IETF Logo Mail Archive

Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]

Jon Callas <joncallas@icloud.com> Tue, 27 August 2019 20:05 UTC

Return-Path: <joncallas@icloud.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C76E21200FF for <openpgp@ietfa.amsl.com>; Tue, 27 Aug 2019 13:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PvhppeEwmSD3 for <openpgp@ietfa.amsl.com>; Tue, 27 Aug 2019 13:05:36 -0700 (PDT)
Received: from mr85p00im-ztdg06011801.me.com (mr85p00im-ztdg06011801.me.com [17.58.23.199]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7C6E1200DE for <openpgp@ietf.org>; Tue, 27 Aug 2019 13:05:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1566936336; bh=/cYZYw27K4wtzf9HNdwpRUDG9NnLX96dETnIsJd8esw=; h=Content-Type:Subject:From:Date:Message-Id:To; b=bpG++Yk28dGb7DczCFj2GQkgLR+r/uYo4fv8a9qwHNsiozzA7dvCykUeDpnKN533k RDM1ZSCrRthIyZ9wOT2oEBCRHXoMygCYK5UWEl6xAlRkVS/ZP7kF6VZEA7afza2Hgb Ca/UTI70xLrOtDvLNedoLBkjqKAIFSktxeLrcE1z/0Jz9AbGZTf82TA0mJ/8UyLGk8 ihJDVTPwtRxkq65r0494opJR2LS4VphjWIOP/mLmOGd3zwC1D8VPwk3f2FbEg87opz 5wi3Y0WSAmcTsF5UC7Syszg8pAloJfqnI12/TTDyoJhr4SleW7+S5rpswByaiwHjnN JovE0GAQzh1lA==
Received: from [10.125.12.108] (67-207-120-150.static.wiline.com [67.207.120.150]) by mr85p00im-ztdg06011801.me.com (Postfix) with ESMTPSA id 1D416C10C5; Tue, 27 Aug 2019 20:05:36 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Jon Callas <joncallas@icloud.com>
In-Reply-To: <8736hsdfm4.fsf@fifthhorseman.net>
Date: Tue, 27 Aug 2019 13:05:35 -0700
Cc: Jon Callas <joncallas@icloud.com>, openpgp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <CAF751FB-4AFD-4E64-AD8C-E04B3031F50D@icloud.com>
References: <156650274021.14785.10325255315266801149.idtracker@ietfa.amsl.com> <875zmodi1v.fsf@fifthhorseman.net> <8736hsdfm4.fsf@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-08-27_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1812120000 definitions=main-1908270190
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/a3cDfcBSgcp6_5rAJz7T9jPng4U>
Subject: Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2019 20:05:39 -0000


> On Aug 22, 2019, at 3:01 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> The "first-party sovereignty" idea is that the certificate-holder (and
> *only* the certificate-holder) gets to decide what gets shipped with
> their certificate.  But that makes for trouble when the first party
> appears to want to distribute a third-party certification, but the
> keystore is aware of a revocation from the third-party.

Thank you, thank you for "first-party sovereignty" even if I'd say "ownership." This might be relevant below.

In 4880, 5.2.3.17 and the no-modify flag is there intentionally to provide an affirmation that the owner wants sovereignty.

[...]

> 
> My first instinct option is for the keystore to just slap the revocation
> onto Bob's certificate directly.  This is how SKS and other
> non-abuse-resistant keystores have done it in the past.

That's also mine. Of course there is more to it than that, there always is.

> 
> This has a few problems:
> 
> * It violates the "first-party sovereignty" idea.  Bob doesn't get to
>   decide whether this revocation is attached to his certificate or not.

Yes, but it's Alice's certification. I think I can argue that she has a right to revoke her signature, that her signature does not transfer over to Bob.

If this is false, then there's a lot of reason never to sign anyone else's key, because it's therefore irrevocable.

> 
> * It's open to abuse.  What if Alice makes an abusively large
>   revocation signature, or a revocation signature that contains toxic
>   data?

I think that can be taken care of. If Alice did that, I, the key server might decide that my sovereignty overrides hers, and I'm not going to be a party to her abusing Bob.

> 
> * What if Bob then revokes his attestation over Alice's third-party
>   certification, so that the keystore won't ship it?  Then presumably
>   the keystore won't ship the revocation as well.  But then clients
>   that already know about Alice's certification don't get the
>   revocation.

Well, this is why "sovereignty" might be the wrong term.

In my idealized way that I think a key server should work, it should defer to the rules of the game, and one of those rules is that it's Bob's key, and another is that it's Alice's signature. 

A resolution that shipped neither Alice's certification nor her revocation of same is to me an adequate compromise.

> 
> All this is unsatisfactory, so there needs to be another approach.
> 
> The approach i'm proposing in this draft is that revocations of
> third-party certifications are shipped with the *revoker*'s certificate
> (Alice, in the example above), not with the targeted certificate.
> 
> This has some nice properties:
> 
> * "Sovereignty" still holds: Alice still controls what's attached to
>   her certificate, because she can avoid making a revocation if she
>   doesn't want it to be visible there.
> 
> * it's abuse-resistant, because Alice has a strong incentive not to
>   make the revocation abusively large or toxic.
> 
> * A user who cares about Alice's certifications should be regularly
>   refreshing Alice's certificate anyway.  Users who don't care about
>   Alice's certifications don't need to care about her revocations
>   either.
> 
> You can see this as the keystore performing a CRL-like distribution
> service for each certificate that they distribute.  That is, each
> OpenPGP certificate is followed by a "CRL" of zero or more certification
> revocation signature packets, issued by that certificate's
> certification-capable primary key.

Yeah. I just cringed and said, "Oh, dear me, you just invented CRLs and we *know* those don't work.

[...]

> 
> Anyway, i'm thinking that this "CRL" extension to the Transferable
> Public Key might belong in RFC4880bis.  I will propose it as a separate
> patch to that draft, but i wanted to give some motivation behind why i
> think it's important and useful.
> 
> I welcome feedback,

I think that it's better to keep things more or less the way we've done them.

Alice's revocation attaches to her prior certification, and they travel together. They could both be dropped, but not only one. (Even though I can't really imagine the case of no certification, but only a revocation, in completeness.)

If Alice isn't a good citizen and makes an abusive revocation, the server can and should drop it. If Bob wants to just drop Alice's certification along with her revocation, that's fine too.

	Jon

v2.23.0 | Report a Bug | By Email