Re: [openpgp] 1PA3PC: first-party attested third-party certifications (making Key Server Prefs no-modify actionable)
Werner Koch <wk@gnupg.org> Wed, 28 August 2019 07:55 UTC
Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE25120124 for <openpgp@ietfa.amsl.com>; Wed, 28 Aug 2019 00:55:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gnupg.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vlkc9XyDwmyc for <openpgp@ietfa.amsl.com>; Wed, 28 Aug 2019 00:55:10 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FFC01200A4 for <openpgp@ietf.org>; Wed, 28 Aug 2019 00:55:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org; s=20181017; h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date: References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=iJae0fFCq379T/N+71d7VTyxqBX4dCz6EB/k01UGTy0=; b=e+Xq5UwtwFxbytIGP5YpwceDIa adfiU/dk6/+u+OaDzhJ3CD7WH7VmLbQUouvPVOiA2s8F0NGbYUDMt9MnBgGRpHlpcd1Kjvqti5SHu okHRnU7/F/Bz+and/qVDO2jDU9ex13YdgPBkm6Dj0vK4TnqrQTYhle2H+hhphXmhLKSA=;
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.89 #1 (Debian)) id 1i2snN-000075-1h for <openpgp@ietf.org>; Wed, 28 Aug 2019 09:55:09 +0200
Received: from wk by wheatstone.g10code.de with local (Exim 4.92 #5 (Debian)) id 1i2slw-00055M-8t; Wed, 28 Aug 2019 09:53:40 +0200
From: Werner Koch <wk@gnupg.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: openpgp@ietf.org, Heiko Stamer <HeikoStamer@gmx.net>
References: <87tva1am9t.fsf@fifthhorseman.net>
Organisation: GnuPG e.V.
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
Mail-Followup-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org, Heiko Stamer <HeikoStamer@gmx.net>
Date: Wed, 28 Aug 2019 09:53:39 +0200
In-Reply-To: <87tva1am9t.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 28 Aug 2019 01:31:42 -0400")
Message-ID: <87blw94tfg.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=SGI_Emergency_e-bomb_S/Key_Recce_SAR_chameleon_man_dedicated_denial_"; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/FReSXvA6UJhcw3MVO7_ZP7R7pUA>
Subject: Re: [openpgp] 1PA3PC: first-party attested third-party certifications (making Key Server Prefs no-modify actionable)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 07:55:13 -0000
Hi, your idea is similar to what I had in mind and recently talked about with Kristian. I have some remarks so: Putting this into a standard-self signature is troublesome because this requires to update and distribute the self-signature as soon as one uploads to a keyserver. We need to have a way do include more key signatures. This can easily be done with several of such self-signatures using the same creation date or another mechanism to connect them. An upper limit on the number of such self-signatures may be suggested in the implementation nits. The requirement to sort the hashes is not really helpful because that requires that the implementation must check the order and decide what to do if they are not sorted. In practice the implementation will sort them anyway (in particular if several self-signatures are required). It should also be up to the implementation on how to match them. To accomplish this a new signature-class can be used just for this purpose. The subpacket definition should include a version number or digest algorithm to be future prove. We should of course use SHA-256 and not SHA-512. | #### Attested Certifications | | (1 octet with version number, | N octets of certification digests) | | The version octet MUST be 1 and the certification digests consists of | an array of 32 octets of a SHA-256 digest, each. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
- [openpgp] 1PA3PC: first-party attested third-part… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Werner Koch
- Re: [openpgp] 1PA3PC: first-party attested third-… Vincent Breitmoser
- Re: [openpgp] 1PA3PC: first-party attested third-… Vincent Breitmoser
- Re: [openpgp] 1PA3PC: first-party attested third-… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Ángel
- Re: [openpgp] 1PA3PC: first-party attested third-… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Werner Koch
- Re: [openpgp] 1PA3PC: first-party attested third-… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Benjamin Kaduk
- Re: [openpgp] 1PA3PC: first-party attested third-… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Daniel Kahn Gillmor
- Re: [openpgp] 1PA3PC: first-party attested third-… Werner Koch