IETF Logo Mail Archive

Re: [openpgp] v5 interoperability

Daniel Huigens <d.huigens@protonmail.com> Wed, 03 April 2024 09:33 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB20AC15108E for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2024 02:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iI6nCDSVh7pE for <openpgp@ietfa.amsl.com>; Wed, 3 Apr 2024 02:33:18 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3B6C14CE29 for <openpgp@ietf.org>; Wed, 3 Apr 2024 02:33:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1712136796; x=1712395996; bh=ais+GloHJGXGSRQhtnMVPvEJTLgicxZCLz1qqTxi8eE=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=HMBzwCmcxT50tMVoP/YtCbSTBozqWJjWQRVeMTnSBOmeyPf5QRiW0t87EihXqUoKh pLeq2Zz+XJM9q0xA2VVRbtH3Men/XsqGug2J8/452N4r+jkIVWbDNIuqmr+1EnRLBz 2qA7RZ4TB4ftR5JdV5ip8TNv6aOwUdZUERKUB9+q0Cs+IbmXInsy+qWZLfEx3YZHYc njPxBT+YtEoqeJSSbdQ+4jeUrzjtzo0nUngIVt1oz9xndLTIPUTbrIBjkwY03Xh259 f9MYY97B5cWg8XlZvaZcBI6osgTbp00EO4gmDmHVf8oqe3N0oCypAYxN5B+HMKhkfP 5qIITr2UDvsxA==
Date: Wed, 03 Apr 2024 09:33:11 +0000
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
Message-ID: <2OonUbUZ9iR9hDOxXli1u20qpPYokvk2XJ5-7O6XNryRr02pfydpgMFcyfwzYGb2NgmsD-H9cqvIc2CpW8CQlHu2i-E3Dqsts4ch1ECvs_A=@protonmail.com>
In-Reply-To: <EAE8D81F-05F6-4551-8878-80555709A4EF@andrewg.com>
References: <EAE8D81F-05F6-4551-8878-80555709A4EF@andrewg.com>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/KDz1b9nOCauxSCfdTkn4WgkcAVk>
Subject: Re: [openpgp] v5 interoperability
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 09:33:23 -0000

Hi Andrew,

The crypto refresh (officially speaking) doesn't know about the
existence of v5 keys. Thus, I'd argue v5 keys are by definition not
compliant with the crypto refresh (regardless of whether it's the whole
key or just a subkey). However, if you want to also implement another
standard or draft (e.g. draft-koch-librepgp) that declares such keys
legal, I'd say the crypto refresh by itself shouldn't stop you.

So practically speaking I would say, librepgp keys can be treated as
being orthogonal/parallel to crypto refresh keys, but to detect whether
something is a librepgp key, I guess you have to check whether any of
the key packets are v5, not just the primary key packet.

Best,
Daniel


On Tuesday, April 2nd, 2024 at 20:50, Andrew Gallagher wrote:

> Hi, all.
> 
> It came to my attention recently that recent versions of GnuPG are (under certain conditions) creating v5 subkeys and binding them to v4 keys. The use of mismatched subkey versions was not explicitly forbidden by rfc4880, but is forbidden in crypto-refresh.
> 
> So what is the proper way to treat such keys? They exist in the wild already, so cannot be ignored. I have been working on the assumption that v5 keys are orthogonal to crypto-refresh, and can therefore safely be treated in parallel, however a strict reading of crypto-refresh would mandate that such v5 subkeys should invalidate the key they are attached to:
> 
> > Every subkey for a v4 primary key MUST be a v4 subkey.
> 
> 
> https://openpgp-wg.gitlab.io/rfc4880bis/#section-10.1.3
> 
> This would appear to mean that if a keyserver presents a v4 key with a v5 subkey to a crypto-refresh compliant client, that client MUST ignore the entire key, which feels like overkill. Or should it merely ignore the offending subkey? If so, should we issue guidance to that effect?
> 
> In a thread on gnupg-users, Werner indicated that such mixing of subkey versions is longstanding behaviour, however there are vanishingly few historical examples in the wild:
> 
> https://lists.gnupg.org/pipermail/gnupg-users/2024-April/067039.html
> 
> A
> 
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email