Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"

"Neal H. Walfield" <neal@walfield.org> Wed, 31 July 2019 20:55 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B0112006D for <openpgp@ietfa.amsl.com>; Wed, 31 Jul 2019 13:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIoLF7_2RAvq for <openpgp@ietfa.amsl.com>; Wed, 31 Jul 2019 13:55:14 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1700E12002F for <openpgp@ietf.org>; Wed, 31 Jul 2019 13:55:13 -0700 (PDT)
Received: from p57b2294e.dip0.t-ipconnect.de ([87.178.41.78] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1hsvct-00066f-Tq; Wed, 31 Jul 2019 20:55:11 +0000
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1hsvct-0007fr-BX; Wed, 31 Jul 2019 22:55:11 +0200
Date: Wed, 31 Jul 2019 22:55:11 +0200
Message-ID: <87v9vh53gw.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
In-Reply-To: <20190731203444.4822-1-dkg@fifthhorseman.net>
References: <87iocqepta.fsf@littlepip.fritz.box> <20190731203444.4822-1-dkg@fifthhorseman.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/26 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/CWsb0sZ3c_v1osY-psPGIBFh5xI>
Subject: Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 20:55:20 -0000

Hi Daniel,

Justus proposed an embedded TPK subpacket for cases like this with
this as a motivating example.  See:

  Subject: [openpgp] Embedded TPK subpacket
  From: Justus Winter <justuswinter@gmail.com>
  Date: Mon, 25 Mar 2019 10:20:45 +0100
  Message-ID: <87ef6v71jm.fsf@europa.jade-hamburg.de>

  https://mailarchive.ietf.org/arch/msg/openpgp/F1Wdrldzd3k9tqOos4hmokOV0r0

Do you think a point solution is better?

Thanks,

:) Neal

On Wed, 31 Jul 2019 22:34:44 +0200,
Daniel Kahn Gillmor wrote:
> 
> The "revocation key" subpacket is problematic.  It is the the most
> fragile piece of the specification wrt the fingerprint (collisions
> against a fingerprint can create surprising revocation effects).  And
> it is potentially difficult to rely on for clients which might not be
> able to find the revoking key (for example, if keyservers are
> unavailable).
> 
> It is also not currently widely used.
> 
> This patch to the spec deprecates the "revocation key" subpacket and
> replaces it with a "designated revoker" subpacket that includes the
> full key, rather than the fingerprint.
> 
> The only cost here appears to be slightly increased size of the new
> subpacket type by comparison, which is an entirely reasonable cost
> that the (rare) users of this feature should be able to bear.
> 
> I've cargo-culted in the "class" octet from "Revocation Key".  I'm not
> sure that octet is particularly useful, and i'd be happy to drop it if
> folks want to, but i didn't want to muddle the waters with a semantic
> change in addition to this mechanical change.
> 
> Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
> ---
>  middle.mkd | 61 ++++++++++++++++++++++++++++++++++++++++--------------
>  1 file changed, 46 insertions(+), 15 deletions(-)
> 
> diff --git a/middle.mkd b/middle.mkd
> index 51f71a6..a2d3ae6 100644
> --- a/middle.mkd
> +++ b/middle.mkd
> @@ -757,7 +757,7 @@ These meanings are as follows:
>        directly on a key.  It binds the information in the Signature
>        subpackets to the key, and is appropriate to be used for
>        subpackets that provide information about the key, such as
> -      the Revocation Key subpacket.  It is also appropriate for
> +      the Designated Revoker subpacket.  It is also appropriate for
>        statements that non-self certifiers want to make about the
>        key itself, rather than the binding between a key and a
>        name.
> @@ -766,7 +766,7 @@ These meanings are as follows:
>    :   Key revocation signature. The signature is calculated
>        directly on the key being revoked. A revoked key is not to
>        be used.  Only revocation signatures by the key being
> -      revoked, or by an authorized revocation key, should be
> +      revoked, or by a designated revoker, should be
>        considered valid revocation signatures.
>  
>  0x28
> @@ -774,7 +774,7 @@ These meanings are as follows:
>        directly on the subkey being revoked. A revoked subkey is
>        not to be used.  Only revocation signatures by the top-level
>        signature key that is bound to this subkey, or by an
> -      authorized revocation key, should be considered valid
> +      designated revoker, should be considered valid
>        revocation signatures.
>  
>  0x30
> @@ -782,7 +782,7 @@ These meanings are as follows:
>        earlier User ID certification signature (signature class
>        0x10 through 0x13) or direct-key signature (0x1F).  It should
>        be issued by the same key that issued the revoked signature
> -      or an authorized revocation key.  The signature is computed
> +      or a designated revoker.  The signature is computed
>        over the same data as the certificate that it revokes, and
>        should have a later creation date than that certificate.
>  
> @@ -1039,7 +1039,7 @@ The value of the subpacket type octet may be:
>             9   Key Expiration Time
>            10   Placeholder for backward compatibility
>            11   Preferred Symmetric Algorithms
> -          12   Revocation Key
> +          12   Revocation Key (deprecated)
>      13 to 15   Reserved
>            16   Issuer
>      17 to 19   Reserved
> @@ -1058,6 +1058,7 @@ The value of the subpacket type octet may be:
>            32   Embedded Signature
>            33   Issuer Fingerprint
>            34   Preferred AEAD Algorithms
> +          35   Designated Revoker
>    100 to 110   Private or experimental
>  
>  An implementation SHOULD ignore any subpacket of a type that it does
> @@ -1294,18 +1295,48 @@ description of the syntax is found in [](#regular-expressions) below.
>  
>  #### Revocation Key
>  
> -(1 octet of class, 1 octet of public-key algorithm ID, 20 or 32 octets
> -of fingerprint)
> +(1 octet of class, 1 octet of public-key algorithm ID, 20 octets
> +of v4 fingerprint)
>  
> -V4 keys use the full 20 octet fingerprint; V5 keys use the
> -full 32 octet fingerprint
> +This mechanism is deprecated.  Applications MUST NOT generate such a
> +subpacket.  An application that wants this functionality SHOULD
> +instead produce a Designated Revoker subpacket described in
> +[](#designated-revoker).  The advantage of the Designated Revoker
> +packet is twofold: it can be used unambiguously to validate
> +revocations without causing an extra lookup; and it is resistant to
> +any flaws found in the fingerprint.
>  
> -Authorizes the specified key to issue revocation signatures for this
> -key.  Class octet must have bit 0x80 set.  If the bit 0x40 is set,
> -then this means that the revocation information is sensitive.  Other
> -bits are for future expansion to other kinds of authorizations.  This
> -is only found on a direct-key self-signature (type 0x1f).  The use on
> -other types of self-signatures is unspecified.
> +This packet authorizes the specified v4 key to issue revocation
> +signatures for this key.  Class octet must have bit 0x80 set.  If the
> +bit 0x40 is set, then this means that the revocation information is
> +sensitive.  Other bits are reserved and MUST be 0.  This is only found
> +on a direct-key self-signature (type 0x1f).  The use on other types of
> +self-signatures is unspecified.
> +
> +If the "sensitive" flag is set, the keyholder feels this subpacket
> +contains private trust information that describes a real-world
> +sensitive relationship.  If this flag is set, implementations SHOULD
> +NOT export this signature to other users except in cases where the
> +data needs to be available: when the signature is being sent to the
> +designated revoker, or when it is accompanied by a revocation
> +signature from that revoker.  Note that it may be appropriate to
> +isolate this subpacket within a separate signature so that it is not
> +combined with other subpackets that need to be exported.
> +
> +#### Designated Revoker
> +
> +(1 octet of class, N octets of public key)
> +
> +Authorizes the embedded public key to issue revocation signatures for
> +this key.  Class octet must have bit 0x80 set.  If the bit 0x40 is
> +set, then this means that the revocation information is sensitive.
> +Other bits are for future expansion to other kinds of authorizations.
> +This is only found on a direct-key self-signature (type 0x1f).  The
> +use on other types of self-signatures is unspecified.
> +
> +The remaining N octets of the of the packet MUST consist of a complete
> +Public-Key Packet (tag 6) that can be used to verify revocation
> +signatures.
>  
>  If the "sensitive" flag is set, the keyholder feels this subpacket
>  contains private trust information that describes a real-world
> -- 
> 2.20.1
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
>