Re: [openpgp] OpenPGPv5 wish list

ianG <iang@iang.org> Mon, 29 April 2013 09:40 UTC

Message-ID: <517E3FFE.1070005@iang.org>
Date: Mon, 29 Apr 2013 12:40:14 +0300
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: openpgp@ietf.org
References: <20121212104620.GA35659@redoubt.spodhuis.org> <50D0AB16.5020505@brainhub.org> <CAN+za=O4NcLtN=Etm-7UC4SY=ndan_0n167rkDfKqcpEp0W25g@mail.gmail.com> <2584059.Q9cNNqxsta@inno> <517E0250.1040708@sixdemonbag.org> <20130429111532.7e53c7f6@gmail.com>
In-Reply-To: <20130429111532.7e53c7f6@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [openpgp] OpenPGPv5 wish list
Precedence: list

On 29/04/13 12:15 PM, Jean-Jacques wrote:

> 2) What is the key used for?
>
> And I see at least 4 purposes :
>   - To authenticate itself through TLS  [RFC6091]
>   - Maybe To sign other certificates (subkeys on smartcard issues)
>   - To authenticate through HTTP (gpgauth or
>     https://github.com/Open-UDC/open-udc/blob/master/docs/HTTP_OpenPGP_Authentication.draft.txt)
>   - To sign an OpenUDC transaction.
>
> I work especially on the 2 last purposes. And having the possibility
> for the owner to set descriptions, or more flags on its (sub)keys inside
> its OpenPGP certificate, would be a more elegant solution than some
> workaround we have to manage.

Some comments from my experience/perspective, only.  In my work I have 
done this by using pgp's comment field aka uid.  Here's some:

$ gpg -k | grep uid

uid                  Iang [certification] (Africa-2012) <iang@iang.org>
uid                  Iang [contract] (lowsec-PIZZA-only) <iang@iang.org>
uid                  Systemics [operator] (Africa-2012) <iang@iang.org>
uid                  Systemics [server] (Babba-2012) <iang@iang.org>
uid                  Systemics [receipt] (Babba-2012) <iang@iang.org>
uid                  Systemics [receipt] (offa-20130101) <iang@iang.org>
uid                  Systemics [server] (offa-20130102) <iang@iang.org>

In my software I use the [tag] for the purpose, the (text) as a human 
comment, and everything else as the name of the keyholder.  You could do 
whatever tho.

Perhaps more on point, I do not want the OpenPGP system to provide me 
with bits that allow me to set purpose or anything else, because OpenPGP 
is too low-level.  My designed claims like "this is an operator key" are 
too involved in the business layer to be foisted onto anyone else.  The 
history of key-bits being used for human claims suggests this is a fast 
way to failure.  E.g., non-revocation and the infamous 
you-must-understand-me bit.

I don't know if this logic applies to anyone else.  But if it did, 
hypothetically, I might record your claims in my key uids as such:

uid                  Iang [HTTP-auth] (social-networks) <iang@iang.org>
uid                  Systemics [UDC-agent] (Black-2012) <iang@iang.org>

iang

Re: [openpgp] OpenPGPv5 wish list Jean-Jacques
Re: [openpgp] OpenPGPv5 wish list ianG
Re: [openpgp] OpenPGPv5 wish list Philippe Cerfon
Re: [openpgp] OpenPGPv5 wish list Werner Koch
Re: [openpgp] OpenPGPv5 wish list Philippe Cerfon