Re: [openpgp] Clarify status of subkeys with certification use

Werner Koch <wk@gnupg.org> Mon, 28 May 2018 12:12 UTC

From: Werner Koch <wk@gnupg.org>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, IETF OpenPGP <openpgp@ietf.org>, Kristian Fiskerstrand <kristian.fiskerstrand@sumptuouscapital.com>, Justus Winter <justus@sequoia-pgp.org>
Date: Mon, 28 May 2018 14:04:25 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/DVJTcOIfHDHJ8eL1qshdE351XX0>

On Sat, 26 May 2018 23:15, neal@walfield.org said:

> First, OpenPGP foresees two types of encryption keys:
>
>   0x04 - This key may be used to encrypt communications.
>   0x08 - This key may be used to encrypt storage.

Which was done to mimic the X.509 usage.  X.509 required such a flag to
differentiate between a signing and an encryption certificate.  Even in
the case that two certificates are issued (additional costs to the user)
there is no fine grained distinction.  Note that I am talking about
certificates for mail processing.

OpenPGP does not need this because subkeys are a more useful thing than
trying to find matching certificates.  Fine grain key usage flags
don't gain you anything other than complexity and unclear semantics.  See
X.509's keyUsage and extendedKeyUsage extensions to see where it will
lead.

> the newest one, AFAIK.  But, there is precedence for encrypting to all
> valid encryption capable subkeys: this is what OpenKeychain does.

I doubt that this has any practical security gain over copying all
needed subkeys to all devices.  After all you want to read with all
devices and the sender has no way to tell which device you are currently
using.  Rotating the keys is a much cleaner way to limit damage in case
of a device compromise.

> advance.  For instance, we will create keys covering, say, the next 6
> months.  By setting the creation time and expiration time
> appropriately, only one key per device will be valid at any given
> time.  AFAIUI, recent versions of GnuPG respect this.

Actually this was implemented ~20 years ago after consultation with
Caspar Bowden of FIPR and Ben Laurie.  The use case back then was to
limit the damage done by the RIPA.


Salam-Shalom,

   Werner


p.s.
Proper key rotation requires a lot of OPSEC and diligent use of
communication tools.  The problem we have is not forward secrecy but
the general non-use of encryption and, worse, the insecurity of the
equipment.

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.
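
Added example, not part of the message above and not GnuPG or OpenKeychain code: a small model of the scheme discussed in the thread, where encryption subkeys are generated in advance with back-to-back validity windows, compared under the two recipient-selection policies mentioned (newest valid subkey only, or all valid encryption-capable subkeys). The Subkey class, the device labels and the 30-day schedule are constructed for illustration; only the 0x04 and 0x08 flag values come from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Key flag bits quoted in the thread (RFC 4880 key flags subpacket).
ENCRYPT_COMMS = 0x04
ENCRYPT_STORAGE = 0x08


@dataclass(frozen=True)
class Subkey:
    label: str            # hypothetical name, stands in for a fingerprint
    flags: int            # key flags octet from the binding signature
    created: datetime     # creation time of the subkey
    valid_for: timedelta  # expiration, expressed relative to creation


def valid_encryption_subkeys(subkeys, now, wanted=ENCRYPT_COMMS):
    """Subkeys carrying the wanted flag whose validity window contains now."""
    return [k for k in subkeys
            if k.flags & wanted
            and k.created <= now < k.created + k.valid_for]


def newest_valid(subkeys, now):
    """Policy 1: encrypt only to the most recently created valid subkey."""
    valid = valid_encryption_subkeys(subkeys, now)
    return max(valid, key=lambda k: k.created, default=None)


def pregenerate(device, start, periods, length):
    """Constructed schedule: back-to-back subkeys, one per period."""
    return [Subkey(f"{device}-{i}", ENCRYPT_COMMS | ENCRYPT_STORAGE,
                   start + i * length, length)
            for i in range(periods)]


START = datetime(2018, 6, 1, tzinfo=timezone.utc)
MONTH = timedelta(days=30)
# Two devices, six pre-generated 30-day subkeys each (constructed data).
KEYRING = (pregenerate("laptop", START, 6, MONTH)
           + pregenerate("phone", START, 6, MONTH))

if __name__ == "__main__":
    for day in (0, 29, 30, 179, 180):
        now = START + timedelta(days=day)
        every = [k.label for k in valid_encryption_subkeys(KEYRING, now)]
        newest = newest_valid(KEYRING, now)
        print(day, every, newest.label if newest else None)
```

With per-device subkeys the "all valid" policy reaches both devices in every period, while "newest only" picks a single subkey and therefore a single device; once the pre-generated schedule runs out, neither policy finds a usable key.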