[openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
Daniel Huigens <d.huigens@protonmail.com> Fri, 13 September 2024 12:01 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57304C180B5C for <openpgp@ietfa.amsl.com>; Fri, 13 Sep 2024 05:01:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q18LMUU6Qfix for <openpgp@ietfa.amsl.com>; Fri, 13 Sep 2024 05:01:51 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5591C1654FE for <openpgp@ietf.org>; Fri, 13 Sep 2024 05:01:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1726228908; x=1726488108; bh=+S1oyGeH3KP5HInsdaM1XblRNoN3lJaJ/U+KkqaUGGk=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=afjCExz565okx9u1XUTfq+n5iqr2EumUMPzIijafRUH1sTuJxLDKhZVDIaSRSFoDE /C8DMFuhLpoI9ovrefwyso1wsE113iXnzxLatsiIZpbjC0oaSzwXhlgmYOaAeOgaMl Abq4ZfmudpD/lBk+Y8oQinw/YuEAa1D70kDeHy0RBSyxuRe4zuUwLghU4GzQb+Ti9v +HtMh37ELWe+4EHKySfZ15Z6/y26xe8kdEDYCEbvLBd5q5BM6tQC14UZEaduwnKZ3O BGdAuCJCJNha/sHjg1CEZk8wET/ZzySB5DachvDa4B4fpEfuTSInHWyh4aN5uQk5yP 0sIeAvMvqdfXw==
Date: Fri, 13 Sep 2024 12:01:43 +0000
To: Heiko Schäfer <heiko.schaefer@posteo.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <ePUGJvmji5T0hgZwyaCC6nYVhgPdTgd0wl_vaLWZFlkYUW_T5B13fTUevlWsxYEGeoSFtNvrkUjiENZSUG1BBhcijebhkI9hIWIZ4DX0zk0=@protonmail.com>
In-Reply-To: <0aa16b8d-e217-481a-b039-c64f3b92937f@posteo.de>
References: <I1AVKcpZIk0c47n7JbfpMHn0RmQv7YTkXvRC7JbH_MRPfKvd4V6jn50E0pIcaANbAZ4-khxFgIGLk5D1rDsJgPTQgvNoqbPzbj5WEd5rUc0=@protonmail.com> <5ED82E08-5973-4C4D-8726-49B24646DF2D@andrewg.com> <8dasmNRbHHCaM5m_appBMcCDLKuk4fT1CMnWZMmzAK77m_C4lRKIR1dlYqBzL9zW5CdFXUfv5LPuU46w5uMEGMtnN-cCxJaeGRzks0gQYC0=@pm.me> <0aa16b8d-e217-481a-b039-c64f3b92937f@posteo.de>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 70db842f5d8871cc1e24e3d23e0a8e7916075312
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_cKmL4RosJNEADCfVzT0r4lTP1PgNEuY1lUHXHRdo"
Message-ID-Hash: 33I3KMI4KLDHPSCQO23QJ7DIFEP4S6MU
X-Message-ID-Hash: 33I3KMI4KLDHPSCQO23QJ7DIFEP4S6MU
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Hj17iRnxOy47zYovK5D0K62XqYc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
OK, fair enough. Then, I want to try to go back to my original point: some people want this part, some people don't want it; ergo, should we split it up? :) Best, Daniel On Friday, September 13th, 2024 at 13:56, Heiko Schäfer <heiko.schaefer@posteo.de> wrote: > As Andrew outlined, in some of the existing PKI mechanisms, the fingerprint is currently the best/most specific lookup key. > It would seem unfortunate to me not to include the fingerprint in a replacement key mechanism (which is presumably often going to involve client software attempting to do PKI lookups). > > Heiko > > On 9/13/24 1:48 PM, Bart Butler wrote: > >> I’m fairly agnostic on this as long as we don’t make it optional and introduce yet another degree of freedom. One other advantage of not including the fingerprint would be to force implementations to verify using the imprint. But either approach is fine. >> >> On Fri, Sep 13, 2024 at 11:01 AM, Andrew Gallagher <[andrewg=40andrewg.com@dmarc.ietf.org](mailto:On Fri, Sep 13, 2024 at 11:01 AM, Andrew Gallagher <<a href=)> wrote: >> >>> On 13 Sep 2024, at 08:42, Daniel Huigens [<d.huigens@protonmail.com>](mailto:d.huigens@protonmail.com) wrote: >>>> >>>> In the email case specifically, you _could_ take it as a signal to say, >>>> "oh there's a replacement key, but I don't know where/which it is, >>>> so I need to go fetch this contact's keys again (by email address)". >>> >>> Sure, but I’m thinking specifically of the cases where lookup by email address isn’t efficient, e.g. if there is no WKD on the domain and there are a number of fake keys on the keyservers. If we compare with the design goal of trying to match the behaviour of subkeys as much as possible, leaving out fingerprints does complicate the lookup process in the general case. >>> >>> A >>> _______________________________________________ >>> openpgp mailing list -- openpgp@ietf.org >>> To unsubscribe send an email to openpgp-leave@ietf.org >> >> _______________________________________________ >> openpgp mailing list -- >> openpgp@ietf.org >> To unsubscribe send an email to >> openpgp-leave@ietf.org
- [openpgp] Splitting replacement keys subpacket in… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… iang
- [openpgp] Re: Splitting replacement keys subpacke… Justus Winter
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Heiko Schäfer
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Neal H. Walfield
- [openpgp] Re: Splitting replacement keys subpacke… Justus Winter
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens