Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey

Daniel Huigens <d.huigens@protonmail.com> Tue, 30 April 2024 15:47 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27E6FC14CEFA for <openpgp@ietfa.amsl.com>; Tue, 30 Apr 2024 08:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHN1h-TSd-8Y for <openpgp@ietfa.amsl.com>; Tue, 30 Apr 2024 08:47:42 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8734C14CEED for <openpgp@ietf.org>; Tue, 30 Apr 2024 08:47:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1714492059; x=1714751259; bh=4yO3LDZrl/3Y1kqcfhwMfPo4mmZTwRXI0GWxewTfRWQ=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=O/7iJ6ehZlbIgDeHN1m2Xpl7F3oVmsKd7vz9dM+LyiFdoyx40FCLsN7U9tpnoZ3o0 6d25yDODNbIorEBOZCgIknOt3Iime8Yj42FinfkiVA5Qt0EBdrWF6VcG4+7JtlHGkU TOLjNl2P2ADvlKgk4jkv6HVtWx2YzOe3eVc+pqDZODgASfd9SdGOX4GIdrrz2D9uzn 55C2U2/wSpa7tSVAcv9apH6QOd8BGE05nyAm8Z/fKKhCjVxk7wYgFf6iKQ+fawuU/f WQTiZaw8dzuVNpgl+aj+nbUzOI3M3Go25dKHGRusyEw/AW/1h+xM0uO+fPf5Qee4Z4 EaYRtapLo1HYg==
Date: Tue, 30 Apr 2024 15:47:33 +0000
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Simon Josefsson <simon@josefsson.org>, IETF OpenPGP WG <openpgp@ietf.org>
Message-ID: <-ZhU4QDZerCI_Kt-MHZTrNXJqwhvuFppoGASttd2jNFrH_83B_arkTl8PiUuvcSAg1Rh6ReonATelYM_3muxGnkTbclv9f-3Ssms7cXlAQ4=@protonmail.com>
In-Reply-To: <25809E9B-BCD2-4205-B4E7-147F72887268@andrewg.com>
References: <87o7anhybr.fsf@fifthhorseman.net> <87jzkunest.fsf@fifthhorseman.net> <87y199g67k.fsf@kaka.sjd.se> <A0B535B4-215B-4159-9F39-0D33C24ECF2F@andrewg.com> <87frvhnhx0.fsf@fifthhorseman.net> <74AAE7BF-BD6C-4F27-9BFF-A4AA972056A4@andrewg.com> <tPdBr7QK7VoBsKag0QafjtDv9mB_jBTxHI00f_gSyM8SnUPkPukP2FqmSc-zcccXkvl13s8pDhnuNr9JkzgnY_XVNJlEEpUpqWvN1Ufw2Jg=@protonmail.com> <64E6E654-BE59-4F7F-83ED-34E9AFA89E52@andrewg.com> <YdQAqCSppzuMJIV23pd0CROjA3ATRR-PLn6ojVQQLi3pJqDnd6KBbLQaDpCa5z3Qlgqe80SFzjzrl5hfwk-m08oBiFM4ppPuyAi3iOOUNr4=@protonmail.com> <25809E9B-BCD2-4205-B4E7-147F72887268@andrewg.com>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 72cdedb556b91095f67483a1683d307ff64b6a3d
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/AcmiDKJWsj81ofj55AxlRibR70o>
Subject: Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 15:47:46 -0000

On Tuesday, April 30th, 2024 at 13:33, Andrew Gallagher wrote:
> In the strict OpenPGP meaning of “trust”, no. If you would use the new key anyway under your chosen trust model, then use it, otherwise don’t. But on top of that there’s an application-level decision about whether to notify the user that something has happened at the OpenPGP layer. That’s not a protocol issue, it’s a purely UX one, and I don’t think it should be specified here.

I don't think we can really separate the intended trust/security model
from the specification in that sense, because it's important that the
creator and consumer of the subpacket agree on the meaning, and the UX
decisions in turn depend on that. For example, with the current text, I
would personally not be comfortable removing a warning about a changed
key, because the text explicitly says that we shouldn't trust the key
more than we otherwise would.

> Yes, I did consider that we could define a “trust equivalence” signature that would be closer conceptually (and cryptographically) to a subkey binding signature than to a certification. But I’m not sure that belongs here either, and it certainly opens a lot more questions.

But I'm not sure we need a new signature type for that; we could just
interpret a third-party certification with type ID 0x13 (Positive
certification of a User ID and Public-Key packet) made by a key with
the same User ID as having that meaning, for example? Then we don't
need any new mechanism for this.

> Being absent from a particular keystore is not strong evidence of anything, as it depends heavily on the policy and/or capabilities of that keystore. I keep coming back to WKD… since it can only serve one key, it is impossible to use it for an optional (e.g. PQC) transition, so either I keep my old key on WKD and direct people elsewhere (somehow!) for my PQC key, or I put my PQC key on WKD and leave my non-PQC correspondents in limbo.

Yeah, fair enough. But regarding WKD, I think we should discuss the
transition separately, and allow serving multiple keys (perhaps only if
the client signals that they support that somehow). Because I don't
think having to put one key on WKD and one key on HKP is a particularly
good solution - it's a lot of added work on both sides, difficult to
keep in sync, and clients who use WKD will prefer to receive both keys
from there somehow, presumably.

Best,
Daniel