IETF Logo Mail Archive

Re: [openpgp] Fingerprints

Derek Atkins <derek@ihtfp.com> Mon, 27 April 2015 14:24 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A531A1A7E for <openpgp@ietfa.amsl.com>; Mon, 27 Apr 2015 07:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.289
X-Spam-Level:
X-Spam-Status: No, score=-1.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_ORG=0.611] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id or73-8Mt9Hw7 for <openpgp@ietfa.amsl.com>; Mon, 27 Apr 2015 07:24:14 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EAFB1A1A7C for <openpgp@ietf.org>; Mon, 27 Apr 2015 07:24:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 71406E2036; Mon, 27 Apr 2015 10:24:13 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 29713-03; Mon, 27 Apr 2015 10:24:11 -0400 (EDT)
Received: from securerf.ihtfp.org (unknown [IPv6:fe80::ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id C34F6E2035; Mon, 27 Apr 2015 10:24:11 -0400 (EDT)
Received: (from warlord@localhost) by securerf.ihtfp.org (8.14.8/8.14.8/Submit) id t3REOBol023695; Mon, 27 Apr 2015 10:24:11 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>
References: <CAMm+LwhbB+-MnGRBCvprgAGOuu+5CJ2rgod7EBGOQR5UNVrspQ@mail.gmail.com> <87d232lkb6.fsf@alice.fifthhorseman.net> <sjmlhhmakxp.fsf@securerf.ihtfp.org> <1429543533.24823.73.camel@scientia.net> <2142458E-1636-4E3B-8CCE-36078AFC02C9@callas.org> <1429922158.4659.43.camel@scientia.net>
Date: Mon, 27 Apr 2015 10:24:11 -0400
In-Reply-To: <1429922158.4659.43.camel@scientia.net> (Christoph Anton Mitterer's message of "Sat, 25 Apr 2015 02:35:58 +0200")
Message-ID: <sjmoam94pkk.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/PNdalPW-JxpWa8gh1UFjAVWlkD8>
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2015 14:24:15 -0000

Hi,

Christoph Anton Mitterer <calestyo@scientia.net> writes:

> On Fri, 2015-04-24 at 12:11 -0700, Jon Callas wrote: 
>> > And specifying a expiration time (even if it's 0) should be mandatory.
>> That's there now.
> Again, I don't see where this would be specified, except for the
> deprecated v3 keys.
>
> It's not part of the v4 keys, and I can't recall a section which makes
> the key exp sig subpacket mandatory.

I read 4880 again and I'm afraid I was wrong and you are correct; the
key expiration was removed in v4 keys.

Having the subpacket mandatory doesn't help, because the self-sig can
always be reissued.

> Anyway, the idea for making it mandatory has less to do with the
> immutable vs. mutable question... it's rather based on the idea that we
> should IMHO try to strengthen and clarify the whole message format.
> E.g. I think we should convert the critical-bit to be a non-critical
> bit. e.g. everything is considered critical unless explicitly specified
> not to be.

With it being in the self-sig there is no way to make it immutable.  I
could take the top-level key packet and create a new self-sig on it with
a different key-expiration subpacket.  All other signatures on the key
will remain valid (because they don't include the self-sig), and the key
fingerprint wont change (because it doesn't include the selfsig, either).

> Cheers,
> Chris.
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

v2.23.0 | Report a Bug | By Email