IETF Logo Mail Archive

Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 19 April 2024 21:48 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D894C14F6F1 for <openpgp@ietfa.amsl.com>; Fri, 19 Apr 2024 14:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="cFmuqBoV"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="jhVP+L+/"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJoTfaJqsbF1 for <openpgp@ietfa.amsl.com>; Fri, 19 Apr 2024 14:48:17 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97560C14F6E4 for <openpgp@ietf.org>; Fri, 19 Apr 2024 14:48:17 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1713563295; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=bKTj3Lp1THReCrwmm8+3Y5WHBbCr8p0IAB3hFCvi4rM=; b=cFmuqBoVjUs2GJ59fsPp9ehiucuWz2MYwy2rgtdQHHzksGQBBgNpfz/N1OuXMF+Ul4WXa 1HuOyT30c0DyxQmDg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1713563295; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=bKTj3Lp1THReCrwmm8+3Y5WHBbCr8p0IAB3hFCvi4rM=; b=jhVP+L+/VqbQrrimnI6rzKH9EUnaKDYaSV4K6fUFrhBTuv3WCcgJAbX5fZcJ1khwdd8Qk L1+qoiNCTl1MHvDnj3LwYYGhE76wh8F2VsuYSAiWp1g3gOe8STgvEg/V9pwtL2y03HyxPjO Goy2MqmIkmZBRNeFMFpAFitB+TrKd7nSricYZ4uyRQE16fBw8QT5+eDc9GF9LZoDNyy5t93 g6JjW60sLbJoD009DtLVNOi6IYK8PT6u1MZgvjek3RUiXJzh89vc9KNG/oo1gakQk1yqWh8 DG5AmJz0r0AgnjgcLID/ME6yynHZRail+oXBAPMDyUHzC7VssVYcPG7y91ug==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id CB551F9DA; Fri, 19 Apr 2024 17:48:14 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 5542D20606; Fri, 19 Apr 2024 17:47:56 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Andrew Gallagher <andrewg@andrewg.com>, Simon Josefsson <simon@josefsson.org>
Cc: openpgp@ietf.org
In-Reply-To: <A0B535B4-215B-4159-9F39-0D33C24ECF2F@andrewg.com>
References: <87o7anhybr.fsf@fifthhorseman.net> <87jzkunest.fsf@fifthhorseman.net> <87y199g67k.fsf@kaka.sjd.se> <A0B535B4-215B-4159-9F39-0D33C24ECF2F@andrewg.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= xjMEZXEJyxYJKwYBBAHaRw8BAQdA5BpbW0bpl5qCng/RiqwhQINrplDMSS5JsO/YO+5Zi7HCi QQfFgoAMQWCZadnIAUJBdtHCwMLCQcDFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu36RAUlea/ cACgkQu36RAUlea/edDQD+M2QjnoEyu/TjI+gRXBpXQ5jCsnnp9FdYhaSSUW/vZ8kBAJByWlj A9aMfVaVrmvgcYw7jzJz+gmZspBRB++5LZ20NzRc8ZGtnQGZpZnRoaG9yc2VtYW4ubmV0PsLA EQQTFgoAeQMLCQdHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEu/CS CeyWwC6j4ihJr2u/z6delsF1pvYW3ufgf1L538DFQoIApsBAh4BFiEE1HcEDHDCFWpcKYVJu3 6RAUlea/cFAmWnX5AFCQXZ8EUACgkQu36RAUlea/cjVwD+ONjdHM74rAa6EEiiqaPjlptiaZx CVqFYXnib6EbZARkBAPnnR8pW8vCBnDXHKu65jNqwF3aH761NaOqqMFfppg8GzjMEZXEJyxYJ KwYBBAHaRw8BAQdAjX25Fq2Q9IUFeHy6yByIQPBnFOedFliuEiCIUzJsENDCwMUEGBYKAS1HF AAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnwqKWsw56uoWVLIFcs7ZecJ gwpsSNevWCzbviKQ8yRLUCmwK+oAQZFgoAbwWCZXEJywkQdy0WHjXNS4FHFAAAAAAAHgAgc2F sdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEIJSOxuw2y/UJmg5M3BLpN0JYjODZpXiEVFu 1byARzMWIQR0vATEPYYIS+hnLAZ3LRYeNc1LgQAAsH8BAKg1C5LK/D7pSkXCD+jfTSP+CqM58 iHLjh4vKhpOKsTJAQCHldtEjxJ1ksPTFgG9HihHH7qc6/wvvLw77ETMpwlrAxYhBNR3BAxwwh VqXCmFSbt+kQFJXmv3BQJlp1+rBQkCF4lgAAoJELt+kQFJXmv3ydsA/2roQZ2Jm/7iUrg/2C5 ClWA/xbvPC31LyMkGGH2/rq8tAP9BgqLuCPnNTVPqeX9+9qqMmaFq7wmvjq5I+yycAw9CDc44 BGVxCcsSCisGAQQBl1UBBQEBB0BZMsRrRaaeFSYMF1ZdfRmVgBriDUIr99eDQ085BK14DgMBC AfCwAYEGBYKAG5HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnsazAWX tEHUPmSTmcRZAIsAsNiO8k0hdjsfRlRVipgJgCmwwWIQTUdwQMcMIValwphUm7fpEBSV5r9wU CZadfqwUJAheJYAAKCRC7fpEBSV5r90AjAPwLgY1iKiFJEj32SVD5f721929l79VxQB5FlQss x1n5kQEA6Uct2tPvbB6T7p5KG3Gl+tbi7oJAuxFmpkpW5/N2Owg=
Date: Fri, 19 Apr 2024 17:47:55 -0400
Message-ID: <87frvhnhx0.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/aDu0dCc6QUFJ19SqOrVWXH1jCd4>
Subject: Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2024 21:48:22 -0000

My comments below are as an implementer and a user, not wearing any
chair hat.

On Fri 2024-04-19 11:59:52 +0100, Andrew Gallagher wrote:
> On 19 Apr 2024, at 08:30, Simon Josefsson wrote:
>> Two rough outlines of problem statements:
>> 
>>   1) replace human written key transition documents
>> 
>>   2) enable automatic non-interactive upgrades to PQ keys

[…]

> I don’t believe that use cases 1 and 2 are in conflict, I think they
> are clearly distinguished by whether the old key remains valid or is
> expired/revoked.

fwiw, i don't expect an OpenPGP tranition document (case 1) to require
that the old key be expired/revoked.  Common practice for a transition
document for Alice seems to be that Alice leaves her old certificate
valid while she gathers certifications on her new certificate.

There may well be multiple stages to a transition.  From the perspective
of the keyholder, here's an exhaustive list of the possible steps i can
think of, roughly in the order that it seems reasonable to take them:

1. publish intent-to-expire on old cert
2. create new cert
3. configure local tooling to use new cert as well as old for decryption
4. distribute new cert to gather 3rd-party certifications ("transition document")
5. configure local tooling to use new cert as well as old for signing
6. publish new cert (with 3rd-party certifications) in standard(?) channels
7. add replacement information to old cert, re-publish old cert
8. configure local tooling to not use old cert for signing
9. revoke old cert
10. destroy signing-capable secret key material from old cert
11. publish revoked old cert
12. harvest and retain session keys for encrypted data deemed worth keeping
13. destroy decryption-capable secret key material from old cert

Depending on the properties of the transition, maybe some of these steps
aren't necessary.  And there might be months or years between some of
these steps.

And, depending on the outcome of some of these steps, you might want to
roll the process back somehow.

Do you think the use cases section (in the pending MR) of the draft
could be a place to work through these steps, from the keyholder side?

It would be useful to think through the interactions between the
keyholder's steps and the steps taken by the peer, who is relying on the
certificate(s) as well.

> A receiving implementation that first validates both keys and then
> orders them according to the replacement key indirection will behave
> sensibly in either case.

I think teasing that apart a bit more could be useful.

In practice, it isn't uncommon for people use OpenPGP in a sort of TOFU
(or YOLO) fashion, where "meh, it's better than cleartext, we'll see
whether it works" seems to be the operating principle.

It's not clear what "validates both keys" means for this mode of
operation.  That is, the first certfificate has already been "validated"
(by the user saying "sure, ok by me"), but of course the new certificate
has not yet been through this process.

I think it would be useful for the draft to at least try to address what
it means for this mode of operation instead of completely waving it
away.

When certificate validation is automated and invisible (like X.509),
saying "do the same thing for both certs and only use the new one if (a)
you know how to use it, and (b) it validates silently and correctly for
the relevant User ID" make sense.  But what are the impacts on the user
experience if the user has to interact during the validation process?

           --dkg

v2.23.0 | Report a Bug | By Email