Re: [openpgp] Profiles in SOP [was: Re: Code-signing in OpenPGP]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 April 2024 23:26 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 140A9C14F6B7 for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2024 16:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="3J5zQccu"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="0VH6H1Vh"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id syD1s2wAW_1F for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2024 16:26:40 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93C1AC14F6B6 for <openpgp@ietf.org>; Wed, 3 Apr 2024 16:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1712186798; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=opGOUo5hTK5uSW+n5XeEOxTEdQt8pV3dLYQCiF6Y8eo=; b=3J5zQccu0LNcw8yijV1caEdyFYphtL9TU4DsvVWCJ/9d6f5fyh9FfeTFmt7OGTQ3MvQrB gliKESC62mIxIVDAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1712186798; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=opGOUo5hTK5uSW+n5XeEOxTEdQt8pV3dLYQCiF6Y8eo=; b=0VH6H1Vhh1BkqenVYVJKRxvz9NRxx5Fxiq/l81i/NJzikaxX82oTIUnXuQjhDNj/0nsaI fVPBOQm5wpI0g8JHTUeSGLGPeb8Rqr+5nImho4hMzRFYzrydHZrG4G8LthofSinQijtDZqv V/6z7SaAsKHc/O3PXA/cU9tayUQMjMCZO5JnXDbNFDjWA0frdLZ1D36pH/k3PME0zlsrB5w V4tpQ7ACA22EqLpBuz1CyZJwyunWexk27EJxCYRfGru9tHg0eb1bjrKXBLNqTCODk8rLAYK bnSgpGJ2fA7SoQZNxxPwiB9JLfQd6X0xwEugNdd9AqdknWtxd+jZFNE/RNZA==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 843AEF9E6; Wed, 3 Apr 2024 19:26:38 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id DFBB020697; Wed, 3 Apr 2024 18:48:25 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Daniel Huigens <d.huigens@protonmail.com>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
In-Reply-To: <IOsqTlabHoAS0bRML1H9vWe-gMTjKo00lBtR5VMaE0oUIeZC1y_TdiSjgyfkyjtq0ZuGbhd2vXTIBcfQXFj8JXiSi26flHQDHePI04EYVuo=@protonmail.com>
References: <IOsqTlabHoAS0bRML1H9vWe-gMTjKo00lBtR5VMaE0oUIeZC1y_TdiSjgyfkyjtq0ZuGbhd2vXTIBcfQXFj8JXiSi26flHQDHePI04EYVuo=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/YO+5Zi7HCi QQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu36RAUlea/ cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jCsnnp9FdYhaSSUW/vZ8kBAJByWlj A9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20NzRc8ZGtnQGZpZnRoaG9yc2VtYW4ubmV0PsLA EQQTFgoAeQMLCQdHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEu/CS CeyWwC6j4ihJr2u/z6delsF1pvYW3ufgf1L538DFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu3 6RAUlea/cFAmWnX5AFCQXZ8EUACgkQu36RAUlea/cjVwD+ONjdHM74rAa6EEiiqaPjlptiaZx CVqFYXnib6EbZARkBAPnnR8pW8vCBnDXHKu65jNqwF3aH761NaOqqMFfppg8GzjMEZXEJyxYJ KwYBBAHaRw8BAQdAjX25Fq2Q9IUFeHy6yByIQPBnFOedFliuEiCIUzJsENDCwMUEGBYKAS1HF AAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnwqKWsw56uoWVLIFcs7ZecJ gwpsSNevWCzbviKQ8yRLUCmwK+oAQZFgoAbwWCZXEJywkQdy0WHjXNS4FHFAAAAAAAHgAgc2F sdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEIJSOxuw2y/UJmg5M3BLpN0JYjODZpXiEVFu 1byARzMWIQR0vATEPYYIS+hnLAZ3LRYeNc1LgQAAsH8BAKg1C5LK/D7pSkXCD+jfTSP+CqM58 iHLjh4vKhpOKsTJAQCHldtEjxJ1ksPTFgG9HihHH7qc6/wvvLw77ETMpwlrAxYhBNR3BAxwwh VqXCmFSbt+kQFJXmv3BQJlp1+rBQkCF4lgAAoJELt+kQFJXmv3ydsA/2roQZ2Jm/7iUrg/2C5 ClWA/xbvPC31LyMkGGH2/rq8tAP9BgqLuCPnNTVPqeX9+9qqMmaFq7wmvjq5I+yycAw9CDc44 BGVxCcsSCisGAQQBl1UBBQEBB0BZMsRrRaaeFSYMF1ZdfRmVgBriDUIr99eDQ085BK14DgMBC AfCwAYEGBYKAG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnsazAWX tEHUPmSTmcRZAIsAsNiO8k0hdjsfRlRVipgJgCmwwWIQTUdwQMcMIValwphUm7fpEBSV5r9wU CZadfqwUJAheJYAAKCRC7fpEBSV5r90AjAPwLgY1iKiFJEj32SVD5f721929l79VxQB5FlQss x1n5kQEA6Uct2tPvbB6T7p5KG3Gl+tbi7oJAuxFmpkpW5/N2Owg=
Date: Wed, 03 Apr 2024 18:48:24 -0400
Message-ID: <87sf0212rr.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/DVRG9F2JjbuaLTxjmSJYZsZTPyY>
Subject: Re: [openpgp] Profiles in SOP [was: Re: Code-signing in OpenPGP]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 23:26:45 -0000
Hi Daniel--
On Wed 2024-04-03 10:45:32 +0000, Daniel Huigens wrote:
> On Friday, March 29th, 2024 at 19:11, Daniel Kahn Gillmor wrote:
>> If a bunch of different implementations all coalesce around the same
>> narrowly-chosen set of profile behaviors for key generation and
>> encryption, that would be an interesting outcome.
>
> Looking at the interop test suite results [1], the profiles SOP
> implementations have landed on are: (with their meanings for keygen)
>
> - rfc4880: use RSA
> - draft-koch-eddsa-for-openpgp-00: use EdDSA & ECDH over Curve25519
> - draft-ietf-openpgp-crypto-refresh-10: use Ed25519 & X25519
agreed, these are the current profiles for generate-key that
implementers have offered so far.
> I.e. only the IETF namespace seems to be used, not the user namespace.
> And none of them offer an option to use Ed448 & X448, for example.
I'd welcome those profiles :) I suspect some implementation just needs
to lead by example.
fwiw, my intent behind the profiles was never to deliberately expose
them to the user. Rather, it was to provide a little bit of flexibility
for implementations that they could use as discretion to nudge other
implementations for interop testing.
For example: a simple test would be to create a key with each profile
offered by each implementation, and then confirm whether the other
implementations could consume it.
> Instead, the questions the options I proposed (--security & --longevity)
> would answer are "how secure do you want your artifacts to be" and
> "how long do you want your artifacts to be secure for", respectively.
> And those are potentially closer to being answerable by an end user.
Any sensible user will answer these questions with "as secure as
possible" and "as long as possible", so these are not helpful questions
to ask. Without knowing what is being traded off (CPU time to generate,
CPU time to consume, wire format space, likelihood of interop failures
in today's environment, etc), it's nearly impossible for a user to make
these choices.
> - lightweight@...: for daily emails, git commits, etc.
> - heavyweight@...: for announcement emails, git tags, tarballs, etc.
>
> (adapted from your first email) - which probably is indeed even
> better.
This would at least give some vague sense of what the tradeoffs are, but
maybe not all of them (e.g. i don't know how much it describes
present-day interoperability). My main preference is to avoid punting
any of this to the user, or even to the application, as much as
possible.
> All of that being said, before --profile was added, my position was
> that the current use of --profile (i.e. to select a standard to follow)
> should be covered either by an env variable or by having different
> variant of the sop binary, e.g. you could have gosop-crypto-refresh
> and so on. That way, it's more clear that it's something that should be
> selected by the application (or for testing only) rather than the user.
The different variants of the sop binary do of course have different
profiles by default. The profile mechanism present in the draft allows
the creation of a single sop binary that can make *some* discretionary
choices, but tries to nudge implementers to make a narrow range of
likely-useful choices, rather than throwing up their hands and saying
"let the user have access to a full airplane cockpit", which is a
pattern that i've observed being actively harmful for interoperability
and usability.
With the different profiles, a single implementation can also signal an
interest in an upcoming approach, and encourage interop with it, without
committing to it as the default behavior.
> And, it's arguably also a variant of the SOP standard (not just its
> implementation), since the SOP spec references RFC4880 explicitly - so
> if `sop generate-key --profile=draft-ietf-openpgp-crypto-refresh-10`
> generates a v6 key, that's technically not compliant with SOP, which is
> a bit surprising. So, a variant of the binary could claim to implement
> a variant of SOP (which would refer to the crypto refresh instead).
fwiw, the sop draft will certainly be updated to reference the RFC when
the crypto-refresh is released. There are some minor changes that will
need doing there (e.g. the definition of SESSIONKEY needs updating to be
able to represent sense of v6 ESK), but i hope any sop implementer will
actively identify any potential problems, and propose fixes that seem
reasonable.
> Perhaps we could still do that; but then, I would propose to drop the
> IETF namespace, and also drop the requirement for an @domain after the
> user space profiles - every profile name would just be specific to the
> variant & implementation by definition.
Every implementation can already make up their own profile names. I
also want a shared namespace so that implementations can coalesce around
consensus standards. I don't really see that changing the syntax or
semantics of profiles would help to achieve either of those goals.
Maybe implementers just need to start exercising them?
Thanks for the thoughtful discussion on this!
--dkg
- [openpgp] Profiles in SOP [was: Re: Code-signing … Daniel Huigens
- Re: [openpgp] Profiles in SOP [was: Re: Code-sign… Daniel Kahn Gillmor