[openpgp] OpenPGP certificate structure: multiple binding signatures on subkeys? (MR 43)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 21 May 2021 17:25 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E83123A18A2 for <openpgp@ietfa.amsl.com>; Fri, 21 May 2021 10:25:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=jSlEySFc; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=R4eOZu/7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V9I1jZ6JUWzE for <openpgp@ietfa.amsl.com>; Fri, 21 May 2021 10:24:55 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CFE23A18A0 for <openpgp@ietf.org>; Fri, 21 May 2021 10:24:55 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1621617893; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=JizpHl2zx3/nUz1aLdHRZKSCDVql6BVffr+zML2BRY4=; b=jSlEySFcPrRCNvQZ+RvG00/TF+3y3kjP47cz780AjOn6IOiepkSjbb65XpwELq0inja8w spUZcsM60Atkkb5Aw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1621617893; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=JizpHl2zx3/nUz1aLdHRZKSCDVql6BVffr+zML2BRY4=; b=R4eOZu/7VTWr9pHDy4xn1e/ZwAYmh/9PuP9xWHZ/QrlcyDZt+RkHLBUtfU06P33PWWOZn 78NbzrtYjWHPFFptTkSdUfOGrKuUTRie6tCSUlbncMh/zLVnADEcC9tLpEsrs7kHfY6Lf2R 7OG7pNxwgHnCc/31sQOuvTlx/heYOgYRWe5wo6mbbU99rSXCpjhkwil3yrg69UB/SU0T5aC DhS8tFetW5aQxLUH9fTZPjse0CRGlGRbd3pcBklAXLuHv9RMRpX9eE9gDOb/lnmE291KG4K /hBRIoT2SGCDAhzFugdFoAJ55xaZA5Bqo3+46ImeUpgIVMJJk4O0Dzn1vcuQ==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 05D95F9A5 for <openpgp@ietf.org>; Fri, 21 May 2021 13:24:52 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 72CA721272; Fri, 21 May 2021 13:24:49 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 21 May 2021 13:24:48 -0400
Message-ID: <87bl94dmov.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/PJ8GjOH-dnZ53wB8T16DOdX9-aM>
Subject: [openpgp] OpenPGP certificate structure: multiple binding signatures on subkeys? (MR 43)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2021 17:25:01 -0000

Hi OpenPGP folks--

in https://gitlab.com/openpgp-wg/rfc4880bis/-/merge_requests/43 and
https://gitlab.com/openpgp-wg/rfc4880bis/-/issues/25 vanitasvitae
suggests that the structure for OpenPGP certificates (aka "Transferable
Public Keys", aka "keyblocks") is wrong.  He recommends this change:

--- a/crypto-refresh.md
+++ b/crypto-refresh.md
@@ -2914,8 +2914,8 @@ The format of an OpenPGP V4 key that uses multiple public keys is similar except
         User ID [Signature ...]
        [User ID [Signature ...] ...]
        [User Attribute [Signature ...] ...]
-       [[Subkey [Binding-Signature-Revocation]
-               Primary-Key-Binding-Signature] ...]
+       [[Subkey [Binding-Signature-Revocation ...]
+               Subkey-Binding-Signature ...] ...]
 
 A subkey always has a single signature after it that is issued using the primary key to tie the two keys together.
 This binding signature may be in either V3 or V4 format, but SHOULD be V4.


There are two things happening here:

 - the binding signature is correctly identified as a
   Subkey-Binding-Signature, not a Primary-Key-Binding-Signature. (the
   primary-key-binding signature (the "cross-sig") is, where
   appropriate, expected to be embedded in the subkey-binding-signature
   itself)

 - there can be more than one binding sig revocation, and more than one
   subkey binding signature


This matches my understanding of how OpenPGP certificates are
structured, and I believe most implementations work this way.

I've opened
https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/52
to request a test for this, but it may not be necessary if the WG has
consensus that this is correct.

I note that if the change in the structure is correct, then the text
below it should also be changed (it should not say "has a single
signature after it…")

          --dkg