[openpgp] Re: Encryption subkey selection

Daniel Huigens <d.huigens@protonmail.com> Thu, 01 May 2025 17:10 UTC

To: Justus Winter <justus@sequoia-pgp.org>
CC: openpgp@ietf.org

Hi all,

I would like to try to make a slightly more concrete proposal here,
justified in part by the parallel post about PQC key selection [1].

I would propose that we add a single flag to the certificate, in a
direct-key signature (for v6) or primary User ID binding signature (v4)
subpacket, which says: "please encrypt to all valid encryption subkeys
in this certificate". By default, the flag would be off.

If it's off (explicitly or implicitly), the implementation should select
the newest valid encryption subkey, or - if there are multiple valid
encryption subkeys with the same creation timestamp - the subkey with
the highest _algorithm ID_.

This is based on the assumption that we won't add new algorithms that we
consider to be less secure than the ones we already have. If we ever do,
we could carve out an exception at that point, or recommend that people
don't use it in parallel with a more secure algorithm in a subkey with
the same creation time.

This guidance would also be consistent with the recommendation in
draft-ietf-openpgp-pqc-07 to prefer PQC subkeys over traditional
subkeys, though that was removed in draft-08, but I think perhaps
we should bring it back (see [1]).

Finally, as discussed before, this would enable both multi-device setups
with one encryption subkey per device (when the flag is on), and also
encryption algorithm migrations without certificate rotation (when it's
off), just not both at the same time. I think wanting both at the same
time is quite an edge case that we shouldn't worry about. I know I said
before that we shouldn't worry about encryption algorithm migrations
without certificate rotation either, but if it's useful for PQC and
helps to get that draft out the door sooner, perhaps that's worth
reconsidering. Also, I think the mechanism above is still quite simple.

Hopefully this makes some sense, but let me know what you think!

Best,
Daniel

[1]: https://mailarchive.ietf.org/arch/msg/openpgp/ipOOKb5TKii_xtNxe3gifF50d2w/
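
The selection rule proposed in the message above, as an added sketch that is not part of the original post or of any OpenPGP implementation. The `Subkey` fields, the `encrypt_to_all` parameter name and the simplified `is_valid` check are assumptions made for illustration; the sample certificate is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Subkey:
    label: str                      # constructed name standing in for a fingerprint
    algo_id: int                    # OpenPGP public-key algorithm ID
    created: int                    # creation time, seconds since the epoch
    can_encrypt: bool               # key flags permit encryption
    revoked: bool = False
    expires: Optional[int] = None   # absolute expiry time, None = never

def is_valid(k: Subkey, now: int) -> bool:
    # Simplified validity (assumption): a real implementation also verifies
    # the subkey binding signature and the state of the primary key.
    if k.revoked or not k.can_encrypt or k.created > now:
        return False
    return k.expires is None or k.expires > now

def select_encryption_subkeys(subkeys, encrypt_to_all: bool, now: int) -> List[Subkey]:
    valid = [k for k in subkeys if is_valid(k, now)]
    if not valid:
        return []   # caller must refuse to encrypt rather than fall back
    if encrypt_to_all:
        return valid   # flag on: one recipient per valid encryption subkey
    # Flag off (explicitly or implicitly): newest subkey wins, ties on the
    # creation timestamp are broken by the highest algorithm ID.
    return [max(valid, key=lambda k: (k.created, k.algo_id))]

NOW = 1_750_000_000   # constructed "current time"
CERT = [              # constructed certificate, not taken from the thread
    Subkey("old-ecdh", 18, 1_600_000_000, True),
    Subkey("new-x25519", 25, 1_700_000_000, True),
    Subkey("new-x448", 26, 1_700_000_000, True),
    Subkey("revoked-newest", 25, 1_740_000_000, True, revoked=True),
    Subkey("signing-only", 27, 1_745_000_000, False),
]

def labels(keys):
    return [k.label for k in keys]

if __name__ == "__main__":
    print("flag off:", labels(select_encryption_subkeys(CERT, False, NOW)))
    print("flag on: ", labels(select_encryption_subkeys(CERT, True, NOW)))
```

With the flag off, the revoked subkey is skipped even though it is the newest, and the two subkeys sharing a creation time are separated by algorithm ID.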