Re: [openpgp] New Version Notification for draft-dkg-openpgp-stateless-cli-05.txt (key generation profiles)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 23 February 2023 13:44 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C95FC14CE25 for <openpgp@ietfa.amsl.com>; Thu, 23 Feb 2023 05:44:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.303
X-Spam-Level:
X-Spam-Status: No, score=-1.303 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="mlYFWsDR"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="QjiffP9i"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xfllZhcsMhgj for <openpgp@ietfa.amsl.com>; Thu, 23 Feb 2023 05:44:19 -0800 (PST)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EBDAC14F726 for <openpgp@ietf.org>; Thu, 23 Feb 2023 05:44:18 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1677159857; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=68z9cGkESoGcVZUoQPAtWj1GjgsCHgq11TnMvHxehqc=; b=mlYFWsDRUDg6egsTKtsPDnuRkNIw0yP0FEA6540i9lUU7AC5r/fiWrd10ofHetijJuIL8 WrAyobl2NZEolG8BQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1677159857; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=68z9cGkESoGcVZUoQPAtWj1GjgsCHgq11TnMvHxehqc=; b=QjiffP9i1VaCD6P7uVFhHcWiNj7EVa4qD93YIDR/aGEb3ukA+djvR1Mu/dFGRsc10to6l vfOR38bpAj5WPdd17/DCsCsg7UuADGROhLDaTDztEyaIgGRUtoqD0Z7w8Nvbcu/sdeOSrOK aDn7VVMc/b5AqPUyi0FR7OlbCnuWldr3w5w57mPaeZbb/bu4ecVRimpPrDpddWGgmWivz6J /qEYX2+C2zR4KvgM7BGdIHVg8k1U/isWt8YRepy68QvlXkxCl2v2hI3cbnWvk6eFUlQR0uQ QcoIDMfR1pfkoZ2jNbMIhorWzgL8F3SfX+tyWwTmbXatnABb/ZVthEl78WtQ==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 6F649F9AF for <openpgp@ietf.org>; Thu, 23 Feb 2023 08:44:17 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 8030F2065A; Wed, 22 Feb 2023 19:06:03 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <167710977260.9629.9105781856550715247@ietfa.amsl.com>
References: <167710977260.9629.9105781856550715247@ietfa.amsl.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Wed, 22 Feb 2023 19:06:00 -0500
Message-ID: <878rgpi6tz.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/SK7E895BfNcSnTZqFsJi-0DlqfM>
Subject: Re: [openpgp] New Version Notification for draft-dkg-openpgp-stateless-cli-05.txt (key generation profiles)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2023 13:44:23 -0000
Hi OpenPGP folks-- The draft announced in this message is not Working Group work, but it is aimed at interop testing, so i wanted to give a heads-up for any implementers following the current crypto-refresh draft. On Wed 2023-02-22 15:49:32 -0800, internet-drafts@ietf.org wrote: > A new version of I-D, draft-dkg-openpgp-stateless-cli-05.txt > has been successfully submitted by Daniel Kahn Gillmor and posted to the > IETF repository. > > Name: draft-dkg-openpgp-stateless-cli > Revision: 05 > Title: Stateless OpenPGP Command Line Interface > Document date: 2023-02-22 > Group: Individual Submission > Pages: 46 > URL: https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-05.txt > Status: https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/ > Htmlized: https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-stateless-cli > Diff: https://author-tools.ietf.org/iddiff?url2=draft-dkg-openpgp-stateless-cli-05 I've just updated the sop draft, with the main goal of trying to faciliate interoperability testing of developer branches that might support new specifications. From the changelog: ------ ## Substantive Changes beteween -04 and -05: - `decrypt`: change `--verify-out` to `--verifications-out` - `encrypt`: add missing `--with-key-password` - add the concept of "profiles", use with `generate-key` - include table of known implementations - `VERIFICATIONS` can now indicate the type of the signature (`mode:text` or `mode:binary`) ------ The biggest novelty here is the "profiles" mechanism. "sop generate-key" now takes an optional `--profile=PROFILE` argument, and any implementer can define an interesting and useful profile. By default, nothing changes, and implementations can emit whatever they want to emit. But the idea here is that when we manage to release crypto-refresh-08, implementers can enable a profile named "draft-ietf-openpgp-crypto-refresh-08" and we can see whether other implementations can handle the keys or certificates produced that way. That would be invoked like so: sop generate-key --profile=draft-ietf-openpgp-crypto-refresh-08 "Alice <alice@example.org>" If the eventual RFC is released as RFC 9999), then an implementation might try to make a new key for it with: sop generate-key --profile=rfc9999 while still leaving the default profile as something with a wider interoperability. There is also a way to learn the new key profiles supported by any sop implementation, with: sop list-profiles generate-key For future work, we could also consider applying this --profile= mechanism for `sop encrypt` (e.g. to force some flavor of ESK/SEIPD to be produced?), but i figure this is enough churn in the specification for one cycle. If someone else wants to propose improvements, i'd be happy to review. As always, I welcome feedback from implementers or consumers of the sop interface. Does it match the semantics that you're expecting? is it concretely useful? How can it be improved or clarified? --dkg
- Re: [openpgp] New Version Notification for draft-… Daniel Kahn Gillmor
- Re: [openpgp] New Version Notification for draft-… Daniel Huigens
- Re: [openpgp] New Version Notification for draft-… Daniel Kahn Gillmor