IETF Logo Mail Archive

[openpgp] Re: Primary Key Binding sigs on authentication subkeys

Daniel Huigens <d.huigens@protonmail.com> Wed, 22 January 2025 16:41 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 995CBC180B45 for <openpgp@ietfa.amsl.com>; Wed, 22 Jan 2025 08:41:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id swtIhs6MWDSN for <openpgp@ietfa.amsl.com>; Wed, 22 Jan 2025 08:41:01 -0800 (PST)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51F18C14F74A for <openpgp@ietf.org>; Wed, 22 Jan 2025 08:41:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1737564059; x=1737823259; bh=AMLYggVRo1pX2mTS8assqB7oQXrlPm+L8eq1dWWQt1s=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post; b=JjIJrFfW9Dsk1aI+ZKTJEGlN2ZVRVD+Stxa96hfjXMLOpLygbow3oBikFAyADGVbZ l7HPciqNdvxUu3OTad3U19tmgtO4yR8Uxk1w0fxmcl0xLExJKEZdbcAMO2Vx+SRBLN uegYxnHQT4mI0nTh2qMWmquClRRHsxRPOyi02mO/jU0XAGEZ21ll07AEZqVi9rxOCf 6DDeB0jMBekZeqhcyZTb3P7PhrBNCqeI/eeeube1/A/NJtcwPkl5ickh8v8OhVzlph I7yzrOg9PEEnyfktLdJo1EMQjzwqTVLlgmFOr3vJELpM87U/6pbDwR1Qu6gB5j8Nyf kdgEJN54bKtSw==
Date: Wed, 22 Jan 2025 16:40:54 +0000
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <HBqO7fta_A4PuuS2EkZ4W5g6SAnzgN38ZYjpGWqgZJHCFqCQUNQ-BAXEHRqa7pwGU5jI7s6XpvGV2ZYLpa6se9e-SJDujNO6yknALtzlAW8=@protonmail.com>
In-Reply-To: <D6B824E8-5559-41FB-8EC4-ACC0C35FAEB0@andrewg.com>
References: <D6B824E8-5559-41FB-8EC4-ACC0C35FAEB0@andrewg.com>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 38a0f18a3908a407554bcbdf97053d3cb3d4e724
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: ROJCTWDNWYUYVKKOUWZENB6Q4OMPJP5J
X-Message-ID-Hash: ROJCTWDNWYUYVKKOUWZENB6Q4OMPJP5J
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF OpenPGP WG <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: Primary Key Binding sigs on authentication subkeys
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/1c2sC0rLoBJRT01JAkH8_Tc7j2Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi Andrew & all,

Thanks for raising this! In the interest of maybe moving this discussion
forward I'll repeat (more or less) what I wrote in the issue :)

Section 2.2 of the spec [1] talks about how to do authentication using
signatures. Therefore, it seems like authentication subkeys should be
included in the category of "subkeys that can issue signatures".

I'm not sure if there's any plausible attack possible when omitting the
backsig check; the only thing I can think of is if you (for some reason)
whitelist the issuer (sub)key fingerprint, and then trust the primary
key & e.g. display the User ID (of the person that supposedly has
authenticated) based on that, which would admittedly be a strange thing
to do, though the spec text might lead you to believe that this would
be sound.

Also, I'm not sure whether anyone actually does authentication via
signatures, or whether it's really a great idea. Nevertheless, since
the spec allows it it seems reasonable to make sure that _if_ anyone
does it, it's indeed secure.

But, if existing keys don't have this backsig, then I suppose we indeed
can't enforce it there. So I would be fine with checking the backsig for
v6 keys only, for example.

---

For what it's worth, our libraries don't really meaningfully support
authentication (sub)keys beyond reading and verifying them; you can't
generate or use them to sign/verify anything, at the moment.

So, unless folks think it's worth changing that, we could also consider
deprecating authentication subkeys entirely, and say that an application
that (for some reason) wants to do authentication using OpenPGP, should
use a dedicated key/certificate, and just use a normal signing (sub)key?

Best,
Daniel

[1]: https://www.rfc-editor.org/rfc/rfc9580.html#name-authentication-via-digital-

v2.35.0 | Report a Bug | By Email | System Status