Re: [openpgp] Key expiration ambiguity in rfc4880
Andrew Gallagher <andrewg@andrewg.com> Thu, 13 January 2022 11:23 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 942143A012A for <openpgp@ietfa.amsl.com>; Thu, 13 Jan 2022 03:23:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.813
X-Spam-Level:
X-Spam-Status: No, score=-2.813 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 819K6gr9eOXZ for <openpgp@ietfa.amsl.com>; Thu, 13 Jan 2022 03:23:16 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB3E63A0126 for <openpgp@ietf.org>; Thu, 13 Jan 2022 03:23:15 -0800 (PST)
Received: from [IPv6:fc93:5820:7375:ee79:1300::1] (fred [IPv6:fc93:5820:7375:ee79:1300::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 636965EC51 for <openpgp@ietf.org>; Thu, 13 Jan 2022 11:23:10 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1642072990; bh=bVI/8UlZy3dUCc6AS/MyO5P2hQnqHdMaHyW9Lo971fo=; h=To:References:From:Subject:Date:In-Reply-To:From; b=ICAqsg5JJqlhp3lO7iR63GtHDpHCvPi4ruvooyEjSmB2tl/sZuzvgG6WAFOun0NII ISJLYgm2HvgtOFsTVjWsPA2Jl59UaGTg2GV6Nv37vYF1DuqC1wjKEwu+PyDUnFpzMV qhhysn2y0q1GIe91u61XEL1QS4znoyRhnAMlz++3rWSIiWnTVvQO+FIyQ8qdLBLOmM /cJ41Y3vI39hsEcmjtiFVCkVqIjvMM0ic6Hhy6k781Wo8SAEhGM+G8ibd+RDDmovjf 8XnzsHnJys9F3Ra/b1m4d5WFrkt3UbRaQHSc3i/PPD7CciWNTxBUw0Tg/rORhhW27x W7Yp3Qw/dYdug==
To: openpgp@ietf.org
References: <fb1297d3-2aaa-1a2d-00a3-90f5e591143a@andrewg.com> <d478c4a5-e7f3-6935-83f8-f4145ba97a1c@andrewg.com>
From: Andrew Gallagher <andrewg@andrewg.com>
Message-ID: <340cd979-e799-c6a1-ff17-a7e7006dbbbc@andrewg.com>
Date: Thu, 13 Jan 2022 11:23:08 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <d478c4a5-e7f3-6935-83f8-f4145ba97a1c@andrewg.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="qcatrLV2HjvVSrkWqkNFzdSkGlyEcM4Ue"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/F9U95U2GOcjPR9DIoF5LNc4pLAU>
Subject: Re: [openpgp] Key expiration ambiguity in rfc4880
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jan 2022 11:23:19 -0000
On 08/01/2022 18:55, Andrew Gallagher wrote: > > I have opened a further issue 71 [1] to propose deprecating the tricky > and redundant "Key Expiration Time" subpacket in V5 signatures. The more often I re-read section 5.2.3.3 the more convinced I am that it should be rewritten in its entirety. We may not wish to be prescriptive about how signatures should be interpreted in an application context, but it is crucial for determining the properties of public keys themselves that *self*-sigs convey the intent of the key owner precisely and accurately. These are not crypto-refresh issues, so IMO we should park V5 sigs for now and wait for a re-charter so that we can unambiguously define the semantics of V5 self-sigs at the first attempt. Some obvious problems in the existing text include: ``` If the key is located by Key ID, the algorithm of the primary User ID of the key provides the preferred symmetric algorithm. ``` What happens if the self-sig over the primary user ID has expired but there are other unexpired UIDs? What if the other UID sigs disagree with each other? What if there is a direct sig? ``` An implementation that encounters multiple self-signatures on the same object may resolve the ambiguity in any way it sees fit, but it is RECOMMENDED that priority be given to the most recent self- signature. ``` IMO this should be a hard MUST. Further, we should state explicitly that multiple self-sigs over the same object MUST NOT have the same creation date, to avoid any ambiguity in the interpretation of their subpackets. As currently phrased, implementations are free to disagree on critical properties such as expiration dates. It has been argued that a key owner should be able to use multiple same-creation-date self-sigs to declare complex future scenarios (e.g. that different properties of a signable packet expire at different future dates) but IMO this adds significant and needless complexity - if you want to change the properties on some future date, then you can create a new self-sig on that date. We should also state explicitly how to interpret self-sigs with a creation date in the future - if for example they were allowed but silently ignored, then this would be a *much* more robust means of achieving the same effect. (Again and to be clear, applications may allow more complex signature semantics if it makes sense in the context; I am only talking here about self-sigs) ``` Revoking a self-signature or allowing it to expire has a semantic meaning that varies with the signature type. Revoking the self- signature on a User ID effectively retires that user name. The self- signature is a statement, "My name X is tied to my signing key K" and is corroborated by other users' certifications. If another user revokes their certification, they are effectively saying that they no longer believe that name and that key are tied together. Similarly, if the users themselves revoke their self-signature, then the users no longer go by that name, no longer have that email address, etc. Revoking a binding signature effectively retires that subkey. Revoking a direct-key signature cancels that signature. ``` This entire paragraph could be more efficiently and clearly expressed as: ``` Revoking a self-signature or allowing it to expire means that the self-signature MUST NOT be used after its expiry or revocation date, except for the purpose of validating a historical event (for example, to determine whether a document signature was valid at the time of its creation). ``` And I would consider adding something along the lines of: ``` However, if the Reason for Revocation subpacket of a revocation self-signature indicates "Key material has been compromised", then all self-signatures over the same packet MUST be treated as if they were never valid, even in a historical context. ``` We should also forbid all kinds of certification self-sig other than Positive Certification. What does it mean to make a Persona self-signature over a UID for example? That we aren't sure what our own name is? IMO there is sufficient ambiguity in the current specification of self-signature semantics that it is not always possible to definitively validate an arbitrary well-constructed TPK, so implementations are left to make their own guesses at how to treat corner cases. We should avoid carrying these problems forward into V5 self-sigs, and if we can't backport every clarification to V4 sigs due to existing implementation differences, at least state that it is RECOMMENDED to interpret V4 self-sigs in the same way as V5 wherever possible. -- Andrew Gallagher
- [openpgp] Key expiration ambiguity in rfc4880 Andrew Gallagher
- Re: [openpgp] Key expiration ambiguity in rfc4880 Andrew Gallagher
- Re: [openpgp] Key expiration ambiguity in rfc4880 Andrew Gallagher