Re: [openpgp] Web Key Directory I-D -07

Bart Butler <bartbutler@protonmail.com> Thu, 15 November 2018 20:49 UTC

Return-Path: <bartbutler@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADD21130DE4 for <openpgp@ietfa.amsl.com>; Thu, 15 Nov 2018 12:49:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTIpy1doFXsJ for <openpgp@ietfa.amsl.com>; Thu, 15 Nov 2018 12:49:23 -0800 (PST)
Received: from mail4.protonmail.ch (mail4.protonmail.ch [185.70.40.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2467B130DD8 for <openpgp@ietf.org>; Thu, 15 Nov 2018 12:49:23 -0800 (PST)
Date: Thu, 15 Nov 2018 20:49:09 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1542314955; bh=0lLENDs9Ufj4SVqihaFqzMh5ihqvuPsYsQ1VQbqBMhs=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=jVc7vkVWWVw/nGDGo/sk+aAkNMwGiM1awsqtVD1nh4fbC1HltOQEgw7CBsNp/+Q5E sHFpjXYcuM4IU/VhgniThRb4Zj1ZrxD6Dc4s/qPPeGhWnT7k1czvmRJ+5dO/WvBUZW JM6FqJ2L9tM4Fl9w1Y7Z9hitmMqTzeI0ktTSjKbE=
To: Benjamin Kaduk <kaduk@mit.edu>
From: Bart Butler <bartbutler@protonmail.com>
Cc: azul <azul@riseup.net>, "openpgp@ietf.org" <openpgp@ietf.org>
Reply-To: Bart Butler <bartbutler@protonmail.com>
Message-ID: <PeruptDkIor0qwV7S32cKc0e6aezVsIn5Gh9f-Hyp5AdiGdpzPPRs4pAeXZSK1TmaFP2WW45V2K6X0UHYWDHGA==@protonmail.com>
In-Reply-To: <20181115194235.GH70453@kduck.kaduk.org>
References: <878t1xoz37.fsf@wheatstone.g10code.de> <9J2v287mmh9FWFLrXjxZGnVjA8HNCHpPc2wyEDDqhGeKAhE7grR6JKFMRoHJfKSq9qcjDGRNfoJ5sEODERtP0Q==@protonmail.com> <alpine.LRH.2.21.1811141020570.2540@bofh.nohats.ca> <20181115030305.GA14179@osmium.pennocktech.home.arpa> <20181115045743.GE70453@kduck.kaduk.org> <a7263dab-9949-4a75-bd81-9db0dbad0ab8@riseup.net> <20181115194235.GH70453@kduck.kaduk.org>
Feedback-ID: XShtE-_o2KLy9dSshc6ANALRnvTQ9U24aqXW2ympbGschdpHbU6GYCTUCtfmGhY9HmOyP1Uweyandwh1AVDFrQ==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha512; boundary="---------------------bc3ef92795a195af892783d4e3f352ee"; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1Ft_1qJmansqksPhCjooHikYPwQ>
Subject: Re: [openpgp] Web Key Directory I-D -07
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 20:49:26 -0000

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, November 15, 2018 11:42 AM, Benjamin Kaduk <kaduk@mit.edu>; wrote:

> On Thu, Nov 15, 2018 at 10:16:55AM +0100, azul wrote:
>
> > Hi,
> >
> > > > Thus if presented with a new address test+foo@spodhuis.org and needing
> > > > to get a key for it, with Bart's proposal, the MUA and the OpenPGP
> > > > client software can make no assumptions. It must not normalize anything
> > > > to the left of the '@' sign. But the MUA can use WKD and get back a key
> > > > for test@spodhuis.org; the software can then record a mapping of
> > > > test+foo@spodhuis.org -> test@spodhuis.org in OpenPGP recipient key
> > > > selection preferences. When later sending email to
> > > > test+foo@spodhuis.org, the SMTP transaction proceeds unmodified: the MUA
> > > > does not rewrite the recipient, you have to preserve the address
> > > > as-given. The remapped OpenPGP key selection proceeds as suggested
> > > > though. If sending email to test+bar@spodhuis.org then another WKD
> > > > lookup needs to be made. (Future work might look at protocols for
> > > > indicating patterns to avoid repeated lookups).
> > > > I'm probably confused, but is this implying that WKD would insert a new
> > > > "lookup" operation such that a compromised WKD could cause me to encrypt a
> > > > message to an attacker-controlled key (with different UID) when I am trying
> > > > to encrypt to a non-attacker peer?
> > > > As far as i understand the compromised WKD could easily send you
> > > > an attacker controlled key with a valid UID as well.
> >
> > Why would the different UID make the attack any worse?
>
> It seems like there's a transparency difference --if the WKD gives me a
> totally spoofed key (valid/expected UID but attacker-controlled key
> material) then that key could/should be on the keyservers, and the actual
> holder of that UID can notice it and take action. If I as the WKD consumer
> get wholly redirected to the attacker's real key/UID, the actual intended
> recipient doesn't have any way to discover that there was an attack.
>
> -Ben

The MUA could always have some kind of warning in this situation if the UserID match isn't recognized ("recognized" matches could include subaddresses, etc. but would be at the MUA's discretion). I'd leave this up to the MUA implementation.

-Bart

>
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp