IETF Logo Mail Archive

Re: [openpgp] Overhauling User IDs / Standardizing User Attributes

Leo Gaspard <ietf@leo.gaspard.ninja> Wed, 27 June 2018 14:56 UTC

Return-Path: <ietf@leo.gaspard.ninja>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3273E130DE9 for <openpgp@ietfa.amsl.com>; Wed, 27 Jun 2018 07:56:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=leo.gaspard.ninja
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rAj7mThnCNBH for <openpgp@ietfa.amsl.com>; Wed, 27 Jun 2018 07:56:43 -0700 (PDT)
Received: from smtp.gaspard.ninja (grym.ekleog.org [94.23.42.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42956130DE8 for <openpgp@ietf.org>; Wed, 27 Jun 2018 07:56:42 -0700 (PDT)
Received: by smtp.gaspard.ninja (OpenSMTPD) with ESMTP id dd181a0f for <openpgp@ietf.org>; Wed, 27 Jun 2018 14:56:39 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=leo.gaspard.ninja; h=subject:to:references:from:message-id:date:mime-version :in-reply-to:content-type:content-transfer-encoding; s= grym-20170528; bh=roTotZ5UQiXZ41Idm6iyV5YLApg=; b=GMt3omGAbyVvI9 w2xE26Omj8mIr33d00T+EHnx9lewb8kH0W65OEcFKXXi6j+SFF0rz0yTTwn4X3On eiJTsqpXHHbK5eYBiUmTElSXwU7us80rfsxCKjjLqVahIKlh60xh5lzQb8W5R50J nROM3TVec/hoZ0f0KL95yWbB1V7eE=
Received: by smtp.gaspard.ninja (OpenSMTPD) with ESMTPSA id 99efb2cc (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128:NO) for <openpgp@ietf.org>; Wed, 27 Jun 2018 14:56:39 +0000 (UTC)
To: openpgp@ietf.org
References: <39e598e1-2bc0-32c9-3489-4bb6ca2a631b@leo.gaspard.ninja> <871sdw24yd.wl-neal@walfield.org> <c2e6bbe7-0694-8193-bb76-dd50fde7d967@leo.gaspard.ninja> <d28d8f8b-b261-eb29-97bc-9c7159a62ce6@leo.gaspard.ninja> <67153bb3-8ec7-5b30-3d11-22fce0681b47@metacode.biz> <2d737acb-0ce9-b703-ceb9-29c9a2ef2c0e@leo.gaspard.ninja> <6f540f57-637c-f94c-4001-96ea9d14007f@metacode.biz> <fcb5b381-b8d2-79a2-383c-b9eb7b556307@leo.gaspard.ninja> <16e7c274-80d2-e35b-2d3a-a70bf39ebddc@metacode.biz> <CAHRa8=VTC1n735fdrBsUHOfBc1PKDKG74J16D9D52Q18Vbeq6Q@mail.gmail.com>
From: Leo Gaspard <ietf@leo.gaspard.ninja>
Message-ID: <60e169b8-7f49-d453-56db-c4220a38cfc2@leo.gaspard.ninja>
Date: Wed, 27 Jun 2018 16:56:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CAHRa8=VTC1n735fdrBsUHOfBc1PKDKG74J16D9D52Q18Vbeq6Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/O8JI6ztT_rckNkLnGNYeboZ0I_o>
Subject: Re: [openpgp] Overhauling User IDs / Standardizing User Attributes
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 14:56:47 -0000

On 06/27/2018 03:56 PM, Wyllys Ingersoll wrote:
> The problem I see with all of these suggestions is that there is no way to
> actually "verify" the data that someone puts into these fields without some
> sort of standardized and trusted verification service, which is way out of
> scope for the OpenPGP spec.

Well, verifying the data that someone puts into these fields is out of
the scope of the OpenPGP spec just as much as verifying the data that
people put into User ID fields is out of scope of the OpenPGP spec.

The difference is that currently the spec is actively hostile to any
kind of eg. automated verification of email addresses, by coupling names
with email addresses :)

> Also, adding many more user attributes *will*
> complicate UIs beyond gnupg and enigmail. Consider mobile applications such
> as ipgmail [mine] and others where screen real estate is at a premium and
> users dont want to type lots of info into complex forms that are not well
> understood by the average user.

Indeed it will complicate the code of UIs. But I'm not sure it wouldn't
lead to more usability and security in the end, just because UIs could
still display data “the old way” if they want, but they could also
display a well-thought subset of the information, eg. displaying only
the name if it's validated, or only the email if the email is validated,
thus even winning screen estate.

About “complex forms”, if I compare:

    Name:  [             ]
    Email: [             ] [+]

With:

    User ID: [ type in your User ID in Name <Email> format ] [+]

Then I know I find the first much easier :) And actually it even wins
screen horizontal real estate, which is quite a bit more precious than
screen vertical real estate on mobile devices.

> The whole "web of trust" is not really
> codified or enforced in a formal way, its pretty much up to individuals to
> decide on the trust level they want to assign to a key (or userids
> associated with the key), many users ignore it entirely and happily use the
> key and assume the UID is correct.  Why would this be any better?

Well, if users just assume the User ID is correct, then splitting the
User ID into User Attributes isn't going to help them (but won't make
them worse off).

However, for people who actually check things before they sign keys and
verify validity of the keys, then the change would make signature much
easier, and thus would increase the likelihood of having a validated key
for a random email address they'd want to speak to.

(note: I've answered this part of your message by assuming by “trust
level” you meant “validity”, if that wasn't what you meant then I'm
sorry I misunderstood)

> Im not convinced that the proposal to break up the UID into lots of
> separate attributes is enhancing the security or usability for the general
> PGP user community, though I can see it having value in some specialized
> cases and perhaps it could be a foundation for building a better
> trust/verification system.

Well, for direct users, it should change relatively little, apart from
at signature time, where “to be signed” elements would be presented by
User Attribute and not by User ID.

It could change a bit in interfaces, where an example UI would be to
only display validated User Attributes that match the From: header, for
instance, for emails.

It could also help projects, where, if I'm a project and I sign the key
of a contributor, I want to sign their key as “yes this is a member of
the project”, not to sign their identity, because I maybe haven't
checked the real-world identity of the developer I'm giving commit
rights, and only looked at the key's history of making good commits.

All this could help particularly in relation to scoped trust, allowing
to trust certain keys only for signatures on certain User Attributes,
eg. allowing a GitHub official key to sign all “free form tag=value”
User Attributes for which “tag” is “github”. Which would be next to
impossible to do without at least a minimal amount of standardization in
User Attributes, as is currently the case with everyone misusing User
IDs everyone with their custom scheme for this purpose :)

v2.23.0 | Report a Bug | By Email