IETF Logo Mail Archive

Re: [openpgp] Clarifiction on v5 signatures

Wiktor Kwapisiewicz <wiktor@metacode.biz> Fri, 26 October 2018 11:19 UTC

Return-Path: <wiktor@metacode.biz>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15A37130DDA for <openpgp@ietfa.amsl.com>; Fri, 26 Oct 2018 04:19:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=metacode.biz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCVpioWbn2nG for <openpgp@ietfa.amsl.com>; Fri, 26 Oct 2018 04:19:40 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9A6B130DD7 for <openpgp@ietf.org>; Fri, 26 Oct 2018 04:19:39 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id u18so620443lff.10 for <openpgp@ietf.org>; Fri, 26 Oct 2018 04:19:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=metacode.biz; s=2017; h=to:references:from:openpgp:autocrypt:organization:cc:subject :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=6JVpeQirp31pCMIJn+ZVNJgbpXZdXp/JiLGF3xe4wG8=; b=p4HG09dVSZMecrlVEmayWWbcP4zJ5zQ1Jup9pWFIK1iCGvqMrFST1ow6wFptIS6BVO jNWAgy4vrhOmOM2/qFSW5opQtXNIbYeGHMxYXK7Gm+B4LSWu33PPGLBBkCpDYbjdBeyi H25m2NaKZaK5vOcgzNt3dvsqtT7lwWlF0rNPOCEqy5KVw/E26gCJZDvCsX7KMhjkqvEI yqITJTm7YWRny0r73yENU7EQ7NP+Q40o7aT5bCL/DN7TvrCkuD8UmPaFMdI14AHPvddF 9uQGhI/+cXP3fg/OID3QPeVpSr9Xiyph1bqZtntWmHNS6HkwamYz07KNHcJiiXuWP5vY 1Z7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:references:from:openpgp:autocrypt :organization:cc:subject:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=6JVpeQirp31pCMIJn+ZVNJgbpXZdXp/JiLGF3xe4wG8=; b=fBsOBU8PwiFP1zkP93RoJ0yHMLEhsAO0GT2KyV4kwU5h9YK74pC5pISiau8+c7tu3Z NpmXmXAqfKNcr4kKYnBmjIwAEJteG2iVnh5AGfm2C4LWz6lQ9MXrU4aRg+R1+5lqbjvU ur8ppf6BWxEhNHQOafFhTbDdp6I59TBDsSAKDi7hxvo49m55FGK+89w5aRDZXRrj+KeT HCC/0MWlBFIeR/coCqDj54aTieYyjJk2fhf+0Iv2AacJyGdqN0GCBX8W0yCEOJiTd7Nf +sYBSwYADER5mIaD1m8A0H422GpZmlMiLcNBBYS9f2zi4v4tHFhnk2wlGvqAV9Y6pR+V Nf7w==
X-Gm-Message-State: AGRZ1gLWH5xaM0SI5kWhklTh7W2EyvgBheXlg9C432licirXidbJhexi Z/Okxh6ZD7QWslIhdhJtxuQf8ALaMqI=
X-Google-Smtp-Source: AJdET5foKcztxl+kCYp9XrrLj6ZZr/Yvw5FSFX0rgF5gyEPdnKsq5E+huIF2aRseSd/DZ+1znS2VTw==
X-Received: by 2002:a19:4948:: with SMTP id l8-v6mr1876551lfj.16.1540552776960; Fri, 26 Oct 2018 04:19:36 -0700 (PDT)
Received: from ?IPv6:2a02:a317:4e3d:4680:f6ed:4b3c:7510:34c3? ([2a02:a317:4e3d:4680:f6ed:4b3c:7510:34c3]) by smtp.googlemail.com with ESMTPSA id k18-v6sm1524052ljk.58.2018.10.26.04.19.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Oct 2018 04:19:36 -0700 (PDT)
To: Werner Koch <wk@gnupg.org>
References: <877ei9szyc.fsf@wheatstone.g10code.de> <dda2d47e-b06e-cd6c-9bab-d8f30149c2ad@gmx.net> <87mur2nyt6.fsf@wheatstone.g10code.de> <f2770475-3b73-3849-33cf-91aaf52c1999@metacode.biz> <87tvlam1iz.fsf@wheatstone.g10code.de> <d9ece307-8153-24ce-2de4-07792e3c1ffb@metacode.biz> <87lg6lm2w8.fsf@wheatstone.g10code.de>
From: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Openpgp: url=https://metacode.biz/@wiktor/openpgp/key
Autocrypt: addr=wiktor@metacode.biz; keydata= xsFNBFhoYHoBEADzmg9UuwDrtvyejU01gDY1J1iJiCi4XGJ4lCfYeLC2jSagIxU/5Lu0lRft 0Loi2tsjpo0c8docP7HFxafEEvnnt/iabd6I536llMuw0uno4PgnD3ljcCMZLT+vn+amIDta lzVoMnSqzoNUotMNMtjIFuAaQ/wr4/Mp9CIgJdviGUc3PscqUiiUVVtk6uF0x657NULZgSIT /Mrqlr2i4RuyPwXe2Qt0uEA3KWWjF0l2NpAMVrqz+nHsLoNOaAsfdx94bzKQrrSeSQqEO2f+ /eO/hbUAFAmEhrotmUO8wJNygo8TgkdlzFI+UE4p8/KW0aCgGGgR8YkCvHq2OQhAAYFNJoNz Hqw0FGxdsY8qWFkYpoSB8zKspNy8KliofCamMYXoPF7eVIxIiKvxrAykGP4jNnzSoV0cn+bY fXnox1IhnqbnoJIT7kTmXv4JmWoYm8ThHqpEgcQOUUQzSRXb9OiNwiXT71ijeO1qswMRpsgk 6AGKSZGWxa3c4ive/p8z1Ax27BFZSh2FceIcMCcGLrDjnQYgeFsAJ1jSxZQXkGuJFHfb4nff Big7aq/vyKrQFQXG0NQQL7rZAdk/s665vifos0yPmRDu7yDT1ggdyBp4Pa4re+ZJcNRNzNHo zU9al+CoImCQjnTtKMXmOe/BzGrpHI4QR3NNzVa423WCIWkHfwARAQABzSlXaWt0b3IgS3dh cGlzaWV3aWN6IDx3aWt0b3JAbWV0YWNvZGUuYml6PsLB7gQTAQoAmAIbAQgLCQgHDQwLCgUV CgkICwIeAQIXgHMUgAAAAAAqAEB0aW1lc3RhbXArYml0Y29pbi10cmFuc2FjdGlvbkBtZXRh Y29kZS5iaXphZmNiMDkyYzVjYTY0MDk1MjZkMThhZTljZjIyZDNiNTVkMzdlNzIzZWIxYjc0 ZTNmODRmN2U2YjA1MmExNjJhBQJaLoPdBQkDwPuGAAoJEGyIV+DY6PB0CNkQAKGTFHzG4YO6 yne5jfMlGcF8JUYq0EGHE9DRK6oAyGo+1TGFbf1bS4wULvA6LFBOLd+aI7uuN062kDdtHVUf 0S0AZ9ByjIBdQJsqx47W6uXsRX/pB0a70QqS6NbS3AL/fdwZOj/TBk8bdsfg7Z+hH+ykMcOs EYLmdMLmrqYgl9EyP4FmsnU9H8x4yKp0/Kv4BQYfjn68CFvyM2NQU3MR/H3sqvM/uY5AJwTp A8X1ZbN8pjZO5YRTiQtMrXekNzhP3p0ep1+cu2UxQO6jXV6Sjdm8D8RJzGaxCuhN/VhLNSvh cb2T5sejBAhU8JmKNle4+z5wZWB4bl5Dfkg1NpSEEdv7so+KXCnszo89UJJijlfgBFtm5WjK u7gCR8CVOeGQwQolEzi18zihCwRy1rg/xKokk7q6ZBEvxM1sBYNd81mi1PgrNwgH4jPULfQk UJtU7HLRVNLbnrIyEQbLOJegBLaWHgR4T69blBGg1oqiq/1PHnZuJauZhhNEAViX42VKJP1z w6PIfvbjg27wf4OjEDtVVXCrxqqljHRilagFQHGlU+iF6Ii2C3pNod11+lqJC0riFylxK/wu zHpoZdFg10gqMWIE2Exm7nJ6ToKv5kZqKC97mWrmh6FFEr6HmjDDuo+N4RER3VGj0dSey5nc eFQ2vry17IGN1ljV9TiARDgizsBNBFs/lS0BCAC5oX3r3luF7czMF8UFxJz55XuvNRs4tEjo Hzqcqoe4+RJyfNDtspgevYIq1WTKw/H3ZYsd2wZpkM3I+BJn9eeHZKs77qXQZGN5PBB65rZo LjMx+qHa6wH4lIYMYW7eB9HHMsT/5E3ILBSRzZIwJimd/QdIMKSrJ5mPMkAd+9+xob5zKHO5 L5pbQtJSGS0m17/hA0kCTLI885hLtT3JsI/KWwuAYDrTwsayzh/hG/NgdA3I8xlrQCLC0EFJ oxHkN9tCyXeKPlrIPYyMB1jHTo1iNV0CQGpk+zf6DA/ySGfJxd30ksJZ8y5qxD43zS0YffYM C01CeuqPoGZ2Fy9VxhODABEBAAHCwXwEGAEKACYWIQRlOQmi8ON8EG9fr1RsiFfg2OjwdAUC Wz+VLQIbDAUJAeEzgAAKCRBsiFfg2OjwdKQ4D/wIb8s2Tw8MhbbwASutzTwg3g3KReDRHgSz z7RJtePIM8HC6qm9++9sxoqww7qm35vb604HtMRORYmfXgVSocsYg/eAk8LoBVfCZidDVBia /i/dYx/8LHeX/0PqPluSusQh64BFUoVetUCP+kISbK8vgDt4HfDSgtenC5lpTAdk257A84p2 zDnUtVr8XNv09m7ASft6Wh5Wrn+aWlJrf6T6eysk9OIw8VpSuq0oG3vcEoTbHKJN8TDliPUc QVz5Qti0tgB40PLrqOpTdENdxbiaUNFpHm3Tkk+n7CEFcOayFvy5vU6Nih0hu+LFC2XHzQRw sLnuQ2EilWtXRulcwvFo6A3Vp+gidxc6UwC+LBFJjvDMv5hmsdhSm08r2hd2k61oL6NCGVB3 fxuJT85UHsEC04N72Fa26+Spkh3DtJMrKqJlBBas7oJYh6644DB4rccd6VT3n7Zv1pd2uIWv gjORztfBzRJEysOeHoNpr4hEocg62beu9cnGHpYB9j3mhv+E2IYPnJKqit18G7xb7QnyQU7L YfctLO0GLNdTBavWJggHPzUp09vb3uGS3dMdAYbWTBtnXttkdYuLx/oCe1LVUQYotsX7s83V kVc2n6xzrcaebmgoFtGUfUmOV0U0xbqv6Mxg27qctYh1QidvRyt0xqGA0Qhz/vvoQdfQeMlO Tg==
Organization: Metacode
Cc: openpgp@ietf.org
Message-ID: <486d2345-69c1-c329-d887-f164b5dc90d4@metacode.biz>
Date: Fri, 26 Oct 2018 13:19:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <87lg6lm2w8.fsf@wheatstone.g10code.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/-8AIbDWCEixCF71YixYayL8cVSg>
Subject: Re: [openpgp] Clarifiction on v5 signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2018 11:19:42 -0000

On 26.10.2018 12:13, Werner Koch wrote:
> On Thu, 25 Oct 2018 19:01, wiktor=40metacode.biz@dmarc.ietf.org said:
> 
>> Oh, got it, I'll try to find the previous discussion. The second octet
>> key flags (ADSK and timestamping) look really interesting but the
> 
> The ADSK (Additional Decryption Subkey) is an idea of mine on how to
> ease ease encryption to several devices.  You would install the separate
> private subkeys on each device and if the sender supports the ADSK it
> would encrypt to these subkeys.  This is similar to what OpenKeychain
> does but a more selective approach.  OTOH, I am not sure whether one can
> find a threat model where such a scheme would be useful.

I think that would be useful to allow creating encryption subkeys
directly on the hardware token (of course with having a backup
encryption subkey on an offline computer too!).

That way when one hardware token is lost one would revoke only the
encryption subkey that was on that token.

This scheme is currently possible only with signing subkeys, ADSK would
extend the idea to encryption subkeys too.

(I assume changing GnuPG behavior to align with OpenKeychain is not
possible due to backwards-compatibility issues?).

> We also have 2 other flags (group key and split key) which are also not
> well defined, so the ADSK does not hurt too much.  I have no problems to
> drop that flag, though.

Split key (0x10) looks like a good way to implement separation of duties
(where multiple people are needed to use the key). I don't think this is
possible in OpenPGP now.

Thanks for the flag details!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

v2.23.0 | Report a Bug | By Email