IETF Logo Mail Archive

Re: [openpgp] To bind or not to bind

Justus Winter <justus@sequoia-pgp.org> Wed, 27 March 2024 11:03 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F4B1C14F694 for <openpgp@ietfa.amsl.com>; Wed, 27 Mar 2024 04:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKC_nJuMhY-V for <openpgp@ietfa.amsl.com>; Wed, 27 Mar 2024 04:03:42 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0ACB1C14F68C for <openpgp@ietf.org>; Wed, 27 Mar 2024 04:03:40 -0700 (PDT)
Received: (qmail 17169 invoked by uid 500); 27 Mar 2024 11:03:38 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Wed, 27 Mar 2024 12:03:38 +0100
From: Justus Winter <justus@sequoia-pgp.org>
To: Falko Strenzke <falko.strenzke@mtg.de>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
Cc: Aron Wussler <aron@wussler.it>, openpgp@ietf.org
In-Reply-To: <14a80b96-9860-461d-b9fe-e38e3bf651b1@mtg.de>
References: <87a5mqi0xi.fsf@europ.lan> <23B46D65-EAF7-43D0-A5F1-04D28B698559@andrewg.com> <87sf0h32d3.fsf@fifthhorseman.net> <cd9a18d9-2d13-48d2-98e0-2ae268f68215@mtg.de> <87y1a6has4.fsf@europ.lan> <14a80b96-9860-461d-b9fe-e38e3bf651b1@mtg.de>
Date: Wed, 27 Mar 2024 12:03:36 +0100
Message-ID: <87v858gcmv.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: ---
X-Rspamd-Report: BAYES_HAM(-2.122106) SIGNED_PGP(-2) MIME_GOOD(-0.2) R_MISSING_CHARSET(0.5)
X-Rspamd-Score: -3.822106
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from:to:cc:subject:date; bh=T7MxuO4W6ps9d5cl5XSq+RhZ68yLnxJKjrI8u1Ue3Nk=; b=g345Y/9tnbOW3vE4qlIRbvYEzaUz5Oj3nyAQTc8cMXTYnAcDy0mMqmhdtxZ7ZiVpUV/bOk/r/f OdNaXCLK3um5t2LC7m3w+z8qDHRQmyacTAJ8RFkofbw/3s/vmPCdp2MiSxCnvYeq7RqpBxPZgvgV tRO/LWysugpZUuNyKNbRX3JpNUi6jTvtCLAl522lcb4di0MbAdCbUANxPjDpZtBsXybkEqPbyPfa /KbsVAWSzR8704+OPpTQXomNB1pg6Ncm02zmkAeLIkYFM0wPHye1e/GL0058JdH8FU20EC0UOITg pmuk5+L0gynIiu2GCUXr7B02yZXDvxRnN+v6c18N5WWsZ32RjKJW3pIKX02rcOTK1FZVprRihWvI PbOiXm7VP4YpkM3DT+efgu++Pb/KhvAFNgJH8Ro+UEjKE0Aa3stLiTURUC5ucVUzVnfK6HMPFKL/ n2p/1DhQ6r2gqDIvTi5LlWged+XilbPSapIGV7j0EemfRInjT2gn9UUwiDk8hJ4MajEUhkXi3uzc N+MCFb0/qOmD4yMcMQNvxIq2itBVkjsi0JCpP5PE5DHbeOyGlvV10LvEAMfbXVbg4sCX1UpWyE+M vq7gYrYlSRBEdVZZH678mDY1p3VORPS/OoPVSkdz8T8NqHSlqUgZKa/7U7kTYOgxfy2SvBL6Ymst c=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/GOH-Cc2nxsrCPYlD3pfpdoCyfXU>
Subject: Re: [openpgp] To bind or not to bind
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 11:03:47 -0000

Hi Falko :)

Falko Strenzke <falko.strenzke@mtg.de> writes:

> Am 25.03.24 um 11:21 schrieb Justus Winter:
>>> Based on what you write and what I can see in PGPy's GitHub repository,
>>> it seems PGPy has to be considered as unmaintained. In that case it
>>> should not be considered in the interop tests.
>> We're trying to understand how the existing v4 ecosystem will react to
>> introducing an as-of-yet unknown algorithms with as-of-yet unseen
>> artifact encodings to v4 certificates.
>>
>> Whether or not an implementation is actively maintained seems to be
>> irrelevant to that question.
>>
>> Or, one could even argue that not inadvertently breaking unmaintained
>> implementations is more important.  Along those lines, Aron has been
>> arguing that gopenpgp reacting badly to unknown algorithms isn't that
>> bad because gopenpgp is actively maintained.
>
> But here we are weighing the two possibilities
>
> 1) introduce PQC encryption already in v4
> 2) introduce PQC encryption only in v6.
>
> PGPy being unmaintained will block either route. So I don't see that the 
> failing interop test is an argument for for 2).

It is true that if I create a new v4 key and add a PQC encryption subkey
to it, it will not work with current versions of PGPy (or GopenPGPv2),
and that is true also if I create a new v6 key (with or without PQC
encryption subkey).

But, I could also add a PQC encryption subkey to my *existing* v4 key.
In this case, I think it is not unreasonable to expect it to continue to
work with PGPy (or GopenPGPv2), but it does not.  Worse, when a user
discovers this, it is hard to impossible to undo this mistake: revoking
the PQC encryption subkey (likely, I haven't checked) does not help, and
manually stripping the PQC encryption subkey and binding signature may
help, but can be undone at any point by any kind of cert
synchronization.

Therefore, I believe that allowing PQC encryption subkeys being added to
v4 keys is a giant footgun that inflicts irreparable damage to peoples
existing v4 keys.

Best,
Justus

v2.23.0 | Report a Bug | By Email