[openpgp] preferences on the direct-key signature
"Neal H. Walfield" <neal@walfield.org> Thu, 01 December 2022 11:53 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61C2CC14CF14 for <openpgp@ietfa.amsl.com>; Thu, 1 Dec 2022 03:53:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8htIN_8HAtW8 for <openpgp@ietfa.amsl.com>; Thu, 1 Dec 2022 03:53:21 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [202.61.250.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5D04C14CF13 for <openpgp@ietf.org>; Thu, 1 Dec 2022 03:53:21 -0800 (PST)
Received: from p5de92f23.dip0.t-ipconnect.de ([93.233.47.35] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1p0i7x-0005ZV-Uf for openpgp@ietf.org; Thu, 01 Dec 2022 12:53:17 +0100
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <neal@walfield.org>) id 1p0i7w-007l6F-SW for openpgp@ietf.org; Thu, 01 Dec 2022 12:53:17 +0100
Date: Thu, 01 Dec 2022 12:53:17 +0100
Message-ID: <87r0xj49xu.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: IETF OpenPGP WG <openpgp@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/6W7KHRJ5QgcSLvyx22y_2lvyj2k>
Subject: [openpgp] preferences on the direct-key signature
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 11:53:26 -0000
> 5.2.3.7. Notes on Self-Signatures > > For version 5 keys, it is RECOMMENDED to store information about the > primary Public-Key as well as the Transferable Public Key as a whole > (key flags, key expiration, features, algorithm preferences, etc.) in > a direct-key signature (type 0x1F) over the Public-Key instead of > placing that information in a User ID self-signature. An > implementation MUST ensure that a valid direct-key signature is > present before using a v5 key. This prevents certain attacks where > an adversary strips a self-signature specifying a key expiration time > or certain preferences. I'm a bit confused by this advice. From what I understand: a v5 key MUST have a direct-key signature, but it is only RECOMMENDED to store, e.g., the key expiration subpacket there. In that case, how does that "prevent certain attacks where an adversary strips a self-signature specifying a key expiration time or certain preferences"? If the preferences are stored on a User ID self-signature, then they can still be stripped. Or what am I misunderstanding? > Implementing software should interpret a self-signature's preference > subpackets as narrowly as possible. For example, suppose a key has > two user names, Alice and Bob. Suppose that Alice prefers the AEAD > ciphersuite AES-256 with OCB, and Bob prefers Camellia-256 with GCM. > If the software locates this key via Alice's name, then the preferred > AEAD ciphersuite is AES-256 with OCB; if software locates the key via > Bob's name, then the preferred algorithm is Camellia-256 with GCM. > If the key is located by Key ID, the algorithm of the primary User ID > of the key provides the preferred AEAD ciphersuite. This advice doesn't consider preferences stored on the direct-key signature. Perhaps the order should be: - Optionally specified User ID - Primary User ID - Direct Key Signature I'm a bit worried about the key expiration subpacket, as different implementations may update it in different ways. For instance, Sequoia stores the key expiration on the direct key signature and in the User ID self signatures. When trying to change such a key using GnuPG, GnuPG only updates the key expiration subpacket on the User ID. See this issue for more details: https://gitlab.com/sequoia-pgp/sequoia/-/issues/926 I think it would be good to say that for v5 keys, the direct-key signature is the only source of truth for this type of information (specifically, the key expiration and key flags subpackets). Neal
- [openpgp] preferences on the direct-key signature Neal H. Walfield
- Re: [openpgp] preferences on the direct-key signa… Daniel Huigens
- Re: [openpgp] preferences on the direct-key signa… Daniel Kahn Gillmor