IETF Logo Mail Archive

Re: [openpgp] primary key binding signature requirement

Aron Wussler <aron@wussler.it> Sun, 04 December 2022 22:13 UTC

Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A923C14F738 for <openpgp@ietfa.amsl.com>; Sun, 4 Dec 2022 14:13:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpNS-eS6vuWi for <openpgp@ietfa.amsl.com>; Sun, 4 Dec 2022 14:13:52 -0800 (PST)
Received: from mail-40136.proton.ch (mail-40136.proton.ch [185.70.40.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EE43C14F5E0 for <openpgp@ietf.org>; Sun, 4 Dec 2022 14:13:51 -0800 (PST)
Date: Sun, 04 Dec 2022 22:13:35 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail3; t=1670192029; x=1670451229; bh=MSIAmxIV07aCWJLRP0G5fWyxvzSq/0mTfHK5cJuK+lM=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=jz92io0ct6RTeo7b/Aj86XLcodbbqEXn6k75bKf1tjrfq+Wu0xYGzXLGSEGn/PhVX nrmCRTu4VG92z/QOSx34RScCcdtkwRijgqI8PgOyZBMY4khZXTSQfyMNd/ld8Gcxxp /Ef92pRNBFemtxz6arVjA/sfS1RmvJlEVM57YKqES2ErJILqYHrlc1GaW5aRXs7mnf Mdx2h6Zfx55YS3DBDMCNcbXludYJeUO2kaGnKVGAfg7QjQmSkQV0/wBHLx24FopLJ4 Cg52rr8z9WwooNlswBB+2E684CItk4m0oUe4VS+KEDXvtyXbVmUw2GRRubvNSjWqaZ uNB6gbyMO0r5w==
To: "Neal H. Walfield" <neal@walfield.org>
From: Aron Wussler <aron@wussler.it>
Cc: Paul Schaub <vanitasvitae@riseup.net>, openpgp@ietf.org
Message-ID: <U6n2VVpBN9sbBojynnUb4gHkIl7nUZfhqOMfPjVBhu4DnOc_4bxGfrQ-fxNf7xDHcKTzTp65A5nhsejJuvGLVG3fKTUdpkfajN2ju6crZHc=@wussler.it>
In-Reply-To: <87359v4am4.wl-neal@walfield.org>
References: <87v8mv4gfe.wl-neal@walfield.org> <4xf4guGg2quiLcVvBQI78yHRQmwuV3NK-tyKFMw9pdwv5MXBmgnAUIu0vDxYK0L8dz3zQdwV5JoPozx98gIoCtgFVbNBg03UQSt8YfE_7YM=@wussler.it> <DAD8D9FD-E0CD-4D7A-BD8F-776F07207C06@riseup.net> <877cz84jue.wl-neal@walfield.org> <pM_Lyx3OlnFSNprDwYOLg4Ssx2vScAGr8XqGFXUYB3OUcZr1u4PUQ8rwOxlUe0_rl_c_sCF8KIcPF4lxUCAyjW7sC4sh-UxOaUNWVKlble8=@wussler.it> <87359v4am4.wl-neal@walfield.org>
Feedback-ID: 10883271:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------653592b61c2545f5b9c71909e868497db6ee7038b2f04511de763af5b4044f57"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/R_Plf4vQ2uLw6kZYROLi9090ipo>
Subject: Re: [openpgp] primary key binding signature requirement
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Dec 2022 22:13:58 -0000

Hi Neal,

> Did you consider using an offline primary that tsigns the intermediate
> keys?

Doesn't this require users to download both keys? It would probably save us some effort with trusting the offline key, but they must be individually fetched, and AFAIK this would be a change with how OpenPGP-CA works. Not against this model, but in general I agree with Heiko that there is insufficient support from the verifying side here, to allow for a seamless UX like TLS (or even close to that).

> I suspect that having this discussion now will further delay the
> crypto refresh (in addition to thinking that it is out of scope).

True. So in your opinion we should not specify here whether certification subkeys are acceptable behaviour?
Or shall we standardize the "status quo": certification subkeys are not allowed?

Cheers,
Aron

------- Original Message -------
On Sunday, December 4th, 2022 at 13:27, Neal H. Walfield <neal@walfield.org> wrote:


> On Sat, 03 Dec 2022 17:09:17 +0100,
> Aron Wussler wrote:
> 

> > The very reason why I tried to make a certification-capable subkey is for ProtonCA - our take at OpenPGP-ca.
> > I think an offline primary key would be much better than what we're doing now, creating sorta a certificate chain, and making subkey rotation easy.
> > We can also pre-distribute and pre-generate all the subkeys for some years to come.
> > 

> > After trying out different software and realising none understood my certification, I gave up and we decided to use the primary key.
> > With the current setup this we're stuck at using the primary key, and when we'll have done some 2^30 signatures rotate it.
> 

> 

> Did you consider using an offline primary that tsigns the intermediate
> keys? Users would need to use a depth of >1 instead of 1 when
> 

> tsigning the proton CA as a (partially) trusted root, but that's not a
> much bigger ask, I think. That is, you'd have something like this:
> 

> Alice
> | tsigns (domain=protonmail.com)
> v
> proton offline CA
> | tsigns
> v
> proton intermediate CA 2022
> | certifies
> v
> proton user
> 

> > > The protocol is complex enough as it is today. I believe there are no use-cases that require subkeys of subkeys which cannot be solved in other ways.
> > > I also sadly agree with this sentence, the OpenPGP RFC is already complex enough, and I am not trying to argue that there is no way around (as we found one) but it would be nice to know whether it's officially possible or not.
> > 

> > Slightly edge-case uses are possible and this could be useful, but nothing really mainstream IMO.
> > 

> > > But, I believe that discussion is out of scope for the crypto refresh.
> > > Hmm, not sure about this, probably this is the best place to define it univocally. Or should this be in another informational RFC?
> 

> 

> I suspect that having this discussion now will further delay the
> crypto refresh (in addition to thinking that it is out of scope).
> 

> Neal

v2.23.0 | Report a Bug | By Email