IETF Logo Mail Archive

[openpgp] Re: Encryption subkey selection

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 May 2025 22:57 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2DC192513CE8 for <openpgp@mail2.ietf.org>; Mon, 5 May 2025 15:57:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="19aaI2RJ"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="UOgB62Q6"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OI3H1w0nP9Mo for <openpgp@mail2.ietf.org>; Mon, 5 May 2025 15:57:52 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CE9B42513CE0 for <openpgp@ietf.org>; Mon, 5 May 2025 15:57:52 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1746485872; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=Ni2tmqqAjOFzPfnjrBvKzAnax0NzaVBaSSvffUlm0e8=; b=19aaI2RJdxINyplmZs5MclUYfMkb71bZej3aOubiL4Ei618CKk+Y6JZBsRHRQw16hoEDX M7KMkoNdAQ1aBfpAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1746485871; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=Ni2tmqqAjOFzPfnjrBvKzAnax0NzaVBaSSvffUlm0e8=; b=UOgB62Q6Hiu6qmqjPlGxK9t6KyLOwgP/yqFEQRQlxgDJ8dQnmv7T386wIlg/0odSgN2kR L6ZlWKzwDI5mYWV49OzRf7gp7yNIxTuZQFtpM2HwLNDd9XaZSridszIGxGf38r4UebuLMWQ A9SS4RQFc4GZyP3XbEE9aPnkE76NGmKKrk72li7jpe1+5j5e6zBNRLImfJtJTCTaY1duI7u 9DddHqHkzKw6195oeMw9rjm4WB5acfZtj+nvucnM1opD8Wfx4XtmOW8bdBn42kTuwlBnqQn a5pBo6O8yY36sPaWW+HcJAz5CyF+NbL4r+t1hnhCIwLaRqzSjaLAKLSgb9+g==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id DCF21F9B1 for <openpgp@ietf.org>; Mon, 5 May 2025 18:57:51 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 30CAB13F6A6; Mon, 05 May 2025 18:57:49 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <ToH9iWOoC_CgdIu1k9gaMAaNzpZ5nwHbPScoiuJr_RIQpz6Wv1Z7qY9iaKepYMwLlynVkNytyotr-FWEFRBA5saNHy7N_1dmbcMC310quFM=@protonmail.com>
References: <87h631mvol.fsf@thinbox> <dI4YtuyWCyCqKizRafc2sNHBFSRSuQEt-03l8CBI-bRD4SPN7701nRDLFYtu0hwve96cG3Q4kIglx6oVTIAiJbVJseQRzLrt2AoKpSLes28=@protonmail.com> <87ecxupx9w.fsf@europ.lan> <ToH9iWOoC_CgdIu1k9gaMAaNzpZ5nwHbPScoiuJr_RIQpz6Wv1Z7qY9iaKepYMwLlynVkNytyotr-FWEFRBA5saNHy7N_1dmbcMC310quFM=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/YO+5Zi7HNFzxk a2dAZmlmdGhob3JzZW1hbi5uZXQ+wsARBBMWCgB5AwsJB0cUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmcS78JIJ7JbALqPiKEmva7/Pp16WwXWm9hbe5+B/UvnfwMVCggCmwEC HgEWIQTUdwQMcMIValwphUm7fpEBSV5r9wUCZadfkAUJBdnwRQAKCRC7fpEBSV5r9yNXAP442N0c zvisBroQSKKpo+OWm2JpnEJWoVheeJvoRtkBGQEA+edHylby8IGcNccq7rmM2rAXdofvrU1o6qow V+mmDwbOMwRnio4OFgkrBgEEAdpHDwEBB0Cw9HzJFl9lZn3UBaUqSMSgxjcdbd0MwNVcGZ8t8wdN EcLAvwQYFgoBMQWCZ4qODgkQu36RAUlea/dHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnhcN+tn41cAg01Kk56zcAfpdsh8j98PDe00mqKPfFvaYCmwK+oAQZFgoAbwWCZ4qO DgkQeAuFTtnCtJZHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnxsD8Sk5P Wgx8c/Zseo6OlCjyDC+Ogm17gTaUUIpxjWYWIQRjrBGOWy5dZsiKhad4C4VO2cK0lgAAdcQA/1RG dmrmvVxkBY2qNPjtERNwPga8Pf4IdlenrZ03NXM4AQC+TDHMpD7d5obEvUy8GYI3oThzYItPP8vv ChY+wbaIBRYhBNR3BAxwwhVqXCmFSbt+kQFJXmv3AAAKbgD+K1MZXnRKPdmA8DgNysyGRZY8cSVH HQcC7ZAAtV3i2+wA/0CyOYrbFYbyTRALgoERR07OHFoP+fJopQLMNQARVUELzjgEZ4qN+RIKKwYB BAGXVQEFAQEHQDTGlR+Qmn334e+bPqvojJVdFsiBf0leAAHP+ESqop8NAwEIB8LAAAQYFgoAcgWC Z4qN+QkQu36RAUlea/dHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnA5Lw b3wOOcoodImuVNw4PYq1U65FDC1Q2JMFIcJXqF0CmwwWIQTUdwQMcMIValwphUm7fpEBSV5r9wAA 6egA/j3QANSmogZ5VTF5KlI+BBye9ud/w9j7RLcCHU6u8AA1AQC3FGaNuv+uWOSa+eeEoI/aZrGd X5el8b/m6aXDDxDjDg==
Date: Mon, 05 May 2025 18:57:48 -0400
Message-ID: <878qnahdhv.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Message-ID-Hash: V2UEKSJJD5QPOKO3O2ZABZQBLL27MXGT
X-Message-ID-Hash: V2UEKSJJD5QPOKO3O2ZABZQBLL27MXGT
X-MailFrom: dkg@fifthhorseman.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: Encryption subkey selection
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/P2r3t2Er8YJx5ld2umx1XoMOMww>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi Daniel--

Thanks for this concrete proposal.  With no hats on, I really like the
simplicity.  A few questions below about wire format, algorithmic
selection details, and semantics.

I note that this proposal is a mix of hard-coded ecosystem-wide
assumptions (dates matter; higher algo-ids are preferable) and minimal
explicit signalling (one cert-wide flag).

I think it can successfully communicate several reasonable simple
strategies that keyholders might want to opt into.  I don't see any
plausibly executable strategies that are superior to the supported ones
that wouldn't be supported by this scheme.  Maybe if such a strategy
does turn up, we could have some additional mode to support it, if it's
worth the additional complexity?

On Thu 2025-05-01 17:10:46 +0000, Daniel Huigens wrote:

> I would propose that we add a single flag to the certificate, in a
> direct-key signature (for v6) or primary User ID binding signature (v4)
> subpacket, which says: "please encrypt to all valid encryption subkeys
> in this certificate". By default, the flag would be off.

Are you imagining this as a flag in the Features subpacket?  or some
other way to implement the flag?

> If it's off (explicitly or implicitly), the implementation should select
> the newest valid encryption subkey, or - if there are multiple valid
> encryption subkeys with the same creation timestamp - the subkey with
> the highest _algorithm ID_.

Some algorithm IDs support multiple security levels, right?  for
example, an RSA encryption key (algo ID 1) can have a 1024-bit modulus
or a 3072-bit modulus.  Or a generic "ECDH" key (algo ID 18) can
(depending on OID) offer brainpoolP256r1, Curve25519Legacy, or NIST
p521.  It seems not impossible to have two ECDH subkeys with different
curves on the same certificate (possibly even created at the same time).
What should happen in that case?  Maybe we should explicitly allow the
implementer to choose their own preference ordering between curve OIDs
for this legacy EDCH case rather than bikeshedding over some strict
ordering?

Semantically, i think when you say "valid encryption subkey" you mean
"supported valid encryption subkey", right?  that is, the sender allows
fallback to "older" keys (or "lower" algorithm IDs) when the newest (or
highest by algorithm ID) isn't supported.

This would allow a very ambitiously-backward-compatible certificate to
publish a cert with six encryption-capable subkeys with increasing
timesteps:

  K0: RSA
  K1: ECDH/Curve25519Legacy
  K2: X25519
  K3: X448
  K4: ML-KEM-768+X25519
  K5: ML-KEM-1024+X448

I'm not recommending anyone actually create such a monstrosity, but the
scheme described would certainly support this use case.

What do other folks think about Daniel's proposed scheme?

     --dkg

v2.31.3 | Report a Bug | By Email | System Status