[openpgp] Re: Signing-only primary keys

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 30 April 2025 23:20 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Wiktor Kwapisiewicz <wiktor=40metacode.biz@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <7d94d70b-fd18-4a0f-b656-d2936aa09578@metacode.biz>
References: <7d94d70b-fd18-4a0f-b656-d2936aa09578@metacode.biz>
Date: Wed, 30 Apr 2025 19:20:18 -0400
Message-ID: <87r019grt9.fsf@fifthhorseman.net>
Subject: [openpgp] Re: Signing-only primary keys
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/PFqmlHKVvnihUfkr-r79xuiPUpE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>

On Wed 2025-04-23 12:04:29 +0200, Wiktor Kwapisiewicz wrote:
> Is my reasoning valid that dropping the "C" key flag is okay or is 
> anyone aware of practical issues with it?

I'm also not aware of any practical problems you're likely to have with
a primary key without the certification usage flag.

It's entirely possible that there are implementations that will accept
certifications from such a key.

Andrew Gallagher opened a request for a new test like that here:

   https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/160

Maybe someone wants to nudge the interop test suite in that direction?
It should be pretty easily discoverable with `sop validate-userid`.

      --dkg
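Added example (not part of dkg's message, and not the interop test suite's or sop's code): the check an implementation would run when it receives a third-party certification is to look at the Key Flags subpacket (type 27) in the certifier's own self-signature and refuse the certification when the Certify bit (0x01) is clear. The code below parses an OpenPGP signature subpacket area using the one/two/five-octet length framing from RFC 9580 section 5.2.3.7, extracts the first Key Flags octet, and applies that policy. The subpacket byte strings, the creation timestamp, and the function names are constructed here for illustration; no real key material is used. How to treat a self-signature with no Key Flags subpacket at all is left to the caller (the function returns None), since the thread does not settle that case.

```python
"""Key Flags policy check for OpenPGP third-party certifications.

Added example: parse a signature subpacket area (RFC 9580 sec. 5.2.3.7
framing), read the Key Flags subpacket (type 27), and decide whether the
certifier is allowed to certify. Sample bytes below are constructed.
"""
from typing import List, Optional, Tuple

# Key Flags, first octet (RFC 9580 section 5.2.3.29).
KEYFLAG_CERTIFY = 0x01
KEYFLAG_SIGN = 0x02
KEYFLAG_ENCRYPT_COMMS = 0x04
KEYFLAG_ENCRYPT_STORAGE = 0x08
KEYFLAG_AUTHENTICATE = 0x20

SUBPACKET_SIGNATURE_CREATION_TIME = 2
SUBPACKET_KEY_FLAGS = 27


def parse_subpackets(area: bytes) -> List[Tuple[int, bool, bytes]]:
    """Split a subpacket area into (type, critical, body) triples.

    The length counts the type octet plus the body and is encoded in
    one octet (<192), two octets (192..254 lead octet) or five octets
    (255 lead octet followed by a 4-octet big-endian length).
    """
    out = []
    i, n = 0, len(area)
    while i < n:
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            if i + 1 >= n:
                raise ValueError("truncated two-octet subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            if i + 4 >= n:
                raise ValueError("truncated five-octet subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > n:
            raise ValueError("subpacket length runs past end of area")
        type_octet = area[i]
        # Bit 7 of the type octet is the critical flag; an unknown critical
        # subpacket should invalidate the signature (not enforced here).
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[i + 1:i + length]))
        i += length
    return out


def key_flags(area: bytes) -> Optional[int]:
    """Return the first Key Flags octet, or None if the subpacket is absent."""
    for sp_type, _critical, body in parse_subpackets(area):
        if sp_type == SUBPACKET_KEY_FLAGS:
            return body[0] if body else 0
    return None


def certifier_may_certify(selfsig_hashed_area: bytes) -> Optional[bool]:
    """Policy: accept a third-party certification only from a key whose own
    self-signature carries the Certify flag. None means 'no Key Flags
    subpacket present', which the caller must decide how to treat."""
    flags = key_flags(selfsig_hashed_area)
    if flags is None:
        return None
    return bool(flags & KEYFLAG_CERTIFY)


def subpacket(sp_type: int, body: bytes) -> bytes:
    """Encode one short subpacket with a one-octet length (constructed input)."""
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, sp_type]) + body


# Constructed hashed subpacket areas standing in for three primary-key
# self-signatures: sign-only ("S" but no "C"), certify+sign, and no Key Flags.
CREATION = subpacket(SUBPACKET_SIGNATURE_CREATION_TIME, (1700000000).to_bytes(4, "big"))
SIGN_ONLY_PRIMARY = CREATION + subpacket(SUBPACKET_KEY_FLAGS, bytes([KEYFLAG_SIGN]))
CERTIFY_AND_SIGN_PRIMARY = CREATION + subpacket(
    SUBPACKET_KEY_FLAGS, bytes([KEYFLAG_CERTIFY | KEYFLAG_SIGN]))
NO_KEY_FLAGS = CREATION

if __name__ == "__main__":
    for name, area in [("sign-only", SIGN_ONLY_PRIMARY),
                       ("certify+sign", CERTIFY_AND_SIGN_PRIMARY),
                       ("no key flags", NO_KEY_FLAGS)]:
        print(f"{name:>13}: flags={key_flags(area)!r} may_certify={certifier_may_certify(area)!r}")
```

An implementation that ignores Key Flags when checking certifications would return "accept" for the sign-only case above; that divergence is what an interop test of the kind requested in issue 160 would surface, and `sop validate-userid` against a certification made by such a key is one way to probe a given implementation for it.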