Re: [openpgp] Registration of the 'proof' notation

"Neal H. Walfield" <neal@walfield.org> Wed, 30 September 2020 10:22 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A04C93A0A90; Wed, 30 Sep 2020 03:22:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOLj3B9LRdju; Wed, 30 Sep 2020 03:22:51 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A1463A0061; Wed, 30 Sep 2020 03:22:47 -0700 (PDT)
Received: from p5de92429.dip0.t-ipconnect.de ([93.233.36.41] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1kNZG0-00023s-LF; Wed, 30 Sep 2020 10:22:44 +0000
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1kNZG0-0008Tj-6o; Wed, 30 Sep 2020 12:22:44 +0200
Date: Wed, 30 Sep 2020 12:22:44 +0200
Message-ID: <87v9fv36ob.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <fd255115-b047-ca6a-9ce9-b2f30b0b459d@metacode.biz>
References: <fd255115-b047-ca6a-9ce9-b2f30b0b459d@metacode.biz>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (=?ISO-8859-4?Q?Goj=F2?=) APEL/10.8 EasyPG/1.0.0 Emacs/26 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/8Hk3FDLYY9Rgfx1oIlB5actVntE>
Subject: Re: [openpgp] Registration of the 'proof' notation
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2020 10:22:54 -0000

Hi Wiktor,

Thanks for submitting the proposal.  For the record, I'm against it.

On Wed, 30 Sep 2020 11:20:08 +0200,
Wiktor Kwapisiewicz wrote:
> I'd like to request registration of notation in the IETF namespace (non
> suffixed) as a sub-section of 5.2.3.17. Notation Data [0]:
> 
> -----------------------------
> The 'proof' notation
> 
> The proof notation contains a resource identifier that can be verified
> as being associated with the OpenPGP key. The identifier SHOULD be in
> URI format. This is intended in particular to associate user accounts on
> the web. The specifications on how the verification should be performed
> is beyond the scope of this document.

For those following along at home: Vincent explored this idea of
social proofs for OpenPGP (he called them linked identities) in his
master's thesis.  He submitted two I-Ds describing how to add them to
OpenPGP using User Attributes:

  https://datatracker.ietf.org/doc/html/draft-vb-openpgp-linked-ids-01
  https://datatracker.ietf.org/doc/html/draft-vb-openpgp-uri-attribute-01

Some discussion can be found here:

  http://moderncrypto.org/mail-archive/messaging/2015/001348.html

Without getting into the details, I think Vincent's proposal is good,
and should be the preferred way forward assuming we want this feature.
And, I think this feature is desirable.

> This notation in a user space variant (proof@metacode.biz) is already in
> use by several services the biggest of which is https://keyoxide.org/
> (developed by Yarmo Mackenbach) and partially documented in
> https://metacode.biz/openpgp/proofs

For the record, Hagrid also supports them, e.g.:

  https://keys.openpgp.org/wiktor@metacode.biz



The use of the proof notation is a nice hack given the state of the
ecosystem.  In particular, AFAIK, no OpenPGP implementation outside of
Open Keychain supports adding social proofs / linked identities to an
OpenPGP Certificate, but most do support adding notations even if that
support is a bit clumsy, cf. the "Adding proofs" section in:

  https://metacode.biz/openpgp/proofs

But, that doesn't mean that this hack should be standardized
particularly given that it is using existing OpenPGP mechanisms
(notations) exactly as intended.

These are several reasons why I prefer the User Attribute approach:

  - Since the notations are attached to a User ID self signature, it
    is not possible for a third party to certify a linked identity in
    the usual manner.  For instance, I think it would be useful to
    create a User Attribute for a social media handle or some service,
    and then have someone cerify that identity.  We could embed a URI
    in a User ID packet (e.g., twitter://@nwalfield,
    ssh://walfield.org), but this further complicates parsing User ID
    packets, which means that OpenPGP applications are less likely to
    make use of this information.

  - Notations change the semantics of certification.  When Alice
    certifies that "Bob <bob@example.org>" controls the Certificate
    0xBBBB, is she also certifying Bob's linked identities?  The
    notations are stored on the User ID's self signature and not on
    the User ID packet, but...

  - Traditionally, OpenPGP has had one identity per artifact.  This is
    nice, because it means that it is possible to only publish
    relevant information.  For instance, the WKD specification says:

        The mail provider MUST make sure to publish a key in a way
        that only the mail address belonging to the requested user is
        part of the User ID packets included in the returned key.
        Other User ID packets and their associated binding signatures
        MUST be removed before publication.

        https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service-10#section-5

    Similarly, Hagrid (the software behind https://keys.openpgp.org)
    only returns User IDs and their self signatures for which the
    email has been confirmed.  Using notations, it is not possible to
    separately confirm the linked identifies, and Hagrid must either
    publish a User ID with all of the linked identities, publish the
    User ID without a self signature, or not publish the User ID at
    all.  All of those options are unsatisfying.

:) Neal