpcvQAlpRvICCjm7RtVIO+jDEN4 3W0q1U1C+HLs7ogrnQwMsL54eZR4Nj6M/tWKIA7hG5fnUNUgDO3NufNwYb5KiJplHYQEbLF LDx9HK05VgX2FWjdXGE2qSuE1T7+H768eCjpp1jYJMckauhdHOY18/t3q3NH0n1SEtFUJQz dGx698hAa0WMSP5K0ddTpN19EpbQwh6urBAci7ChBi/wh0S1Gn5P2KrY+JHA==
Received: from fifthhorseman.net (2603-8000-df00-593c-0c5d-9165-325b-66aa.res6.spectrum.com [IPv6:2603:8000:df00:593c:c5d:9165:325b:66aa]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 6E313F9B1 for <openpgp-dt@ietf.org>; Tue, 12 Apr 2022 11:12:21 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id E964F204DC; Tue, 12 Apr 2022 08:12:16 -0700 (PDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp-dt@ietf.org
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 12 Apr 2022 08:12:15 -0700
Message-ID: <874k2ymj3k.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp-dt/RpHXID3TDb0fNs-0piMfcJblCaI>
Subject: [Openpgp-dt] OpenPGP Design Team notes 2022-04-12
X-BeenThere: openpgp-dt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OpenPGP working group design team <openpgp-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp-dt>, <mailto:openpgp-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp-dt/>
List-Post: <mailto:openpgp-dt@ietf.org>
List-Help: <mailto:openpgp-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp-dt>, <mailto:openpgp-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 15:12:29 -0000

# OpenPGP Design Team Meeting
## 2022-04-12

Present:

  * dkg
  * stephen
  * justus
  * daniel h

# Agenda

# actions from IETF-113
  - meeting minutes https://datatracker.ietf.org/doc/minutes-113-openpgp/
  
  ## "Action on chairs: Start thread on mailing list to discuss whether people prefer the changes to modes of operation in -05 or Werner's proposal." - Stephen will try craft a mail on this and run it by DT/Werner before sending to WG list
  ## "Action for chairs: Start thread on the mailing list to discuss preference between a) the tentative proposal for v5 keys (see above) or b) the status quo (possibly better documented)." DKG to craft mail to WG list on that.
  ## "Action: Chairs: Create a thread on this topic (use of sha1collisiondetect as opposed to SHA1)" DKG to craft a mail to WG list on that.
  
# DT timing...
  - we (still) have a bunch of MRs (20 open now) and issues (49), how do we get to done before the universe cools?
  - we'll again ask the DT to do a full trawl of open MRs/Issues, express opinions and esp try to make issues closeable
  - we don't aim to close all issues before we're done (e.g. some will be for potential future work)
  - chairs need to ask Paul W if he still has bandwidth for merging stuff or if he needs help
  - we'd like a deadline: 
    - we'll plan to meet some more (2-3 hours) in the week leading up to the deadline, chairs will do polls for slots that work for DT folks
    - the deadline: 2022-05-13 (implies actions above have similar timing)
  - the GOAL: another draft after that and then WGLC
  
# Risks to interop:
   https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/107
  - Tricky issue, maybe goal here is just that those implementations don't reject message but treat v5 sigs as broken (possibly via ickky cheating as was done with tls versions)? Or, perhaps we do need allow v5 keys produce v4 sigs (sometimes)?
  - Might imply we need better guidance as to what to do when you have both v5 and v4 keys in-play
  - proposal A: give a deadline for having patches for all listed implementations, 
  - proposal B: invent a new way to transport a v5 signature as though it was a v4 signature
  
  We're hoping to get to the patches (A) in a reasonable amount of time.  if not, we can consider (B).
  Legacy implementations still can't reply to a v5 cert, so we expect people to stick with v4 keys for a while.
  Action: identify patches for each existing implementation.
  
  Another outcome of this: certificate lookup mechanisms by e-mail address need to be modified to permit multiple certificates per address.  at least one per primary key version; perhaps one per primary key algorithm?  Concerns about "ghost proposal" key injection for allowing inclusion of arbitrary keys.  What should a recipient do if they receive multiple keys?  use the first key that they can interpret?  use them all?
  
# more discussion around multiple encryption subkeys

there are legitimate reasons for people to want multiple encryption-capable subkeys on their certificate, where each message is encrypted to each subkey?  There are also legitimate reasons for a keyholder to have multiple encryption-capable subkeys where the keyholder wants users to prefer one over the other, but not to encrypt in parallel.  Most current implementations do not encrypt to all encryption-capable subkeys.  Should the keyholder signal their intent?  if so, which way: as a desire for parallel encryption (single encryption is default) or as a desire for single encryption (parallel is the default)?

## Fingerprint vs. wire format key ID

dkg: the spec doesn't need to have a fingerprint for v5 keys at all.  I can make a provocation MR that demonstrates this (e.g. key identifiers within a signature can use the same digest that the signature uses).  The point is that what we've been calling "fingerprint" is used in many places, and they do not need to all be the same thing.

## ECDH KDF params

stats:
https://gitlab.com/sequoia-pgp/sequoia/-/issues/838#note_909813463

proposal: identify the most common KDF parameters for each known ECDH curve, and document them in the spec.  New ECDH keys with that spec MUST use the documented params.

v2.23.0 | Report a Bug | By Email