IETF Logo Mail Archive

[openpgp] v5 interoperability

Andrew Gallagher <andrewg@andrewg.com> Tue, 02 April 2024 18:50 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7B6C14F680 for <openpgp@ietfa.amsl.com>; Tue, 2 Apr 2024 11:50:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2J3M8LrxYAm for <openpgp@ietfa.amsl.com>; Tue, 2 Apr 2024 11:50:43 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3560EC14F6AD for <openpgp@ietf.org>; Tue, 2 Apr 2024 11:50:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1712083839; bh=kKYpLgmVBa4dLyHdx+VPbHm6OQudeV70qXtJsgIPoHo=; h=From:Subject:Date:To:From; b=oMebOHg2JQ40Z7U2rRIlqUMx+dAB8pmqQzlV1cKR2DDnXij+2COgXl76jMTrLkXxK IFWUn8q91Ddzaz5L1tEMHL9301taTKezj/gZBGAtn4/eFKaoWWs0KXpUN3ZA3l9km7 2hMyG1xZgdFFjvIkhO4YJ3ZvJ9q9lBj5h5qy6guFkfhMDjAbWQ7xK0l0+BlpGfyh5y n670SPrkq1XSJv0VF9Rda+5utEjsjyvdEjqJafvQz90ATpBkebF7S8P9W5QIhpQPP5 xxBEYsFvrl5Tzb5ziwU2xRZgcSOCzSmVk0WIOGpdED67AQu9thX3q5P0qK8vMw3hXT cTEuqklcJQiQg==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 937E45DC4C for <openpgp@ietf.org>; Tue, 2 Apr 2024 18:50:39 +0000 (UTC)
From: Andrew Gallagher <andrewg@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_4EA38216-95C5-4969-A135-E519FCFCCD1E"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
Message-Id: <EAE8D81F-05F6-4551-8878-80555709A4EF@andrewg.com>
Date: Tue, 02 Apr 2024 19:50:21 +0100
To: IETF OpenPGP WG <openpgp@ietf.org>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/OmrGaDWxZ48JX73MAPguAmtNOUE>
Subject: [openpgp] v5 interoperability
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 18:50:48 -0000

Hi, all.

It came to my attention recently that recent versions of GnuPG are (under certain conditions) creating v5 subkeys and binding them to v4 keys. The use of mismatched subkey versions was not explicitly forbidden by rfc4880, but is forbidden in crypto-refresh.

So what is the proper way to treat such keys? They exist in the wild already, so cannot be ignored. I have been working on the assumption that v5 keys are orthogonal to crypto-refresh, and can therefore safely be treated in parallel, however a strict reading of crypto-refresh would mandate that such v5 subkeys should invalidate the key they are attached to:

> Every subkey for a v4 primary key MUST be a v4 subkey.

https://openpgp-wg.gitlab.io/rfc4880bis/#section-10.1.3

This would appear to mean that if a keyserver presents a v4 key with a v5 subkey to a crypto-refresh compliant client, that client MUST ignore the entire key, which feels like overkill. Or should it merely ignore the offending subkey? If so, should we issue guidance to that effect?

In a thread on gnupg-users, Werner indicated that such mixing of subkey versions is longstanding behaviour, however there are vanishingly few historical examples in the wild:

https://lists.gnupg.org/pipermail/gnupg-users/2024-April/067039.html

A

v2.23.0 | Report a Bug | By Email