Re: [openpgp] User ID Attribute Subpacket

Derek Atkins <derek@ihtfp.com> Wed, 20 February 2019 16:08 UTC

To: Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>
Cc: Justus Winter <justuswinter@gmail.com>, openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/DyQqVZYoAKQYE5ihjNVStSF71no>

Hi,

Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org> writes:

> Hi Justus,
>
> On 20.02.2019 11:30, Justus Winter wrote:
>> Based on these observations I challenge the claim that the proposed
>> subpacket adds any value to the standard, and propose to remove it.
>
> I agree.

Obviously I don't ;)

> Actually from my casual skimming of the device certifications draft I
> see most of the changes can be implemented over what is already in
> OpenPGP.

*CAN*, yes, but there are reasons to minimize.  See below.

> As you've said - User IDs are quite flexible [0] and the other change
> of device certifications - standard notations (that is notation names
> that don't contain "@") could just use regular notation names
> (e.g. 'manu' Notation could be 'manu@device-certs.example').
>
> That would keep OpenPGP as small as possible without parts that most
> implementations would basically omit.

Yes, most of what was in the draft could have been implemented using
standard OpenPGP mechanisms.  Indeed, the device-certs draft was not
intended at the time to be incorporated into 4880bis but rather to be a
standalone document that lived alongside it.

The main purpose was to enable the smallest certificate possible, but
really the purpose of the device-certs draft was multi-fold:

1) Allow a PGP Key Certificate without a signature key.  The idea here
   is that some small devices may only have a key-agreement key
   available so may not be able to create a signature.  However, 4880
   did not allow this configuration and required a top-level signature
   key and relegated other keys to sub-usage.

2) The reason for the User ID Attribute subpacket was that we wanted to
   have multiple Attribute subpackets included in the certificate in a
   primary signature, but this was not possible with 4880.  My memory is
   hazy on what the exact issue was, but IIRC you could EITHER have a
   UserID packet OR a set of Attribute packets, but not both.  Because I
   wanted both a UserID *AND* additional attributes in a single
   signature, this seemed the best way to do it.

3) Yes, we could have just used FQDN-based notations, but then we're
   literally adding at least 13 bytes PER NOTATION.  Given the number
   of notations in use, that was adding on the order of 65-130 BYTES to
   the certificate, or about 10-15%!

> Having said that I wasn't around when it was conceived so probably
> there is some rationale for its inclusion.

Indeed.  Honestly, at the time the intent was to progress the
device-certs draft on its own and register those notations that way.
But then the WG stalled, and Werner kindly incorporated those
definitions into 4880bis.

Still, adding these to 4880bis does not add significant complexity to
the draft but DOES make a marked difference in its usability.  Please do
not remove these improvements.

> Kind regards,
> Wiktor
>
> [0] I did experiment with putting URIs in User IDs for extended info
> (https://github.com/wiktor-k/distributed-ids#distributed-ids)

Cool.  But not useful to me ;)

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
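
Added example, not part of the original message: the per-notation cost discussed in point 3, measured by serializing Notation Data signature subpackets in the RFC 4880 layout (section 5.2.3.16) with and without an "@domain" suffix. The name 'manu' and the domain 'device-certs.example' come from the quoted text; the other notation names and all values are constructed for illustration.

```python
import struct

NOTATION_DATA = 20      # signature subpacket type, RFC 4880 section 5.2.3.16
HUMAN_READABLE = 0x80   # first flag octet: the value is UTF-8 text


def subpacket_length(n: int) -> bytes:
    """Encode a subpacket length (type octet + body), RFC 4880 section 5.2.3.1."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def notation_subpacket(name: str, value: bytes, human_readable: bool = True) -> bytes:
    """Serialize one notation: flags(4) | name len(2) | value len(2) | name | value."""
    name_b = name.encode("utf-8")
    flags = bytes([HUMAN_READABLE if human_readable else 0, 0, 0, 0])
    body = flags + struct.pack(">HH", len(name_b), len(value)) + name_b + value
    return subpacket_length(1 + len(body)) + bytes([NOTATION_DATA]) + body


def notations_size(notations: dict, domain: str = "") -> int:
    """Total bytes the notations occupy in a signature's subpacket area."""
    suffix = "@" + domain if domain else ""
    return sum(len(notation_subpacket(n + suffix, v)) for n, v in notations.items())


def domain_overhead(notations: dict, domain: str) -> int:
    """Extra bytes paid for using name@domain instead of bare names."""
    return notations_size(notations, domain) - notations_size(notations)


# Constructed sample: only 'manu' appears in the thread; the rest are hypothetical.
SAMPLE = {
    "manu": b"Example Corp",
    "make": b"Widget",
    "model": b"W-100",
    "prodid": b"0001",
    "serialnum": b"SN12345678",
}
DOMAIN = "device-certs.example"  # domain taken from the quoted example

if __name__ == "__main__":
    bare = notations_size(SAMPLE)
    print("bare names:      ", bare, "bytes")
    print("name@domain:     ", notations_size(SAMPLE, DOMAIN), "bytes")
    print("domain overhead: ", domain_overhead(SAMPLE, DOMAIN), "bytes")
```

Each notation already carries 10 bytes of fixed framing (length, type, flags, two length fields), so the domain suffix is paid on top of that for every notation in the certificate.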