[openpgp] Clarification re subkey binding sigs?

Andrew Gallagher <andrewg@andrewg.com> Mon, 15 May 2023 16:36 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A4A5C17CE93 for <openpgp@ietfa.amsl.com>; Mon, 15 May 2023 09:36:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aEKUHjRspg_4 for <openpgp@ietfa.amsl.com>; Mon, 15 May 2023 09:36:51 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DB59C14CEFF for <openpgp@ietf.org>; Mon, 15 May 2023 09:36:50 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by fum.andrewg.com (Postfix) with ESMTPSA id DF0145F72E for <openpgp@ietf.org>; Mon, 15 May 2023 16:36:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1684168607; bh=GHo3nf6oOu62sBuxyXm0sjSfw5qA4WJ66GLQ/rpg0Hw=; h=From:Subject:Date:To:From; b=XQCC16CPcm0LAEZPDUi89vEZouWtEfREQVjRV/jGiGmSSXlaPAJnLdFCIAwccyOaG zpysIbpemwKscJKHAjjUraHsR72YhqiKzMtunxDrQ3Z1Ggyb2jXX6WJ5QKHadbY8M+ p4EPurxWjYka4mKNltj2u/5A4L+OOgrKOvBPn4DTEtNiXMV51exiXqJ18Ha55ISTTR FT5P4KEsqnW8hBX8tCugV4s9kHd8fLUbU66E5nMymX2gKg2Zi5ZW/Tx5U3IfbBqHC+ Qei8iZw2SfYd3ENLFUPVMMSuWYy3FjLdwNIIGLQTPcLJMVQffycZD1RjZabeSeghGI Neexihvp8L2hw==
From: Andrew Gallagher <andrewg@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_8894F038-2553-4126-BE92-26C69935A6C6"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Message-Id: <EC32FB38-DD71-4DE1-8E9D-70E5D3DD2E9D@andrewg.com>
Date: Mon, 15 May 2023 17:36:28 +0100
To: IETF OpenPGP WG <openpgp@ietf.org>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/EL5DpfmUnN2juG_mvQR7uIKlVh0>
Subject: [openpgp] Clarification re subkey binding sigs?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2023 16:36:55 -0000

Hi, all.

I notice that the latest draft does not include a paragraph about subkey binding signatures in the V6 TPK definition (section 11.1.1) to match the one in V4 (11.1.2). The V4 text reads:

```
A subkey always has at least one subkey binding signature after it that is issued using the primary key to tie the two keys together. These binding signatures may be in either v3 or v4 format, but SHOULD be in v4 format. Subkeys that can issue signatures MUST have a v4 binding signature due to the REQUIRED embedded primary key binding signature.
```

I believe we should insert a similar, but stricter, statement in section 11.1.1:

```
A subkey MUST have at least one subkey binding signature.
A subkey binding signature MUST be a self-signature.
Every self-signature on a v6 key MUST be a v6 signature.
```

It makes no sense for a self-sig to be of a different version than its key, yet there are several v4 keys in the wild that use v3 sbind sigs, which has had confusing consequences now that v3 is deprecated but not v4. I would prefer to lock this edge case down in advance for v6.

It might also be advisable to explicitly state that v6 keys MUST only ever make v6 signatures in any context.

A