IETF Logo Mail Archive

Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 19 April 2019 06:50 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D91B1202A7 for <openpgp@ietfa.amsl.com>; Thu, 18 Apr 2019 23:50:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=KZN1BRUh; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=XDeHA3Qx
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NLQxlqhjHc2D for <openpgp@ietfa.amsl.com>; Thu, 18 Apr 2019 23:50:01 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECDBE12010D for <openpgp@ietf.org>; Thu, 18 Apr 2019 23:50:00 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1555656599; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=q+gReLEtwKXXjT4HIPidIWeZgoYdgZOalLNXRWmQR7g=; b=KZN1BRUhi8YQlzgHjlziLbJVmYdRk4ccxIxSG9Uu5O1z7IIDYFgLqokR wuODWzgEedkDQVdjchquQXqoE2vfDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1555656598; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=q+gReLEtwKXXjT4HIPidIWeZgoYdgZOalLNXRWmQR7g=; b=XDeHA3Qxm6LsKvvz/9mwX+u5FRVxbdfq2FYmIsfpwaVxr8NgtoYaEn2m VGYuIW+7gDozV9cNSr9LoeNl6mdQ5ghX30yYtwTWc2u/IygNAPJ8Re0kmb H7CQdHA2b9LW5DC2WsawyKptL+XWGBjVwkNK8KsnHFhs8u7ANwfMmAP+G3 J0l3RKeNFI22nUH7A+HqMnrmWmQRjUHCq4C9Dimzl1LQ6/E2k0mlpmHFFg tPSiSvsLTpE9TJ2RLrGJfYyyU9vlRYvJ87fESS9633k5WMN1bpUaiw71Jg o0sHmzjWIONoaTzjDmj6n/J3ukfcWoXAVWYVXWbxInQa1Ff4gtQrVQ==
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id A12D2F99E; Fri, 19 Apr 2019 02:49:57 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 64ED5202AF; Fri, 19 Apr 2019 02:49:55 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: ilf <ilf@zeromail.org>, openpgp@ietf.org
In-Reply-To: <87h8ax3chy.fsf@fifthhorseman.net>
References: <87v9zt2y2d.fsf@fifthhorseman.net> <20190412201300.GJ1226@zeromail.org> <87ef635hmt.fsf@fifthhorseman.net> <20190416195614.GH1226@zeromail.org> <87h8ax3chy.fsf@fifthhorseman.net>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Fri, 19 Apr 2019 02:49:54 -0400
Message-ID: <87d0lizdyl.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ZQ8gH2P3mX32-RGJHWtiIQ2cJ1I>
Subject: Re: [openpgp] Modelling an abuse-resistant OpenPGP keyserver
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2019 06:50:15 -0000

On Tue 2019-04-16 16:45:45 -0400, Daniel Kahn Gillmor wrote:
>    I think the next draft will use "certificate discovery" to refer only
>    to this third case, and will rename lookup-by-user-id to "certificate
>    lookup".  Does that make sense?

I've just released version 03, which makes this change, and also adds
more nuance related to the ecosystem around keystores and how that might
have to change in the face of abuse-resistant keystores.  Identifying
and naming this distinct interface helped to surface another attack,
fingerprint flooding, which is also now documented.

The new version is here:

   https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03

From the document's changelog:

substantive changes between -02 and -03:

 * new sections:
   * Keystore Interfaces
   * Keystore Client Best Practices
   * Certificate Generation and Management Best Practices
 * rename "certificate discovery" to "certificate lookup"
 * redefine "certificate discovery" to refer to lookup by signing (sub)key
 * new attack: fingerprint flooding
 * new retrieval-time mitigations -- tighter filters on discovery and update
 * recommend in-band certificates where possible to avoid discovery and lookup
 * new privacy considerations:
   * distinct keystore interfaces
   * certificate update
   * certificate discovery
   * certificate validation
 * more nuance about unhashed subpacket filtering
 
I really appreciate the feedback i've gotten in the course of this
writeup, and welcome more.

In particular, if someone has any pointers to how to think about e-mail
address canonicalization within an OpenPGP User ID (which is a UTF-8
string), especially in the context of IDN and non-ASCII local-parts
(does this mean RFC2047-decoding or encoding?) i'd love to see some
pointers (or even better, proposed text).

The full text of the markdown source for -03 is attached below.

    --dkg

v2.23.0 | Report a Bug | By Email