[openpgp] A more modest proposal for domain separation
Daniel Huigens <d.huigens@protonmail.com> Thu, 24 November 2022 15:54 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6A93C14F73E for <openpgp@ietfa.amsl.com>; Thu, 24 Nov 2022 07:54:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 798kXXQ0w32W for <openpgp@ietfa.amsl.com>; Thu, 24 Nov 2022 07:54:39 -0800 (PST)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38240C14F72F for <openpgp@ietf.org>; Thu, 24 Nov 2022 07:54:39 -0800 (PST)
Date: Thu, 24 Nov 2022 15:54:26 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1669305275; x=1669564475; bh=4PxEzv+OBzYkQ5Hm+D/nJgeel11y/gfWJEg97H4cUZs=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=hEUYZmGNFzUVReX0ZTTTQ+hS0C8ubXf1QYTUkWesMbWRRmBCoFHX5hIJTuXwPPXWA eb1lUdEKfZoywhI6q6INB1EDaQuKaA99iDWK466cFAWVbqXxAwADXqAYttePn2nZh9 prJc/ml4Ff0hXEZCRL/V+PZBZcDHVEO5xk8DStIc8i0IFeiy+4j3o9tkbsD6+5Uc2n ncsW7UuS5/xEOcQBbU6oAfzJVgPStZcdC8btJEkFi5EHe2LfFdel5J4usHN/CthNaq s6A9pCBONLMPUlNW1JF4xAO2+9rD5EjSmHyJkcKIC9Lz9vc0QPhhm8eQ0YzjnFC/Qp WcOY5kYznAubA==
To: IETF OpenPGP WG <openpgp@ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <cCT3O7uQdqfhdXuZDRQAh9OXdoMUcMgy0Bw9yos8HYgTwYGhcL1HfJBbaCI6Omx3hCfNA0GiM3H12njyoDa-LnXoHctsbvT0XfMYvBC07LE=@protonmail.com>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/B6t3IjqcaaNepgUgXd6u6dA4gmo>
Subject: [openpgp] A more modest proposal for domain separation
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 15:54:43 -0000
Hi folks, We discussed domain separation / context parameters at IETF 115. There, we were talking about adding a registry for applications, and filling in the initial values for such a registry, etc, and it sounded like the conclusion was that that's a lot of work and to table it for now. I want to try to formulate a simpler approach, with perhaps a more modest (initial) goal, compared to the one we initially approached this from. Rather than (immediately) considering context binding in the case of email, or other existing applications, I would like to achieve that new applications or protocols that want to use OpenPGP in a way that's entirely internal to that application or protocol, but still want to use the existing key infrastructure (i.e. use existing keys from WKD or keys.openpgp.org or so) can be immune to context confusion; i.e. they can be reasonably sure that a given message or signature was created by that application, and not by other existing uses of OpenPG (e.g. email). This is particularly important if the application wants to subsequently process the message in some way which is potentially security-sensitive. For example, imagine a backup system that encrypts backed-up files with your existing keyring, and stores the backup on an external (untrusted) server. It would be bad if that server could take an email you sent or received and insert it into a backup, if it would later get restored and written to disk, e.g. in a location where it would/could be executed. (Of course the devil is in the details and that attack might not work exactly as described, depending on the implementation, but I think it's better to categorically exclude the possibility of this happening.) --- With signatures, it's possible to achieve this today, as has been noted, by creating a notation signature subpacket, and checking that that's there when verifying the signature. However, this has an overhead, which could be avoided by using a dedicated parameter that's hashed into the signature but not stored there. For messages, it's not possible at all, today. (For public-key encrypted messages, this isn't as relevant since anyone could've created them, anyway, but for symmetrically encrypted & integrity protected messages, it's more relevant.) I think a registry is not actually really required for this, if we state that the application identifier should be a domain that the application controls - or, for protocols, it could be rfcXXXX.ietf.org, or so. Or, whatever the protocol wants, really, as long as it's confident that other applications or protocols won't accidentally use the same value. And, to simplify things, we can say that for existing applications, the application string is initially assumed to be empty, unless there is some specification or application-side migration that starts making use of it, and signals as much with an email header or some such, but for the OpenPGP spec itself it should be out of scope. --- The above could be achieved by adding an "application" parameter (prefixed by its length, perhaps) into the hash for signatures, and into the additional data for messages. Then, if we want to be future-proof, we could also add an application- specific "context" parameter, after that; or we could have a single parameter with some guidance on how to format it; e.g. something like example.com:application-specific-context. Let me know if this sounds reasonable, and if so, which variant you prefer, then I can write up some text for this. Or, if you think this is still too much work for the WGLC, that's fair enough as well, though personally I think it would be nice to have this for v6 signatures, already (if we end up bumping the version numbers, indeed). Thanks! Best, Daniel
- [openpgp] A more modest proposal for domain separ… Daniel Huigens
- Re: [openpgp] A more modest proposal for domain s… Daniel Kahn Gillmor
- Re: [openpgp] A more modest proposal for domain s… Daniel Huigens
- Re: [openpgp] A more modest proposal for domain s… Wiktor Kwapisiewicz
- Re: [openpgp] A more modest proposal for domain s… Daniel Kahn Gillmor
- Re: [openpgp] A more modest proposal for domain s… Wiktor Kwapisiewicz
- Re: [openpgp] A more modest proposal for domain s… Ángel
- Re: [openpgp] A more modest proposal for domain s… Marcus Brinkmann
- Re: [openpgp] A more modest proposal for domain s… Marcus Brinkmann