Re: [openpgp] primary key binding signature requirement
Aron Wussler <aron@wussler.it> Mon, 05 December 2022 09:25 UTC
To: "Neal H. Walfield" <neal@walfield.org>
Cc: Paul Schaub <vanitasvitae@riseup.net>, openpgp@ietf.org
Message-ID: <O8BktgQ3FoR9pxaaJpfRCzCYW9Httn_81Tr2eiAIB8ApnYBvfPKkLoD5J4Yliw_l6kl3QvNT42GmyRzYQGfJGtSRNDoYs0p8KfBF5_sg8Ro=@wussler.it>
In-Reply-To: <871qpe47fs.wl-neal@walfield.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/XSpFccUQ-GALGAPUwubxGr5p3Ow>
Hi Neal,

As far as I understand WKD returns only one unrevoked certificate by design.

    The HTTP GET method MUST return the binary representation of the OpenPGP
    key for the given mail address. The key needs to carry a User ID packet
    ([RFC4880]) with that mail address. Note that the key may be revoked or
    expired - it is up to the client to handle such conditions. To ease
    distribution of revoked keys, a server may return revoked keys in
    addition to a new key. The keys are returned by a single request as
    concatenated key blocks.

This is another change that I would like to pursue with the superseded
signature (other thread), to change WKD to return at most one non-revoked or
non-superseded certificate.

Cheers,
Aron

--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930

------- Original Message -------
On Monday, December 5th, 2022 at 08:48, Neal H. Walfield <neal@walfield.org> wrote:

> On Sun, 04 Dec 2022 23:13:35 +0100,
> Aron Wussler wrote:
>
> > > Did you consider using an offline primary that tsigns the intermediate
> > > keys?
> >
> > Doesn't this require users to download both keys? It would probably save
> > us some effort with trusting the offline key, but they must be
> > individually fetched, and AFAIK this would be a change with how
> > OpenPGP-CA works. Not against this model, but in general I agree with
> > Heiko that there is insufficient support from the verifying side here,
> > to allow for a seamless UX like TLS (or even close to that).
>
> How do you currently get the top-level CA certificate? WKD? If so,
> you can store all of the certificates there. And since they all use
> the same email address, getting the top-level certificate gets all of
> the intermediate certificates.
>
> > > I suspect that having this discussion now will further delay the
> > > crypto refresh (in addition to thinking that it is out of scope).
> >
> > True. So in your opinion we should not specify here whether
> > certification subkeys are acceptable behaviour? Or shall we standardize
> > the "status quo": certification subkeys are not allowed?
>
> I'm for leaving it as it is, for now.
>
> Neal
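The WKD behaviour quoted in the message above (one GET returning a binary key, possibly with revoked keys concatenated ahead of the new one, and revocation handling left to the client) as an added client-side example. This is not code from the thread, from the WKD draft or from any OpenPGP implementation: it parses RFC 4880 packet framing, splits the response into certificates at each Public-Key packet, treats a certificate as revoked when a Key Revocation signature (type 0x20) sits directly on its primary key, and enforces the "at most one non-revoked certificate" expectation on the client side. The sample response is constructed from filler key material (no real keys, no signatures verified), and the packet tags and signature type constants are the RFC 4880 values.

```python
"""Split a WKD response (concatenated binary OpenPGP certificates) and pick
at most one certificate that carries no key revocation.

Added example, not code from the thread or any OpenPGP implementation.  Only
RFC 4880 packet framing and the signature type octet are parsed; no signature
is verified (see the note on select_certificate).  Sample data below is filler."""
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
TAG_PUBLIC_SUBKEY, TAG_USER_ATTRIBUTE = 14, 17
SIGTYPE_KEY_REVOCATION = 0x20

def parse_packets(data: bytes):
    """[(tag, body), ...]: old-format headers (GnuPG still emits them for keys),
    new-format headers, and new-format partial body lengths (RFC 4880 4.2)."""
    packets, pos, n = [], 0, len(data)
    def take(k):                        # consume k octets, fail on truncation
        nonlocal pos
        if pos + k > n:
            raise ValueError(f"truncated packet at offset {pos}")
        pos += k
        return data[pos - k:pos]
    while pos < n:
        hdr = take(1)[0]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header {hdr:#x} at offset {pos - 1}")
        if hdr & 0x40:                                      # new format
            tag, body, partial = hdr & 0x3F, b"", True
            while partial:
                b1 = take(1)[0]
                if b1 < 192:
                    length, partial = b1, False
                elif b1 < 224:
                    length, partial = ((b1 - 192) << 8) + take(1)[0] + 192, False
                elif b1 == 255:
                    length, partial = int.from_bytes(take(4), "big"), False
                else:                                       # 224..254: partial body
                    length = 1 << (b1 & 0x1F)
                body += take(length)
        else:                                               # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            length = n - pos if ltype == 3 else int.from_bytes(take((1, 2, 4)[ltype]), "big")
            body = take(length)
        packets.append((tag, body))
    return packets

def split_certificates(packets):
    """Group packets into certificates; each one starts at a Public-Key packet."""
    certs = []
    for tag, body in packets:
        if tag == TAG_PUBLIC_KEY:
            certs.append([])
        elif not certs:
            raise ValueError(f"packet tag {tag} before the first Public-Key packet")
        certs[-1].append((tag, body))
    return certs

def signature_type(body: bytes) -> int:
    """Type octet: offset 2 in v3 signatures, offset 1 in v4 and later."""
    if len(body) < 3:
        raise ValueError("signature packet too short")
    return body[2] if body[0] == 3 else body[1]

def is_revoked(cert) -> bool:
    """True if a Key Revocation signature (0x20) sits directly on the primary key,
    i.e. before the first User ID, User Attribute or subkey packet.  Unverified."""
    for tag, body in cert[1:]:
        if tag in (TAG_USER_ID, TAG_USER_ATTRIBUTE, TAG_PUBLIC_SUBKEY):
            return False
        if tag == TAG_SIGNATURE and signature_type(body) == SIGTYPE_KEY_REVOCATION:
            return True
    return False

def select_certificate(wkd_response: bytes):
    """Client-side check for the expectation in the thread: revoked certificates may
    precede the current one, but at most one is unrevoked.  None if all are revoked.
    A real client must verify each revocation against the primary key (or a
    designated revoker) first; an unverified one is a denial-of-service lever."""
    live = [c for c in split_certificates(parse_packets(wkd_response)) if not is_revoked(c)]
    if len(live) > 1:
        raise ValueError(f"WKD response carries {len(live)} unrevoked certificates")
    return live[0] if live else None

# Constructed sample data: genuine packet framing around filler key material.
def new_packet(tag, body):              # new-format header, bodies below 8384 octets
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body
def old_packet(tag, body):              # old-format header, 1-octet length (tag <= 15)
    return bytes([0x80 | (tag << 2), len(body)]) + body
dummy_key = lambda seed: b"\x04" + (1670000000 + seed).to_bytes(4, "big") + b"\x16" + bytes([seed]) * 35
dummy_sig = lambda sigtype: bytes([4, sigtype, 22, 10]) + bytes(20)   # version, type, algos, filler
UID = b"Alice <alice@example.org>"
OLD_REVOKED_CERT = (new_packet(TAG_PUBLIC_KEY, dummy_key(1))
                    + new_packet(TAG_SIGNATURE, dummy_sig(SIGTYPE_KEY_REVOCATION))
                    + old_packet(TAG_USER_ID, UID) + new_packet(TAG_SIGNATURE, dummy_sig(0x13)))
NEW_CERT = (new_packet(TAG_PUBLIC_KEY, dummy_key(2))
            + old_packet(TAG_USER_ID, UID) + new_packet(TAG_SIGNATURE, dummy_sig(0x13))
            + new_packet(TAG_PUBLIC_SUBKEY, dummy_key(3)) + new_packet(TAG_SIGNATURE, dummy_sig(0x18)))
SAMPLE_WKD_RESPONSE = OLD_REVOKED_CERT + NEW_CERT    # revoked key first, then its replacement

if __name__ == "__main__":
    print("chosen primary key seed byte:", select_certificate(SAMPLE_WKD_RESPONSE)[0][1][6])
```

Running the module selects the second certificate of `SAMPLE_WKD_RESPONSE` and discards the revoked first one; feeding it two unrevoked certificates raises, which is the situation Aron's proposal would rule out on the server side. The revocation test is deliberately framing-level: whoever controls the HTTPS response (the WKD operator included) could append a Key Revocation packet that this code would honour, so a production client must check the revocation signature before dropping a certificate, and should treat a superseded or expired certificate as a separate decision from a revoked one.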