Re: [openpgp] Unuploadable Keys
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 July 2015 21:11 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9592C1B30A0 for <openpgp@ietfa.amsl.com>; Tue, 21 Jul 2015 14:11:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aNich8CaMsOd for <openpgp@ietfa.amsl.com>; Tue, 21 Jul 2015 14:11:43 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 9062A1B309D for <openpgp@ietf.org>; Tue, 21 Jul 2015 14:11:43 -0700 (PDT)
Received: from fifthhorseman.net (31.208.broadband18.iol.cz [109.81.208.31]) by che.mayfirst.org (Postfix) with ESMTPSA id 6593CF984; Tue, 21 Jul 2015 17:11:42 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id C8F29202F9; Tue, 21 Jul 2015 23:11:40 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Neal H. Walfield" <neal@walfield.org>, IETF OpenPGP <openpgp@ietf.org>
In-Reply-To: <87a8uxlcvz.wl-neal@walfield.org>
References: <87a8uxlcvz.wl-neal@walfield.org>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Tue, 21 Jul 2015 23:11:40 +0200
Message-ID: <87615dkygj.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/bN10gQUc7t0QbP1aQImyEv85fzA>
Subject: Re: [openpgp] Unuploadable Keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 21:11:45 -0000
Hi Neal--
On Wed 2015-07-15 16:21:52 +0200, Neal H. Walfield wrote:
> OpenPGP has support for local signatures. It would be nice to have
> something similar for keys as well. The motivation for this feature
> is: some people have keys that they don't want to have widely
> distributed and training others to respect this is very difficult.
>
> Concretely, it should be possible to mark a key as not exportable to a
> keyserver or to provide a list of key servers (perhaps described using
> regular expressions as per Section 8 of RFC 4880) to which it may be
> exported.
>
> This could be implemented as a new signature subpacket.
>
> When the key is exported (e.g., using gpg2 --export KEYID), a
> warning should be issued that the key is not intended for public
> distribution.
I like this idea, though i'm not sure how useful it is as currently
proposed.
You could craft an OpenPGP certificate with all its self-sigs marked
non-exportable, and that should have roughly the same effect for other
users of GnuPG. You'd have to use --import-options import-local to
import it at all, or else it would have no valid self-sigs, which GnuPG
should reject as a poorly-formed certificate.
However, this arrangement (or your signature subpacket proposal) has a
set of problems that make it far from ideal protection, especially in
the face of potentially adversarial users:
0) Any existing key (one with a self-sig that does *not* have this
feature set) can't add this feature in a reliable way -- a new
self-sig can just be stripped out of the certificate and the
remaining certificate (with the previous self-sig) will be back to
being "exportable".
1) The keyservers would need to respect the value and decline to accept
or propagate such keys. SKS currently doesn't even respect the
non-exportable flag for non-self-sigs
(https://bitbucket.org/skskeyserver/sks-keyserver/pull-request/20),
let alone verify the cryptographic validity of signatures.
2) GnuPG doesn't currently let you make non-exportable self-sigs, as
far as i can tell (i just tested 2.1.6 with gpg2 --expert --lsign;
maybe this is a bug in gpg, though)
3) anyone can just post the key publicly in a non-keyserver way
(e.g. to the web) if they really want to do so.
So the question is whether having this as an advisory mechanism (not a
perfect bulwark against adversarial publication) is worthwhile. If it
is worthwhole, would this interpretation of non-exportable self-sigs be
a sufficient mechanism?
This is certainly something worth considering clarifying in rfc4880,
whether it's introduced as a separate subpacket, or a clearer
recommendation of how to treat non-exportable subpackets in a self-sig.
--dkg
- [openpgp] Unuploadable Keys Neal H. Walfield
- Re: [openpgp] Unuploadable Keys Daniel Kahn Gillmor
- Re: [openpgp] Unuploadable Keys Werner Koch
- Re: [openpgp] Unuploadable Keys Neal H. Walfield
- Re: [openpgp] Unuploadable Keys Gregory Maxwell
- Re: [openpgp] Unuploadable Keys Vincent Breitmoser
- Re: [openpgp] Unuploadable Keys Daniel Kahn Gillmor