Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
Andrew Gallagher <andrewg@andrewg.com> Wed, 24 April 2024 14:41 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 251DFC15152E for <openpgp@ietfa.amsl.com>; Wed, 24 Apr 2024 07:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yHKbXqIIv5bZ for <openpgp@ietfa.amsl.com>; Wed, 24 Apr 2024 07:41:39 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B2EC151099 for <openpgp@ietf.org>; Wed, 24 Apr 2024 07:41:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1713969691; bh=692vgHfTn4u7Pp6LeP5tWXTiLd/99tHL0DlLb2IWr6g=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=cwrpqrcQiykXZlZrELBhfxJ3OnOu0yCmRN/cnHkiwrp4D5XALc+tQKzAbNnuGhAiE q435LTAcO2+cg+DU/66WXoHt3F375hh0ZTty1jAVGwlgucz2o4ysRZIR+qU3tU7H+j /DBgwlgdPHB/Piqyj2OAlP7WhZhDGKoc4+UK05Ca5IorgqNJWxymAxe0Tp9/iabOg8 T6TlwKvcPfmQaiaMkQR08ldZ6k50n46An3Jx04nu4Ex12YWqJwgQ/GaQA7JvffhPY0 FbwlTZ6cB1okOqPNQlhpLuxbRaC4D3A/SptDAC1M3ZUnKOqbkBnYvdcyvyxkrXfs26 +mNS4yjHMPxfg==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 1C1505DCA6; Wed, 24 Apr 2024 14:41:31 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_781B805C-5664-4207-8328-109344F45985"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87frvhnhx0.fsf@fifthhorseman.net>
Date: Wed, 24 Apr 2024 15:41:12 +0100
Cc: Simon Josefsson <simon@josefsson.org>, openpgp@ietf.org
Message-Id: <74AAE7BF-BD6C-4F27-9BFF-A4AA972056A4@andrewg.com>
References: <87o7anhybr.fsf@fifthhorseman.net> <87jzkunest.fsf@fifthhorseman.net> <87y199g67k.fsf@kaka.sjd.se> <A0B535B4-215B-4159-9F39-0D33C24ECF2F@andrewg.com> <87frvhnhx0.fsf@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/G5jEMfQE-yB2q_YnAdQ9DhJkwYM>
Subject: Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2024 14:41:44 -0000
On 19 Apr 2024, at 22:47, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > On Fri 2024-04-19 11:59:52 +0100, Andrew Gallagher wrote: >> On 19 Apr 2024, at 08:30, Simon Josefsson wrote: >>> Two rough outlines of problem statements: >>> >>> 1) replace human written key transition documents >>> >>> 2) enable automatic non-interactive upgrades to PQ keys > > […] > >> I don’t believe that use cases 1 and 2 are in conflict, I think they >> are clearly distinguished by whether the old key remains valid or is >> expired/revoked. > > fwiw, i don't expect an OpenPGP tranition document (case 1) to require > that the old key be expired/revoked. Common practice for a transition > document for Alice seems to be that Alice leaves her old certificate > valid while she gathers certifications on her new certificate. You’re using “transition document” to mean the document that asks people to *sign* the new key, not the one that tells people to *use* the new key. I see the transition process as starting with scenario 2 (original key not revoked) and migrating to scenario 1 (revoked) over time. While this proposal would not be able to automate the process of gathering third-party signatures, it does represent the relationship between the old and new keys in a standard form. > There may well be multiple stages to a transition. From the perspective > of the keyholder, here's an exhaustive list of the possible steps i can > think of, roughly in the order that it seems reasonable to take them: > > 1. publish intent-to-expire on old cert > 2. create new cert If “intent to expire” means “I intend to expire this key at some point in favour of another key”, then this is equivalent to scenario 2 above - but we have to create the new key first so we can include its fingerprint in the replacement key subpacket. > 3. configure local tooling to use new cert as well as old for decryption > 4. distribute new cert to gather 3rd-party certifications ("transition document") This document would need to be signed by the old key (at least), and include both certs (including the replacement key subpacket). Is there a standard format? > 5. configure local tooling to use new cert as well as old for signing > 6. publish new cert (with 3rd-party certifications) in standard(?) channels > 7. add replacement information to old cert, re-publish old cert We shouldn't wait until this stage to publish the replacement-key indirection, it should be done at step 2 above. The replacement-key subpacket on the self-sig is sufficient for both purposes - it won’t be publicly available and/or verifiable until step 6, so in general clients shouldn’t be using it before then. > 8. configure local tooling to not use old cert for signing > 9. revoke old cert At this point we move to scenario 1. > 10. destroy signing-capable secret key material from old cert > 11. publish revoked old cert > 12. harvest and retain session keys for encrypted data deemed worth keeping > 13. destroy decryption-capable secret key material from old cert The order of these parts are flexible, and well outside the scope here :-) > And, depending on the outcome of some of these steps, you might want to > roll the process back somehow. Up until the point that the old key is revoked, the indirection can be rolled back by making a new self-sig that lacks the RK subpacket. > Do you think the use cases section (in the pending MR) of the draft > could be a place to work through these steps, from the keyholder side? Potentially yes, but I’m wary of turning this draft into a HOWTO document… :-) > It would be useful to think through the interactions between the > keyholder's steps and the steps taken by the peer, who is relying on the > certificate(s) as well. Which peer is this? If you mean the certifying peer, then it might be better dealt with elsewhere - key signing best practices are a whole other set of processes and questions. If you mean an arbitrary correspondent, then their software should be able to update automatically. >> A receiving implementation that first validates both keys and then >> orders them according to the replacement key indirection will behave >> sensibly in either case. > > I think teasing that apart a bit more could be useful. > > In practice, it isn't uncommon for people use OpenPGP in a sort of TOFU > (or YOLO) fashion, where "meh, it's better than cleartext, we'll see > whether it works" seems to be the operating principle. Key distribution methods that carry implicit trust (such as Autocrypt and WKD) do not strictly require a key replacement mechanism, however implementations that perform TOFU should(!) normally warn if they see that a key has changed. In such a scenario the key replacement subpacket could suppress the TOFU key-change warning. Distributing the sig with the replacement key subpacket would be an interesting challenge though - for example WKD does not allow for both the old and new keys to be served simultaneously. GnuPG’s WKD implementation does allow for martian sigs to be appended to the served key, and reattached to the correct key on receipt. IMO this is kludgy and should be properly specified in the WKD draft using a more robust mechanism. Autocrypt would probably support the inclusion of two keys in principle, although space constraints may be a concern. A
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- [openpgp] Call for adoption of draft-gallagher-op… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Stephen Farrell
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Heiko Schäfer
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Falko Strenzke
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Huigens
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Huigens
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Huigens
- Re: [openpgp] Call for adoption of draft-gallaghe… Bart Butler
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Daniel Huigens
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Falko Strenzke
- [openpgp] Re: Call for adoption of draft-gallaghe… Falko Strenzke
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Simon Josefsson
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Falko Strenzke
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher