Re: [openpgp] Clarify status of subkeys with certification use

Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com> Fri, 25 May 2018 15:17 UTC

To: "Neal H. Walfield" <neal@walfield.org>
Cc: Justus Winter <justus@sequoia-pgp.org>, IETF OpenPGP <openpgp@ietf.org>
References: <c37c7f94-edef-7f2d-9151-787112abcbfc@sumptuouscapital.com> <8736yg2gz3.wl-neal@walfield.org>
From: Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>
Message-ID: <abd48445-b93e-99c2-b08e-3c08cb1a4a94@sumptuouscapital.com>
Date: Fri, 25 May 2018 17:16:42 +0200
In-Reply-To: <8736yg2gz3.wl-neal@walfield.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="aiYffyeH6LkU3EXxqMqb8HFiaXZwlU8Fn"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/2kyGbnWFBQAOmUAM1q8CloP3_7Q>
Subject: Re: [openpgp] Clarify status of subkeys with certification use

On 05/25/2018 11:59 AM, Neal H. Walfield wrote:
> Hi Kristian,

Hi Neal and Justus,

> 
> Justus and I have been thinking about how to realize per-device keys
> and approximate forward secrecy.  These two things are related: if we
> want devices to do their own key rotation (and I think this is
> sensible, as the alternative is to somehow regularly transfer secret
> key material to each device), then the devices need to be able to
> generate self-signatures.  Since we don't want all devices to have
> access to the primary key, each device could have its own
> certification subkey.

Wouldn't you anyway break the per-device nature if using this
certification subkey to sign a third-party keyblock, and the loss of one
of the devices impacted your validity calculation across the ecosystem?

Using this in such a per-device nature also seems to require rather
special attention from the user/client; I could easily imagine ending up
with a web of cross-signatures across multiple devices here.

On 05/25/2018 11:59 AM, Neal H. Walfield wrote:
> Consequently, please do not remove certification subkeys from RFC
> 4880bis.  If anything, I would prefer that RFC 4880bis clarifies that
> certification subkeys should be supported.

If we are removing it, and not just making the current state more precise :)

In any case, I'm not sure if this is a use-case I favor much personally,
but it is an interesting concept, so thanks for bringing it up for
discussion.

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"Statistics are like a bikini. What they reveal is suggestive, but what
they conceal is vital."
(Aaron Levenstein)
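As an added illustration of the validity-calculation concern raised in the reply above, the following toy model is constructed for this page; it is not code from the thread, from RFC 4880bis, or from any OpenPGP implementation. It assumes a simplified rule, namely that a third-party certification counts only while the key that issued it is unrevoked and carries the certify key flag (0x01 in the Key Flags subpacket), and it uses made-up fingerprints such as "ALICE-LAPTOP". Real implementations differ in how they treat signatures made by a key that is later revoked, so the exact outcome is a modelling choice, not a statement about any particular client.

```python
"""Toy model: what happens to certifications issued from a per-device
certification subkey when that device is lost and its subkey is revoked.
Constructed example; no OpenPGP packet parsing or real trust model here."""
from dataclasses import dataclass, field

# Key Flags bits from RFC 4880 section 5.2.3.21 (only the ones used here).
CERTIFY = 0x01   # this key may be used to certify other keys
ENCRYPT = 0x0C   # encrypt communications (0x04) + encrypt storage (0x08)


@dataclass
class Key:
    fpr: str          # constructed placeholder fingerprint, not a real one
    flags: int
    revoked: bool = False


@dataclass
class Cert:
    """A certificate: one primary key plus the subkeys bound to it."""
    primary: Key
    subkeys: list = field(default_factory=list)

    def all_keys(self):
        return [self.primary, *self.subkeys]


@dataclass
class Certification:
    """A third-party certification over (target primary fingerprint, user ID)."""
    issuer_fpr: str   # the key that made the signature (primary or subkey)
    target_fpr: str
    user_id: str


class Keyring:
    def __init__(self, certs):
        self.certs = {c.primary.fpr: c for c in certs}
        self.certifications = []

    def key_owner(self, fpr):
        """Return (certificate, key) for any primary or subkey fingerprint."""
        for cert in self.certs.values():
            for key in cert.all_keys():
                if key.fpr == fpr:
                    return cert, key
        return None, None

    def certify(self, issuer_fpr, target_fpr, user_id):
        _, key = self.key_owner(issuer_fpr)
        if key is None or not (key.flags & CERTIFY):
            raise ValueError(f"{issuer_fpr} is not a certification-capable key")
        self.certifications.append(Certification(issuer_fpr, target_fpr, user_id))

    def certification_valid(self, c):
        # Assumed rule: the issuing key and its primary must both be unrevoked,
        # and the issuing key must still carry the certify flag.
        owner, key = self.key_owner(c.issuer_fpr)
        if key is None:
            return False
        return not key.revoked and not owner.primary.revoked and bool(key.flags & CERTIFY)

    def valid_certifiers(self, target_fpr, user_id):
        """Sorted issuer fingerprints whose certifications currently count."""
        return sorted(
            c.issuer_fpr for c in self.certifications
            if c.target_fpr == target_fpr and c.user_id == user_id
            and self.certification_valid(c)
        )

    def revoke_key(self, fpr):
        _, key = self.key_owner(fpr)
        if key is None:
            raise KeyError(fpr)
        key.revoked = True


def scenario():
    """Alice certifies Bob from her laptop and Carol from both devices; then the
    laptop is lost. Returns (certifiers before, certifiers after) per target."""
    alice = Cert(Key("ALICE-PRIMARY", CERTIFY), [
        Key("ALICE-LAPTOP", CERTIFY),   # per-device certification subkey
        Key("ALICE-PHONE", CERTIFY),    # per-device certification subkey
        Key("ALICE-ENC", ENCRYPT),      # ordinary encryption subkey
    ])
    bob = Cert(Key("BOB-PRIMARY", CERTIFY))
    carol = Cert(Key("CAROL-PRIMARY", CERTIFY))
    ring = Keyring([alice, bob, carol])

    ring.certify("ALICE-LAPTOP", "BOB-PRIMARY", "bob@example.org")
    ring.certify("ALICE-LAPTOP", "CAROL-PRIMARY", "carol@example.org")
    ring.certify("ALICE-PHONE", "CAROL-PRIMARY", "carol@example.org")

    targets = {"BOB-PRIMARY": "bob@example.org", "CAROL-PRIMARY": "carol@example.org"}
    before = {t: ring.valid_certifiers(t, uid) for t, uid in targets.items()}
    ring.revoke_key("ALICE-LAPTOP")   # the lost device
    after = {t: ring.valid_certifiers(t, uid) for t, uid in targets.items()}
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("before losing the laptop:", before)
    print("after revoking ALICE-LAPTOP:", after)
```

Running it shows Bob's user ID losing its only certification when the laptop subkey is revoked, while Carol keeps the one made from the phone: a third party's validity calculation changes depending on which of Alice's devices issued the signature, which is the coupling across the ecosystem the reply above points at. Attempting to certify from the encryption-only subkey raises ValueError, which is the key-flag check a client would be expected to apply before issuing such a signature.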