IETF Logo Mail Archive

[openpgp] Encryption subkey selection

Justus Winter <justus@sequoia-pgp.org> Sun, 06 April 2025 10:27 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 61319180FDA7 for <openpgp@mail2.ietf.org>; Sun, 6 Apr 2025 03:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.697
X-Spam-Level:
X-Spam-Status: No, score=-0.697 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (4096-bit key) header.d=sequoia-pgp.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tJ4R-BNMrTfJ for <openpgp@mail2.ietf.org>; Sun, 6 Apr 2025 03:27:41 -0700 (PDT)
Received: from mailgate02.uberspace.is (mailgate02.uberspace.is [185.26.156.114]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 678B2180FD9F for <openpgp@ietf.org>; Sun, 6 Apr 2025 03:27:40 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) by mailgate02.uberspace.is (Postfix) with ESMTPS id 9B36D17FFDC for <openpgp@ietf.org>; Sun, 6 Apr 2025 12:27:39 +0200 (CEST)
Received: (qmail 619 invoked by uid 500); 6 Apr 2025 10:27:39 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Sun, 06 Apr 2025 12:27:39 +0200
From: Justus Winter <justus@sequoia-pgp.org>
To: openpgp@ietf.org
Date: Sun, 06 Apr 2025 12:27:38 +0200
Message-ID: <87h631mvol.fsf@thinbox>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: -
X-Rspamd-Report: BAYES_HAM(-0.091815) MID_RHS_NOT_FQDN(0.5) SIGNED_PGP(-2) MIME_GOOD(-0.2)
X-Rspamd-Score: -1.791815
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from:to:subject:date; bh=WR0+gPmd4LAGjcdsruI7jg5kpvE42e9tOHfX71oWd6M=; b=OZ/JoQkJJcuyhnT6jqwbJgHDXXiK8dvUfvgjqhDXENRcu8y46IzEOD+HD30OmvHwqWfP0LdPT3 3XIlNU1dRb7zSwZvf6REyrsvaQvy7fo88D7ur9o2OHO06pYn3dgRLtMSA/xlFQHQm/ehElDOB0jS iwV97jm7NdHMupbjCPiskYQp0imOrxMddDsQscpqkpxP9dpRdnrgvk+wpEk7pQj9tCEhs0O/t+At +abXl3oLoCPR4fjvla0j6S2N1lQJoAI1szD1CJa0k1/ulbYch47AWEes/UqkOmM0YbFTIJaw1YeX rQ0clmKPltH/dajGNkZQ+KDjN0YCtuiHekC1N3oFJqia9yh617nYD5u/T8tIjjc2bzOeSSWBvZdL d1zZLPW1JbdmmX3eUzOsPWk/tUDPuz0gBc0L8WTJYFGH7xY3N+XyT2IK6ZdoclLJEzhHr1LMn90h 2aUfaMUU85V0ErKk/9rHB88CnZ2+2AZ2Xw3sJB5Zf5f9c7lkVbRCoJETZNxFLC7yrIUnPjlLU3J1 M29cTJ88SjnHyccy1/ZFww6YvTOhmnffbzCy78/5DS4sl0wH/tHhz9RtLnSzVp+m8ESF1y7tio7K TrvE8IPXQBLwxHWP/yOAPd21qeq3khp8HzdOiVkgehKSY+LyMqPdMdp+5EC5cKfm9+K++4LldwNI c=
Message-ID-Hash: M5ZZLSLSHPIB55AMFNNJX3TFJ5D7QNWN
X-Message-ID-Hash: M5ZZLSLSHPIB55AMFNNJX3TFJ5D7QNWN
X-MailFrom: justus@sequoia-pgp.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Encryption subkey selection
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/FMzCI78v8fcRyGovPHpv8ZvxVnI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hello,

at the OpenPGP email summit, we had a session about encryption subkey
selection.

The question is: given an OpenPGP certificate with more than one
(usable, non-expired, non-revoked) encryption subkey, which one(s) do
you use when encrypting a message for that certificate.

We started by charting the existing implementation behaviors.  We were
aware of three classes of behavior, which we will name Proton,
OpenKeyChain, and GnuPG.  (To clarify, that shouldn't be seen as more
than picking recognizable handles for classes of behavior by reusing
the name of well known implementations/organizations representing
their respective class.)

  - Proton (OpenPGP.js, GopenPGP, RNP) use the key creation time as
    metric, and uses the newest encryption subkey.

  - OpenKeyChain (also all of Sequoia's frontends) use all encryption
    subkeys.

  - GnuPG uses the key creation time as metric, and uses the newest
    encryption subkey, but it also takes the algorithm into account,
    and at least prefers ECC over RSA (this may have changed, or work
    slightly differently, but the point is that there is a more
    complex metric than just looking at the key creation time).

From this survey it seems clear that the status quo is not great: at
least we want the ecosystem to behave consistently and predictably.
But, converging on a single model would be a lot easier if that model
would cater to the various needs.

Then, we formulated properties that we like to have, and asked whether
the above models give us these properties, under the assumption that
the ecosystem agreed to use the given model.

The properties are all from the perspective of the certificate holder,
who we think should have a say over the choice of subkey selection
behavior by the peers encrypting messages for her.

  - Pick one: can the certificate holder express the wish that the
    sender uses at most one subkey?

    - Use cases: this is the status quo for many implementations, and
      the "at most 1" part is important if you hope to do transitions,
      i.e. transition to newer algorithms and stop using older ones).

  - Pick a set: can the certificate holder express the wish that the
    sender uses a set of subkeys?

    - Use cases: some forms of multi-device support.

  - Migrations: can the certificate holder express the wish to migrate
    to newer subkeys?

    - Use cases: opportunistic upgrade to newer algorithms.

Finally, we discussed potential models, and evaluated them under the
properties we identified.

  - Rank: have an explicit rank, and specify an algorithm how to chose
    using that.  The exact details are yet to be determined, but
    notably it should have the property that if subkeys tie on this
    metric, all of them are used.

  - Flag: rank over {0, 1}.

  - List of sets of subkeys: pick the first set that is usable for
    encryption (using all keys in the set).  If there is no such set,
    fail.

These are the results:

    |  Models     |  Pick 1?  |  Pick set?  |   Migrations?  |
    |-------------|:---------:|:-----------:|:--------------:|
    |  Proton     |    ✓*     |     ✗       |       ✓⸸       |
    |  GnuPG      |   (✓)†    |     ✗       |      (✓)†⸸     |
    |  OKC/"All"  |    ✓      |     ✓       |       ✗        |
    |             |           |             |                |
    |  Rank       |    ✓      |     ✓       |       ✓        |
    |  Flag       |    ✓      |     ✓       |       1‡       |
    |  List       |    ✓      |     ✓       |       ✓        |

Where:

  - * By lying about the creation time, potentially
  - ⸸ If you only have a single device/key
  - † If your preference matches GnuPG's hardcoded algorithm preference
  - ‡ One migration at a time is possible; a multi-step migration
    (e.g. RSA -> ECC -> PQC) is not possible

As usual, the devil is in the details, and time was running out, and
we didn't even get to the mechanism discussion yet.  But, the rough
agreement in the room was that the status quo should be improved, the
"Flag" model is probably too restrictive, the "List" model is overly
expressive and doesn't seem to offer an advantage over the "Rank"
model.

To make the discussion more concrete, I'm going to propose a
mechanism.

  - We add a signature subpacket that can be added to subkey binding
    signatures.  The subpacket body is a single octet representing an
    unsigned integer, the rank.

  - When encrypting a message for a cert that uses this mechanism:

    (Where "uses this mechanism" means that all non-expired,
    non-revoked encryption subkeys have a valid binding signature with
    the rank subpacket.)

    1. sort the subkeys by the rank
    2. if the list is empty, fail
    3. consider the subkeys with the highest rank
    4. attempt encryption for the subkeys with the highest rank
    5. if none of the considered subkeys were usable for encryption,
       remove them, and go to step 2
    6. construct PKESK packets for every successful encryption, and
       continue to encrypt the message (i.e. do the same for other
       recipient certs, or encrypt the payload).

  - Open questions (that I can immediately think of, but please speak
    up if you have more):

    - I think this can be extended to encryption subkey selection over
      certificate equivalence groups (see the OpenPGP Key Replacement
      draft) by adding a rank parameter to every equivalence binding
      signature (essrank_cert), then modify the above procedure to
      sort by (essrank_cert, essrank_subkey).

    - What should we do for existing certificates that do not use this
      mechanism?  I guess the path of least resistance is to keep
      doing whatever the implementation currently does.

[Notes from the session:
 https://www.openpgp.org/community/email-summit/2025/minutes/#encryption-subkey-selection-justus ]


Best,
Justus

v2.30.2 | Report a Bug | By Email | System Status