Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 27 August 2019 23:24 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C876212025D for <openpgp@ietfa.amsl.com>; Tue, 27 Aug 2019 16:24:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=KUWG/F7L; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=E9wOhSTS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHKIXjMBw9wT for <openpgp@ietfa.amsl.com>; Tue, 27 Aug 2019 16:24:17 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76DAA12001A for <openpgp@ietf.org>; Tue, 27 Aug 2019 16:24:17 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1566948256; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=XKIPXhfxKSusE8erT9+9Rce4Ik/PxpKg9cIBrD90Bh0=; b=KUWG/F7LCIBCzCuhnHfpSH4PUWNQTzxtmfyg2DJoAkZ3NVyLPZNMLG6R w4ZNnLoiVZLcgKP6Sni3WvcKkqvUCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1566948256; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=XKIPXhfxKSusE8erT9+9Rce4Ik/PxpKg9cIBrD90Bh0=; b=E9wOhSTSgUnoO4N5FaEIhiBZzuPmUgt3Eman1YuKf/IoB/E0b+PZRX14 rHoqyTjOeImsQxVd50IeKck98GhoqveXscNda1I3/spojV1RKIySjsiutr VjWtKwlqMK5J20wsZU2UGv2ivJQ4/BCgHFK7TUgZV/Q4SmY7JcceTCHF+Z UtTFa4Y+ub4RGy96h+KZbTbRnrFLBeyFeDFCmnTCGDgD0XbdozY4Lt1/xW gERWjrlDZXUB3f/9F9PacnoVMlmGXHbiWaRv4dsCJAoFCjn6xL/bZpsWdM TPmxONh4jmPRLH8uIMAf98k26s2qPod1rcgnHBgLLdZXRUYvX5qaCA==
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 683B3F99D; Tue, 27 Aug 2019 19:24:15 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 3130D202A8; Tue, 27 Aug 2019 18:43:45 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Jon Callas <joncallas@icloud.com>, openpgp@ietf.org
In-Reply-To: <CAF751FB-4AFD-4E64-AD8C-E04B3031F50D@icloud.com>
References: <156650274021.14785.10325255315266801149.idtracker@ietfa.amsl.com> <875zmodi1v.fsf@fifthhorseman.net> <8736hsdfm4.fsf@fifthhorseman.net> <CAF751FB-4AFD-4E64-AD8C-E04B3031F50D@icloud.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Tue, 27 Aug 2019 18:43:44 -0400
Message-ID: <87zhju9qlb.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/PEUGbOK7gN_MQUXTVqTimYe42YQ>
Subject: Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2019 23:24:20 -0000
On Tue 2019-08-27 13:05:35 -0700, Jon Callas wrote:
> Yeah. I just cringed and said, "Oh, dear me, you just invented CRLs
> and we *know* those don't work.
haha, sigh -- the way that CRLs "don't work" is roughly the same way
that HKP-style keyservers "don't work". In particular, most users don't
check CRLs, and they don't refresh keys from keyservers.
One of the reasons that they don't check CRLs is because the relevant
time for the check is often a low-latency situation (e.g. TLS session
establishment) and the implementation doesn't want to block.
Additionally, the user might not want to leak metadata about their
activity to the CRL operator. Both of these reasons are also why
OpenPGP signature verifiers have a hard time collecting revocation
information about the signature-issuing certificates.
In either case (X.509 or PGP), though, if we're willing to accept a
delay (i.e., we don't support low-latency requirements), and we can do
scheduled/backgrounded onion-routed updates to our certificate stores to
obscure the metadata patterns, we can mitigate some of those concerns.
But an additional concern for OpenPGP certificates (which X.509 doesn't
have) is that the common keyservers are vulnerable to flooding attacks,
as outlined in the draft under discussion here.
So while this discussion isn't aiming to fix the low-latency or metadata
leakage concerns, it is trying to address the abuse concerns. Maybe we
can focus on that?
> I think that it's better to keep things more or less the way we've
> done them.
The way we've done them in OpenPGP up to now is vulnerable to abuse, as
we've seen. I'm hoping we can concretely specify what we need to do to
avoid leaving the door open to that abuse.
> Alice's revocation attaches to her prior certification, and they
> travel together. They could both be dropped, but not only one. (Even
> though I can't really imagine the case of no certification, but only a
> revocation, in completeness.)
The case of an omitted certification but included revocation seems
sensible to me. If the keystore knows that a given certification is
revoked, it might very sensibly want to refrain from redistributing it.
At the same time, it knows that the certification is out there, some
people might have a copy of it, and those people need to know that a
revocation has been issued.
> If Alice isn't a good citizen and makes an abusive revocation, the
> server can and should drop it.
How would you define "abusive revocation" in this context? Is it a
universal view of "abuse", or might different people have different
perspectives?
For example, if we define abuse as being simply "too large", then
perhaps we can fix a byte limit on what a "redistributable" revocation
looks lke. And if Bob attests to Alice's certification, he is
implicitly willing to accept her (as yet unseen) revocation as well.
This gets thornier if we look at arbitrary data in the revocation. For
example, if Alice's certification revocation contains a Reason for
Revocation subpacket with a text string that says "the King is an
imbecile" (and Bob needs his certificate to be distributable in a place
where it's illegal to insult the King) or it says "Joe Smith was born on
1957-03-25" (and Bob lives needs his certificate to be distributable
somwhere it's illegal to distribute "personal information" without the
person's consent), then that would make Bob's certificate difficult to
redistribute where he needs it to be. This is where i get uncomfortable
about the idea that there is some universally-applicable view of what an
"abusive" revocation is, and why i think that Bob's sovereignty over his
own certificate makes it really important.
Perhaps we could say that the most narrowly-tailored third-party
certification revocation signature is acceptable -- the only three
subpackets allowed:
* Issuer Fingerprint
* Signature Creation Time
* Reason For Revocation -- only with a code, and string MUST be empty
And of course the abuse-resistant keystore would have to
cryptographically verify the certification revocation signature.
But does that mean that *any* revocation is freely attachable to any
certificate? What if Bob doesn't ask for a distribution of Alice's
certification in the first place? Is Alice allowed to slap a revocation
onto Bob's certificate?
This brings us to this case:
> If Bob wants to just drop Alice's certification along with her
> revocation, that's fine too.
So let's say Mallory gets ahold of Bob's secret key, and Bob's
certificate has a certification from Alice, which Mallory likes. Alice
learns that Bob's secret key has been compromised, and she wants to
revoke her certification of Bob. But Mallory (masquerading as Bob)
indicates "actually, do not distribute Alice's certification". Then
Mallory can hide Alice's revocation. I don't think that's an acceptable
outcome.
Furthermore, it's possible that Bob has *never* attested to (requested
redistribution of) Alice's certification, though Alice's certification
is known to some other party, let's say "Carol". How should Carol be
confident that she will learn of Alice's revocation, if it is created
and published?
Something like a CRL seems to still be required.
--dkg
- [openpgp] [internet-drafts@ietf.org] New Version … Daniel Kahn Gillmor
- [openpgp] Revocations of third-party certificatio… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… vedaal
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Benjamin Kaduk
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Jon Callas
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Jon Callas
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Peter Gutmann
- Re: [openpgp] Revocations of third-party certific… Benjamin Kaduk
- Re: [openpgp] Revocations of third-party certific… Jon Callas