Re: [openpgp] primary key binding signature requirement

Aron Wussler <aron@wussler.it> Fri, 02 December 2022 22:38 UTC

Date: Fri, 02 Dec 2022 22:38:05 +0000
To: "Neal H. Walfield" <neal@walfield.org>
From: Aron Wussler <aron@wussler.it>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
Message-ID: <4xf4guGg2quiLcVvBQI78yHRQmwuV3NK-tyKFMw9pdwv5MXBmgnAUIu0vDxYK0L8dz3zQdwV5JoPozx98gIoCtgFVbNBg03UQSt8YfE_7YM=@wussler.it>
In-Reply-To: <87v8mv4gfe.wl-neal@walfield.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LI8wzT_51O583nSIO8-1l1z2QfE>

Hi Neal,

> if a subkey binding signature includes the Key Flags subpacket and
> the certification capability (0x1) or the signing capability (0x2)
> is set, then the subkey binding signature must also contain a valid
> primary key binding signature issued by the subkey over the primary
> key.

I agree with this.

As a side note, I don't know whether we should allow subkeys to issue certifications.

In real life I found poor support for subkeys with certification capability. I found no real way to create such keys (without messing with them manually) and other implementations didn't understand certifications made from that key.

Maybe we should either forbid that entirely or explicitly support it.

Cheers,
Aron


--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930



------- Original Message -------
On Thursday, December 1st, 2022 at 10:33, Neal H. Walfield <neal@walfield.org> wrote:

> Section 11.1.1 Common requirements says:
>
> Each Subkey packet MUST be followed by one Signature packet, which
> should be a subkey binding signature issued by the top-level key.
> For subkeys that can issue signatures, the subkey binding signature
> MUST contain an Embedded Signature subpacket with a primary key
> binding signature (0x19) issued by the subkey on the top-level key.
>
> https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-11.1.4
>
> What does it mean for a subkey to issue signatures? I think
> authentication subkeys technically issue signatures, but they don't
> normally include a primary key binding signature. For instance,
> here's the `sq packet dump` output for an authentication-capable
> subkey created using gpg 2.2.27:
>
> Public-Subkey Packet, old CTB, 397 bytes
> Version: 4
> Creation time: 2022-12-01 09:26:21 UTC
> Pk algo: RSA
> Pk size: 3072 bits
> Fingerprint: 136ABFA01DD47269514F757B10F4A631F1CB5D14
> KeyID: 10F4A631F1CB5D14
>
> Signature Packet, old CTB, 438 bytes
> Version: 4
> Type: SubkeyBinding
> Pk algo: RSA
> Hash algo: SHA512
> Hashed area:
> Issuer Fingerprint: 188A993D54814E76FF988779E962990F14D5ACA4
> Signature creation time: 2022-12-01 09:26:21 UTC
> Key flags: A
> Unhashed area:
> Issuer: E962990F14D5ACA4
> Digest prefix: 3C63
> Level: 0 (signature over data)
>
> Should authentication-capable subkeys include a primary key binding
> signature? If not, perhaps it makes sense to change the language in
> 11.1.1 to say something like:
>
> if a subkey binding signature includes the Key Flags subpacket and
> the certification capability (0x1) or the signing capability (0x2)
> is set, then the subkey binding signature must also contain a valid
> primary key binding signature issued by the subkey over the primary
> key.
>
> Neal
>
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
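The rule Neal proposes above, implemented as an added example (this is not code from the thread, from GnuPG or from Sequoia): a Python checker that walks a binary OpenPGP key, takes the Signature packet that follows each Subkey packet, reads the Key Flags from the hashed area and, when the certification (0x01) or signing (0x02) bit is set, requires an Embedded Signature subpacket (type 32) that holds a Primary Key Binding signature (0x19). It treats certification-capable subkeys exactly like signing subkeys, which is the case Aron's side note bears on. Packet and subpacket layout follow RFC 4880; the key material used by `demo()` is constructed inline with dummy MPIs and a dummy digest prefix, so the example exercises structure only and leaves out the cryptographic verification of the back-signature (the subkey's signature over primary key and subkey). The names `check_key`, `check_subkey_binding`, `demo` and the builder helpers are this example's own.

```python
"""Added structural check for the rule proposed in the thread: a v4 Subkey Binding signature
(0x18) whose hashed Key Flags set certify (0x01) or sign (0x02) must carry an Embedded
Signature subpacket (32) holding a Primary Key Binding signature (0x19); authentication-only
(0x20) subkeys need none.  Cryptographic verification of the back-signature is not shown."""
import struct

TAG_SIGNATURE, TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY = 2, 7, 14
SIG_SUBKEY_BINDING, SIG_PRIMARY_KEY_BINDING = 0x18, 0x19
SP_CREATION_TIME, SP_KEY_FLAGS, SP_EMBEDDED_SIG = 2, 27, 32
FLAG_CERTIFY, FLAG_SIGN, FLAG_AUTH = 0x01, 0x02, 0x20

def _length(buf, pos, subpacket=False):
    """New-format packet length or subpacket length (RFC 4880 4.2.2 / 5.2.3.1)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    if first >= 224 and not subpacket:
        raise ValueError("partial body lengths are not supported")
    return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2

def iter_packets(blob):
    """Yield (tag, body) for each packet of a binary (dearmored) key."""
    pos = 0
    while pos < len(blob):
        ctb = blob[pos]
        if ctb & 0x40:                                   # new-format CTB
            tag, (length, pos) = ctb & 0x3F, _length(blob, pos + 1)
        elif ctb & 0x03 == 3:
            raise ValueError("indeterminate length is not supported")
        else:                                            # old-format CTB, 1/2/4-octet length
            tag, width = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length, pos = int.from_bytes(blob[pos + 1:pos + 1 + width], "big"), pos + 1 + width
        yield tag, blob[pos:pos + length]
        pos += length

def parse_subpackets(area):
    """Return [(type, body)] for a hashed or unhashed subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _length(area, pos, subpacket=True)
        out.append((area[pos] & 0x7F, area[pos + 1:pos + length]))   # bit 7 = critical
        pos += length
    return out

def parse_v4_signature(body):
    """Return {"type", "hashed", "unhashed"} for a v4 Signature packet body."""
    if not body or body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hashed_end = 6 + struct.unpack(">H", body[4:6])[0]
    unhashed_end = hashed_end + 2 + struct.unpack(">H", body[hashed_end:hashed_end + 2])[0]
    return {"type": body[1], "hashed": parse_subpackets(body[6:hashed_end]),
            "unhashed": parse_subpackets(body[hashed_end + 2:unhashed_end])}

def check_subkey_binding(body):
    """Apply the proposed rule to one binding-signature body; return (ok, reason)."""
    sig = parse_v4_signature(body)
    if sig["type"] != SIG_SUBKEY_BINDING:
        return False, "not a subkey binding signature (0x%02x)" % sig["type"]
    # Flags are read from the hashed area only; the unhashed area is not signed.
    flags = [b for t, b in sig["hashed"] if t == SP_KEY_FLAGS]
    kf = flags[0][0] if flags and flags[0] else 0
    if not kf & (FLAG_CERTIFY | FLAG_SIGN):
        return True, "key flags 0x%02x: no back-signature required" % kf
    # The 0x19 is issued by the subkey and verified on its own, so either area is accepted
    # (GnuPG, for one, emits it in the unhashed area).
    for t, emb in sig["hashed"] + sig["unhashed"]:
        try:
            if t == SP_EMBEDDED_SIG and parse_v4_signature(emb)["type"] == SIG_PRIMARY_KEY_BINDING:
                return True, "key flags 0x%02x: embedded 0x19 present" % kf
        except (ValueError, struct.error, IndexError):
            pass
    return False, "key flags 0x%02x but no embedded 0x19 signature" % kf

def check_key(blob):
    """Check the signature following each subkey packet; return [(packet_index, ok, reason)]."""
    results, pending = [], None
    for idx, (tag, body) in enumerate(iter_packets(blob)):
        if tag in (TAG_PUBLIC_SUBKEY, TAG_SECRET_SUBKEY):
            pending = idx
        elif tag == TAG_SIGNATURE and pending is not None:
            results.append((pending,) + check_subkey_binding(body))
            pending = None
    return results

def _subpacket(sp_type, payload):   # constructed test data from here on: structure only
    return bytes([len(payload) + 1, sp_type]) + payload                  # one-octet length

def _packet(tag, body):
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # old CTB

def build_v4_signature(sig_type, hashed, unhashed=b""):
    """v4 body: RSA/SHA-512 algorithm ids, dummy digest prefix 0x3c63, dummy 1-bit MPI."""
    return (bytes([4, sig_type, 1, 10]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x3c\x63\x00\x01\x01")

def demo():
    """Four constructed subkeys, one per case; returns {case: (ok, reason)}."""
    created = _subpacket(SP_CREATION_TIME, struct.pack(">I", 1669886781))  # 2022-12-01 09:26:21Z
    subkey = _packet(TAG_PUBLIC_SUBKEY, b"\x04" + created[2:] + b"\x01\x00\x01\x01\x00\x01\x01")
    backsig = _subpacket(SP_EMBEDDED_SIG, build_v4_signature(SIG_PRIMARY_KEY_BINDING, created))
    flags = lambda f: _subpacket(SP_KEY_FLAGS, bytes([f]))
    cases = [("auth_only", flags(FLAG_AUTH)), ("sign_with_backsig", flags(FLAG_SIGN) + backsig),
             ("sign_no_backsig", flags(FLAG_SIGN)), ("certify_no_backsig", flags(FLAG_CERTIFY))]
    blob = b"".join(subkey + _packet(TAG_SIGNATURE, build_v4_signature(SIG_SUBKEY_BINDING, created + h))
                    for _, h in cases)
    return {name: (ok, why) for (name, _), (_, ok, why) in zip(cases, check_key(blob))}
```

`demo()` passes the authentication-only subkey and the signing subkey with an embedded 0x19, and fails the signing and certification subkeys without one, which is the output Neal's `sq packet dump` key would also get (key flags A, no back-signature, accepted). To run it on real material, pass the binary output of `gpg --export <keyid>` to `check_key`; armored input must be dearmored first, and partial-length or indeterminate-length packets are rejected rather than parsed. A passing structural check is necessary but not sufficient: the embedded 0x19 still has to be verified as the subkey's signature over the primary key and subkey before the binding is trusted.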