Return-Path: <jon@callas.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
 with ESMTP id 4AE9521F8999 for <openpgp@ietfa.amsl.com>;
 Tue,  5 Mar 2013 08:10:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zi75LrvL3l2g for
 <openpgp@ietfa.amsl.com>; Tue,  5 Mar 2013 08:10:43 -0800 (PST)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by
 ietfa.amsl.com (Postfix) with ESMTP id CD90121F8901 for <openpgp@ietf.org>;
 Tue,  5 Mar 2013 08:10:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com
 (Postfix) with ESMTP id 67B3F225F883; Tue,  5 Mar 2013 08:10:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (localhost
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4h01IISKpIP7;
 Tue,  5 Mar 2013 08:10:34 -0800 (PST)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by
 mail.merrymeet.com (Postfix) with ESMTPSA id E8FD8225F860;
 Tue,  5 Mar 2013 08:10:30 -0800 (PST)
Received: from [172.16.13.170] ([23.24.110.141]) by keys.merrymeet.com (PGP
 Universal service); Tue, 05 Mar 2013 08:10:34 -0800
X-PGP-Universal: processed;
 by keys.merrymeet.com on Tue, 05 Mar 2013 08:10:34 -0800
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <6F1173CD-290C-4A38-BD80-152C5E553D1F@jabberwocky.com>
Date: Tue, 5 Mar 2013 08:10:30 -0800
Message-Id: <B18461E9-7F88-4B85-AAD7-83E31C79DBD4@callas.org>
References: <5135BDE6.1070200@fifthhorseman.net>
 <6F1173CD-290C-4A38-BD80-152C5E553D1F@jabberwocky.com>
To: David Shaw <dshaw@jabberwocky.com>
X-Mailer: Apple Mail (2.1499)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Cc: IETF OpenPGP <openpgp@ietf.org>, Jon Callas <jon@callas.org>,
 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] marking subkeys as constrained for specific use -- new
 key usage flags?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>,
 <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>,
 <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2013 16:10:44 -0000

On Mar 5, 2013, at 7:19 AM, David Shaw <dshaw@jabberwocky.com> wrote:

>=20
> I'd do this with a notation (option B, which can be marked as critical =
if you desire).  The Usage flags are helpful but I don't think they have =
the ability to carry enough information to really state what you are =
trying to say.  Usage is more "this key can may be used for =
authentication", and it sounds like what you're looking for is "this key =
may be used for authentication, but only in the context of OTR".

Usage flags are there for broad declarations. For example, so that you =
use an RSA key for encryption but not signing, or a signing key for =
authentication-based signing, but not documents.

If you're really going to put protocol-specific notes in, then notations =
are the way to go.

>=20
> I can't speak for all OpenPGP implementations, but GPG will correctly =
reject a subkey binding signature if it has a critical notation that GPG =
doesn't know about.  I'm not sure if that helps or hurts your plan, =
though, as without adding code to GPG to understand your notation, you =
won't easily be able to show a connection from your OpenPGP key to the =
OTR subkey.

There's a problem with criticality as a concept in general, and that is =
that if you really do private development, it can cause things to =
explode in ways that are not useful.

In this case, we have an authentication-only subkey that's intended to =
be used for OTR. If you mark it as authentication-only, it's not going =
to be used for document signing, which is really what you want. It's =
possible that some other authentication protocol could grab it, but is =
that really a problem?

This brings us to the problem with criticality. It's supposed to keep =
some item from being used in an unknown way. But it can also fail in =
unexpected ways. I've seen criticality flags cause all sorts of weird =
issues in other systems, and the usual fix is not to make it critical.

	Jon