[openpgp] Re: I-D Action: draft-ietf-openpgp-replacementkey-01.txt
Daniel Huigens <d.huigens@protonmail.com> Fri, 15 November 2024 23:39 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E1F3C180B41 for <openpgp@ietfa.amsl.com>; Fri, 15 Nov 2024 15:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibCXyqmW61Rv for <openpgp@ietfa.amsl.com>; Fri, 15 Nov 2024 15:38:57 -0800 (PST)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A04A1C17C89D for <openpgp@ietf.org>; Fri, 15 Nov 2024 15:38:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1731713935; x=1731973135; bh=8MyHdWDoVf9WJZ80mn/ebKBhKYHGrCnJeys//2ifkFs=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post; b=O1USg7jaGsx6eylsPF/548VPEhzUWZkUzhl8pmLAOs7gYU/JhqMeCJrxM3yE39ugM lERYvyf1nXUtz4l299ukmToesnGjZgV9tcugZWikpdPK4lajB2n0yB4GAs0LOkzz1W UdDuqwyvwPQQAxKps3lnxTXda/6do0ECUuKR+cspxKUmDsxdq1UKhtx5GmWoStnbcp 16GlYImHVn2gjsTF42h6xiut/5v7EI0JIpMqh1HOg03PEVXwYUjhv5JX8ePxlNBdbh aQeGGV6meGX38yRS01HuHX4SfqHczYcqu+FAnAI9VYl09vojWX/YjfaYKCNwgpW282 vl/PloYxKUTqA==
Date: Fri, 15 Nov 2024 23:38:53 +0000
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <n5d9S1LMnWcBedf1s81m0ixnQpl2ZLMUnFX2rYCAOQXjSxExz2vnvcZ-mIiZcpr16o4zObieFUyqzhnLiWNAMkZslk_rOGpfdE89RjKZEoE=@protonmail.com>
In-Reply-To: <8AF30CAC-9E83-4629-9100-6F6DCFA4584A@andrewg.com>
References: <172954607466.2080527.11129941200377024335@dt-datatracker-78dc5ccf94-w8wgc> <B498EDD0-1FE4-405B-81AD-8E4854720B6F@andrewg.com> <F082F1E1-8779-45AA-897B-CDE8DDF95B40@andrewg.com> <tTD49Q9CCd7cUJK2anZkb4NYq2JS5f4Krv0N3IwmyeYOl2sSotwa2uheNT4il9BzhQtx26q7Avlwufd5Zr09t0cOqa-x74MjNdrjNUE6f_o=@protonmail.com> <85D1D96A-EEC1-4C0A-9A6F-E7BF14554567@andrewg.com> <ai21-U0l-5xqlffeNXg9qeRMY6Kp4dv5Hhxe8dYF5DcWPkLI0Ab6KpGs4qnaVvhytkTR9jtgHtS646sdEuU051bS4IXADvOowyteudKHkpA=@protonmail.com> <8AF30CAC-9E83-4629-9100-6F6DCFA4584A@andrewg.com>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: d6d177ff86f568eca853b58d74f05ad632d73bdb
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: LCBYG225HIZF4OEG7DZLTUP5XDR32FGI
X-Message-ID-Hash: LCBYG225HIZF4OEG7DZLTUP5XDR32FGI
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF OpenPGP WG <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: I-D Action: draft-ietf-openpgp-replacementkey-01.txt
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Y3rV5WP2VSLxSfMQIFVBJ941czU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi Andrew, The reasoning makes sense to me, so I'd agree with dropping the "no replacement" bit. Indeed I also don't particularly see a use case for explicitly stating the default. --- To throw another (hopefully not-too-big) spanner: I have previously argued in defense of the name "replacement key" (as opposed to e.g. "replacement certificate"), mostly because in my mind the draft described the process of a key holder replacing their (private) key as much as replacing the public key/certificate. _However_, if we add persistent symmetric keys to the mix, this might not be true anymore. E.g.: the key holder could switch from a v4 ECC key to a v6 PQC key _plus_ a v6 symmetric key, but their correspondents only see them switching from a v4 ECC certificate to a v6 PQC certificate, and this draft will only describe that part. Concretely, this means that the draft also can't be used to decide which _key_ to use (when signing or encrypting for private storage, for example), only which _certificate_ to use (e.g. for communication). (Perhaps the draft should spell that out explicitly?) And so, though I have my own mild reservations about the term "certificate" for TPKs, it's clear enough, and given the above, I find myself agreeing more with Justus's point that perhaps the draft and subpacket should be renamed to "replacement certificate". Alternatively, we could change the scope of the draft slightly and also include the scenario I described above, but nevertheless the _subpacket_ should probably still be named "replacement certificate" as there's no real point including a replacement persistent symmetric key in it. Best, Daniel On Friday, November 15th, 2024 at 19:55, Andrew Gallagher wrote: > Hi, all. > > Justus reminded me[1] that there is no standard definition (yet!) of hard v soft revocations, so I’ve included some text in the latest gitlab copy to cover that omission. It currently reads: > > — > > * "hard-revoked" means the key has been revoked with a Reason for Revocation subpacket specifying "Key material has been compromised" or "No reason specified"; the absence of a Reason for Revocation subpacket is equivalent to "No reason specified”. > > * "soft-revoked" means the key has been revoked with a Reason for Revocation subpacket specifying "Key is superseded" or "Key is retired and no longer used”. > > If a Key Revocation signature contains a Replacement Key subpacket, a Reason for Revocation subpacket MUST also be included, to prevent it from being interpreted as "No reason specified", which is a hard revocation. > > * if the Replacement Key subpacket has the "no replacement" bit set, the Reason for Revocation subpacket SHOULD indicate "Key is retired and no longer used”. > > * if the Replacement Key subpacket does not have the "no replacement" bit set, the Reason For Revocation subpacket SHOULD indicate "Key is superseded”. > > — > > The requirement for an explicitly soft Reason for Revocation subpacket flows directly from the normal interpretation of hard revocations as meaning “no signatures made by this key are trustworthy, including this one”. A Replacement Key subpacket in a hard revocation signature is therefore non-functional, so we have to provide a soft Reason for Revocation subpacket, which is constrained to either “Key is superseded” or “Key is retired and no longer used”. However, this appears to duplicate the semantics of the 0x80 “no replacement” bit in the scenario where a key has been revoked. > > The only context where the “no replacement” bit still appears to have distinct semantics is in the case where a) the current key is not revoked, b) there is no other preferred or fallback key, and c) the key owner wishes to make an explicit statement to that effect. But since a) plus b) represents the default scenario, it seems unnecessary to cater for such an explicit non-statement. > > So I’m going to throw a last-minute spanner in the works and ask: do we still need the “no replacement” bit? I know that Daphne and I both previously argued that we do, but the particular scenario that I had in mind was being able to differentiate between “revoked, no replacement” and “revoked, replacement unspecified” which seems to be already covered by Reason for Revocation values, and is in any case not meaningful to an automated process. > > A > > [1] https://gitlab.com/andrewgdotcom/openpgp-replacementkey/-/issues/25 > > _______________________________________________ > openpgp mailing list -- openpgp@ietf.org > To unsubscribe send an email to openpgp-leave@ietf.org
- [openpgp] I-D Action: draft-ietf-openpgp-replacem… internet-drafts
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Daniel Huigens
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Heiko Schäfer
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Daniel Kahn Gillmor
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Daniel Huigens
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… andrewg
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Daniel Huigens
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Daniel Huigens
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher
- [openpgp] Re: I-D Action: draft-ietf-openpgp-repl… Andrew Gallagher