[openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?

Justus Winter <justus@sequoia-pgp.org> Thu, 12 September 2024 14:52 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A432CC14F603 for <openpgp@ietfa.amsl.com>; Thu, 12 Sep 2024 07:52:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ToTNU8YbUof for <openpgp@ietfa.amsl.com>; Thu, 12 Sep 2024 07:51:59 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CF57C15171B for <openpgp@ietf.org>; Thu, 12 Sep 2024 07:51:58 -0700 (PDT)
Received: (qmail 10614 invoked by uid 500); 12 Sep 2024 14:51:56 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Thu, 12 Sep 2024 16:51:55 +0200
From: Justus Winter <justus@sequoia-pgp.org>
To: Daniel Huigens <d.huigens@protonmail.com>, "draft-ietf-openpgp-replacementkey@ietf.org" <draft-ietf-openpgp-replacementkey@ietf.org>, IETF OpenPGP WG <openpgp@ietf.org>
In-Reply-To: <AwjEWTG0D_H985qVgdVDJNfG3jJROp0T9HD06zQWGzXnby5tXCoVrZH18W8T67Mh7CCAPLFJ33Np0Ro0yAWGRH827Kl7_lhqSZMr6JckCrU=@protonmail.com>
References: <AwjEWTG0D_H985qVgdVDJNfG3jJROp0T9HD06zQWGzXnby5tXCoVrZH18W8T67Mh7CCAPLFJ33Np0Ro0yAWGRH827Kl7_lhqSZMr6JckCrU=@protonmail.com>
Date: Thu, 12 Sep 2024 16:51:54 +0200
Message-ID: <87r09o7wmt.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: ----
X-Rspamd-Report: BAYES_HAM(-3) SIGNED_PGP(-2) SUBJECT_ENDS_QUESTION(1) MIME_GOOD(-0.2)
X-Rspamd-Score: -4.2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from:to:subject:date; bh=XKfahNDeE70KcvABZVaKJhM+C+L0Rr5WTJHIXeZrfpU=; b=H9magf/jaJ9lg5hKA6IIuTaBNC50jSJ1rePDwMS78eCzUzXRsXtE+u+nbQd1g2QrPKVcndHpRR NgsrbRLJl71qEmkNhi/H25chYnTNlyX6E3M4AYZN46XYujBA6t03j+2jmg/ZezIXyUKuxzhe8OCh xhetc2JpEgeSw0NLGVhRxrRC+Kz+0sn1SNkq7uzfyRECDo7eKEkuOAlYJXdBiPLKKR+85z8cN8v9 62lTnMYbyHQFCKX2qFW86/CeJ+0O+0ihfn2K40NtviPW7yMUfm22O8Bpz8bcvph1D24pXeQvSayM Qg16QOtXXMfoGf8Oq/4EwSX5y8Q1DIIS/yHX/DAC1sSH23wy0rnzdmCQBwGD8EYL7K7lj+1fFCgX 5g+CEmNxdWQn6odrQSZZ9eISUlgHjJ9W6Cr8K0zZGddJ7D2Er1A1nTlb7P1UbBZyuXpN/EfnoBpk +/Mt9VOO/VHzutt52aYAgPoETVe491Qo1PVs+CTX7Y/hx8oTm2GQ8dEnFfS340iIxJWdnsUpSSAg Ju9t6yXSW7BoLpXX+uTARnsByOosQLcd1SgfB1eyhXcSWAD3hlyQeUZcGHvFJ11HjtWZ5tMJNTpq x+TrnODslJtS9j24VVzZ4QiQwgKB+VwPWRHoC7FsHepPK3cs49SweGCld8BvrFme+Fr8T2HByzqv s=
Message-ID-Hash: MLE4H3GTJR7X5LYBTES22AYVCJ6Q2TOD
X-Message-ID-Hash: MLE4H3GTJR7X5LYBTES22AYVCJ6Q2TOD
X-MailFrom: justus@sequoia-pgp.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/XTDyX3F0SzTPbbs24Li3YCFyB5A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hello :)

Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> writes:

> After thinking a bit more about the fingerprint/imprint question after
> the meeting, I think they (and the entire subpacket in general) serve
> different purposes that perhaps should be split up into separate
> subpackets (but along a different axis than the forward/inverse
> split proposal).
>
> One purpose is identifying the replacement key so that it can be looked
> up (previous versions of this draft only had this purpose in mind AIUI).
>
> The other purpose is to create a trust-equivalence binding between two
> or more keys. I've advocated for adding this to the draft in the past,
> so I'm partly to blame for that extra scope, though in my defense, I
> didn't say that it should necessarily happen in the same subpacket :')

First of all, I have an issue with the terminology.  The text in
question does not mention "trust-equivalency" once.  I think it'd be
better to stick with the terminology established in the document under
discussion, or clearly say why the existing terminology is insufficient.

Further, I have a rule of thumb when discussing OpenPGP: any person
saying the word "trust" is likely confused and most certainly wrong.

For example:

> For some use cases (e.g. when using WKD with a hypothetical update that
> allows serving multiple keys) the first purpose is entirely irrelevant,
> as you already have all keys and the only thing you need is the trust-
> equivalence binding (if the user manually trusted one of the keys in
> the past, for example).

The phrase "trusted one of the keys" is meaningless.  There are two
kinds of trust being discussed in OpenPGP, and I'm pretty sure you are
thinking of the former, but the phrase has the shape of the latter:

- One can have a varying degree of confidence that a given certificate is
  appropriate for a given use.  Most often we think of (email address,
  cert) tuples, for example.  (Shape: tuple).

- One can also have a varying degree of confidence that a certificate
  holder's objectives are sufficiently aligned with ones own objectives so
  that the certificate holder can be used to authenticate other (email
  address, cert) tuples.  Adding to the confusion, GnuPG calls this
  owner trust.  (Shape: certificate).

I realize that I'm being pedantic here, but people get this wrong all
the time, and if we don't get it right (because we're using sloppy
language), how can we expect our downstream developers or users to get
it right?

> I also think the first purpose is potentially underserved by the current
> draft, since e.g. (as Andrew pointed out) there's no way to say "please
> find the replacement key on this other key server, which is different
> from the key server that I've been using to update this key".

Saying go find my replacement cert on that server is the web bug, that'd
be an antifeature.

> And.. actually there's a third purpose: identifying which key is the
> preferred one. I tend to think this is the least important among the
> three and could be replaced by just saying that the latest-generated
> valid (unrevoked etc) key among all trust-equivalent keys is the
> preferred one.

What if there are two keys with the same creation time?  What if the
newest key I create is not the one I prefer?  Do I need to lie about the
creation time then?

> So, as a strawman proposal, the way I'd slice it is with two subpackets;
> a "Related Key" subpacket (containing a fingerprint and perhaps a key
> server URL?), and a "Trust-Equivalent Key" subpacket (containing an
> imprint). Both of them can be included multiple times, and all trust-
> equivalent keys should refer to each other, such that they form a set
> rather than a tree or some such.
>
> The preferred key can be found by looking at all keys you have and
> looking up all related keys in them, then selecting all keys that are
> trust-equivalent with the one(s) you trust, and then picking the newest
> valid key from those.
>
> This of course doesn't help with the redundancy between fingerprint and
> imprint in the case SHA256 is used for both and you want to include both
> subpackets; but perhaps gzip compression in transit can fix the issue
> in that case :)

I don't think that splitting the subpacket into two makes any of the
spec, semantics, or implementations substantial easier.  On the other
hand, I can imagine it getting messier: what if I tell you about related
keys that I don't consider equivalent, or the other way around?

And we lose the straight forward compression dkg suggested, and I don't
think we can rely on transport compression to work on armored
certificates, for example, because if two identical fingerprints are not
a multiple of three bytes apart, they will appear differently in the
armored stream.


Best,
Justus