IETF Logo Mail Archive

Re: [openpgp] User ID Attribute Subpacket

Justus Winter <justuswinter@gmail.com> Mon, 04 March 2019 15:03 UTC

Return-Path: <justuswinter@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8647131128 for <openpgp@ietfa.amsl.com>; Mon, 4 Mar 2019 07:03:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZIue29YOnOT for <openpgp@ietfa.amsl.com>; Mon, 4 Mar 2019 07:03:06 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C080E131157 for <openpgp@ietf.org>; Mon, 4 Mar 2019 07:03:05 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id h58so4501809edb.5 for <openpgp@ietf.org>; Mon, 04 Mar 2019 07:03:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dFJTbotGg8PnrCLCKNvJsScTYNleXRTZrjEtuYLxgoc=; b=KNhCXZxXPV7IwcpHWmMTVb4J377SbpdutKUibKxZ4HjQ2a8IXBnGgzv9xojNX1t0JJ Da60kRSkU0RHJ34Fn1P4k7+ATT+ZUQ5fUy1hdlVYZQ2gTqbRlJXgvNqQKxvpCPfJjXIO 5p3H8Sd9VDvWtSsTzjupEqmXOPOOksUhRUf4uCOP3Mn+TumNFUU+RIhY4etATRPmIMzJ b8wPEMEMMoR8NRlPxNZWwtZQQHZ15c52ibW0IM3m5g4ekBHmcny51o3MOT+dCtsGJro9 N9kOXItfK00u0z14aWMmmw3HJ4cT0dgx39/WgDOARfeG6LeQ6ts10pbofpQNcia92M2I aSFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dFJTbotGg8PnrCLCKNvJsScTYNleXRTZrjEtuYLxgoc=; b=t12gOFktRE/fk1gSia3mlQEJuTKNMRogTQYYepwAShCJACC56mF7FobgshTTAhonAY 3zo5QdL5ffligvLUUpQpNJWOpJkbfj0sJcjz+dcDVyV9bwZY7WZdERDzqjSMIwbT1uKh vQGE7qzu3Qtl4gpXDe82IHyH/cn1o5bpWcrmlOnQc3091qzzIEGubRwwCtYa6PImId3l oBv5Fiw2znoJ0xRdBcWIINVIGiIXnOTfDwbaAyOTphtG8JfnhHpVxkKDN9DyiS56Nz3x DyvQMqNC3n7qW/7FeH9op0CRV7pxfsFL9T5DpfXbJpBPuMWya/BfcCtemA1jEiIIG6kI bt+w==
X-Gm-Message-State: APjAAAXP7a8pPSwK+jhvsdWPC+8uo0dqkGZg5VPUaFY24ojlD3L12LLX AyCc3KmZ9/LaolVTttXHGqQQkJQNJElN/rNFRjg=
X-Google-Smtp-Source: APXvYqyadaTp8iqeXo1asxWr5vXDGZgX4MTgUYI6CinK23Qh3d1Ii8DEscxvfiCbh5kt1OC3n/NfmrTE05RtTnagOXg=
X-Received: by 2002:a50:adc7:: with SMTP id b7mr15960189edd.280.1551711783434; Mon, 04 Mar 2019 07:03:03 -0800 (PST)
MIME-Version: 1.0
References: <CA+t5QVsS871zG30dhW_GZ9ALq8bDASD-D3p0YQp9iGJEXUddmA@mail.gmail.com> <d34d0310-2851-dc4b-b5b3-79c7ec530e73@metacode.biz> <CA+t5QVsTATuw4pRhEdMOogh3YA237Rd2zOzzX3B3tZL04tfE0w@mail.gmail.com> <d7bf74c8-8415-da7a-4bf9-5bd455fb657e@metacode.biz> <sjmwolu30jc.fsf@securerf.ihtfp.org> <CA+t5QVuUEjR+6KmzPQJOZXaq3NhavMHa=qTMd8dQwdcT=2dwQQ@mail.gmail.com> <546b32d041f2cd0227aaa737f8841b26.squirrel@mail2.ihtfp.org>
In-Reply-To: <546b32d041f2cd0227aaa737f8841b26.squirrel@mail2.ihtfp.org>
From: Justus Winter <justuswinter@gmail.com>
Date: Mon, 04 Mar 2019 16:02:48 +0100
Message-ID: <CA+t5QVuWOpQ0=9=iZFrcTaH0b=O76vYuD0hXsKz3yj9kbQkEjg@mail.gmail.com>
To: Derek Atkins <derek@ihtfp.com>
Cc: openpgp@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/51DeCO8jXvaKKzZiq1sKev-aZNw>
Subject: Re: [openpgp] User ID Attribute Subpacket
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 15:03:16 -0000

On Mon, Mar 4, 2019 at 3:38 PM Derek Atkins <derek@ihtfp.com> wrote:
> On Mon, March 4, 2019 5:38 am, Justus Winter wrote:
> > Sorry, this makes no sense at all.
> >
> > On Wed, Feb 20, 2019 at 5:08 PM Derek Atkins <derek@ihtfp.com> wrote:
> >> 2) The reason for the User ID Attribute subpacket was that we wanted to
> >>    have multiple Attribute subpackets included in the certificate in a
> >>    primary signature, but this was not possible with 4880.  My memory is
> >
> > User Attribute subpackets are not in the signature, but in the User
> > Attribute
> > packet.
>
> Please re-read what I wrote.  Note that when I say "in the signature" I
> mean "protected by the signature."  This could also be read as "included
> in the hash that is signed."

Given that in OpenPGP, Signatures have Subpackets, and your proposal
is also about adding notations, which is stored in said subpackets, "in the
signatures" is too ambiguous to discuss the matter.

> Also, if you read draft-atkins-openpgp-device-certificates (even though it
> expired), it explains this in gory detail:
>
>    RFC 4880 section 12.1 defines a v4 Public Key Format as a sequence of
>    packets starting with a Primary Key and then a sequence of packets
>    and subpackets that add Revocations, User IDs, and Signatures.
>
>    The description in RFC 4880 requires a User ID.  Implementors of this
>    specification can loosen that requirement such that an augmented V4
>    device certificate looks like the following sequence (no longer
>    requiring a User ID packet):
>
>            Primary-Key
>               [Revocation Self Signature]
>               [Direct Key Signature...]
>               [User ID [Signature ...] ...]
>               [User Attribute [Signature ...] ...]
>               [[Subkey [Binding-Signature-Revocation]
>                       Primary-Key-Binding-Signature] ...]
>
> The issue at hand was that you cannot make a single signature that covers
> both a User ID packet and a User Attribute packet.  Moreover, the format
> REQUIRED a User ID packet, which meant that if you wanted to sign a bunch
> of User Attributes you HAD to have TWO signatures in the certificate.

I support dropping the requirement of a UserID or UserAttribute packet.

> My goal was to reduce that to a SINGLE signature by allowing the User ID
> to exist as a User Attribute Subpacket.  This would let you use the User
> Attribute signature type and include a User ID (attribute subpacket) along
> with additional attribute subpackets all protected by a single signature.
>
> > The only thing that having UserID subpackets for the User Attribute packet
> > is that you can have multiple userids bound by one binding signature.  But
> > that is a feature that I dislike, because then we can no longer strip down
> > TPKs so that they only include a subset of the userids, which can enhance
> > the privacy of our users.  This is important for pEp, Autocrypt, and
> > Hagrid.
>
> It is not the only thing -- see above.  It lets you bind a User ID and
> additional attributes with a single signature, which is the primary goal.

I'm still confused by what you mean by "additional attributes".  Your proposal
states:

   Whereas the User ID Packet only
   allows a single UTF-8 string content, the User Attribute Packet
   allows the addition of multiple attributes in subtype packets.
   Unfortunately RFC 4880 only defined a single Attribute Subpacket, the
   Image Attribute.  This means that you need two signatures if you want
   to have an ID and an image.

So your usecase is to have a UserAttribute packet, with a single UserID
subpacket, and one or more Image subpackets, bound by a single signature.
Is that correct?

> Note that you can already have multiple UserIDs on a key.  If your main
> gripe is that you could have multiple User ID Attribute Subpackets bound
> by the same signature, I am fine if you want to limit that and say that an
> implementation MUST NOT (or SHOULD NOT) include more than one in a single
> Attribute packet.

My gripe is that UserID subpackets seem redundant, therefore needlessly
complicating the standard, and neither this discussion, your draft, nor the
language that ended up in draft-06 properly motivates the redundancy.

> 1) I want to enable a certificate where the primary key cannot sign

Fine with me.

> 2) I want to have a single binding signature that binds a User ID AND
> additional attributes

This is what I don't understand.

> 3) I want to enable a reduction in space consumption due to a bunch of
> notations that we use
> 4) I introduced some additional notation types which we use (and should be
> useful to others)

Fine with me.

Thanks,
Justus

v2.23.0 | Report a Bug | By Email