[openpgp] Profiles in SOP [was: Re: Code-signing in OpenPGP]
Daniel Huigens <d.huigens@protonmail.com> Wed, 03 April 2024 10:45 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D9CBC169431 for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2024 03:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ONVMuyS5xhVu for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2024 03:45:47 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84A9CC14F601 for <openpgp@ietf.org>; Wed, 3 Apr 2024 03:45:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1712141139; x=1712400339; bh=PYGnMzXvZWRqHfeScTxId+ZPQM+xhgw+pxs7d7Y1uYs=; h=Date:To:From:Cc:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=SvRSumWmR9Ol7LwdNFUGbB5yp2z0z99VNhvbzN2hq1YR9dGqFI3hAuZxAwIcYQXd/ TeDyxcnp5GmR94wAx2UXvzwVtPitCfJ3nHu6l8bXvYnWLMTfrIHBF67i3AzBaHrmjf ATtPYZG3qTQGBlIJK1ObQEBSJfDRQBtOzZfgFrh+GzVCDB9Nw9AOfsMtD3GBYOBsMQ /jkH2yddP7+rM8GlPsGgfU8ROIaPhuOdy1DFYmCTZeGibV81yCK8mLkDfDhS3C3i/D lWBIgUrK9Eki3Nev8kbjRcNjYCFtEDV1u4tO2KgNYmWHSHxN2hbZaHRAWfaGL9uAe9 uPpnNxMDGw94A==
Date: Wed, 03 Apr 2024 10:45:32 +0000
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
Message-ID: <IOsqTlabHoAS0bRML1H9vWe-gMTjKo00lBtR5VMaE0oUIeZC1y_TdiSjgyfkyjtq0ZuGbhd2vXTIBcfQXFj8JXiSi26flHQDHePI04EYVuo=@protonmail.com>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/6Ocaj05MBUQHAVcD4uW9HQnyKOo>
Subject: [openpgp] Profiles in SOP [was: Re: Code-signing in OpenPGP]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 10:45:52 -0000
Hi dkg, On Friday, March 29th, 2024 at 19:11, Daniel Kahn Gillmor wrote: > If a bunch of different implementations all coalesce around the same > narrowly-chosen set of profile behaviors for key generation and > encryption, that would be an interesting outcome. Looking at the interop test suite results [1], the profiles SOP implementations have landed on are: (with their meanings for keygen) - rfc4880: use RSA - draft-koch-eddsa-for-openpgp-00: use EdDSA & ECDH over Curve25519 - draft-ietf-openpgp-crypto-refresh-10: use Ed25519 & X25519 I.e. only the IETF namespace seems to be used, not the user namespace. And none of them offer an option to use Ed448 & X448, for example. So to me it looks like the consensus of the implementations is to use the profile option to answer the question of "which standard do you want to follow / what do you want to be interoperable with", and not "what security level do you want" or "what's your use case" or anything like that - though perhaps we should indeed change that, more on that below. I would argue that it's the application that should answer that first question (because it knows whether it's a greenfield deployment and whether it should care about interoperability), and so the choice of profile shouldn't really be presented to an end user at all, as it's currently implemented. Instead, the questions the options I proposed (--security & --longevity) would answer are "how secure do you want your artifacts to be" and "how long do you want your artifacts to be secure for", respectively. And those are potentially closer to being answerable by an end user. >From your email, it sounds like the question you want(ed?) --profile to answer is more like "what's your use case", perhaps? With options like - lightweight@...: for daily emails, git commits, etc. - heavyweight@...: for announcement emails, git tags, tarballs, etc. (adapted from your first email) - which probably is indeed even better. But to me, this still seems somewhat orthogonal to the question of "what do you want to be compatible with". E.g. you might want to create high-security/longevity artifacts while also caring about interop (although you can't always have everything, ofc); or you might be in a greenfield deployment. So, given the current use of --profile, I think it might make more sense to create a separate parameter for that. --- All of that being said, before --profile was added, my position was that the current use of --profile (i.e. to select a standard to follow) should be covered either by an env variable or by having different variant of the sop binary, e.g. you could have gosop-crypto-refresh and so on. That way, it's more clear that it's something that should be selected by the application (or for testing only) rather than the user. And, it's arguably also a variant of the SOP standard (not just its implementation), since the SOP spec references RFC4880 explicitly - so if `sop generate-key --profile=draft-ietf-openpgp-crypto-refresh-10` generates a v6 key, that's technically not compliant with SOP, which is a bit surprising. So, a variant of the binary could claim to implement a variant of SOP (which would refer to the crypto refresh instead). The profile could then refer to a set of preferences within that spec; e.g. "high-security" for Curve448, "performance" for Curve25519, and "compatibility" for RSA (though to be pedantic this would still refer to RSA as specified in the crypto refresh, i.e. at least 3072 bits, while the variant using RFC4880 could technically generate 2048-bit keys, although probably it shouldn't) and a different set of profiles/ algorithms for the other variants/specs. Perhaps we could still do that; but then, I would propose to drop the IETF namespace, and also drop the requirement for an @domain after the user space profiles - every profile name would just be specific to the variant & implementation by definition. But, perhaps that ship has sailed? If so, we could also give this concept a different name, of course. Best, Daniel [1]: https://tests.sequoia-pgp.org/#versions
- [openpgp] Profiles in SOP [was: Re: Code-signing … Daniel Huigens
- Re: [openpgp] Profiles in SOP [was: Re: Code-sign… Daniel Kahn Gillmor