[openpgp] primary key binding signatures (0x19) for non-signing subkeys

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 March 2013 21:07 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 96E7C11E810A for <openpgp@ietfa.amsl.com>; Tue, 12 Mar 2013 14:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id RDSo3NaJDVAL for <openpgp@ietfa.amsl.com>; Tue, 12 Mar 2013 14:07:06 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org []) by ietfa.amsl.com (Postfix) with ESMTP id 1619111E80E9 for <openpgp@ietf.org>; Tue, 12 Mar 2013 14:07:06 -0700 (PDT)
Received: from fifthhorseman.net (lair.fifthhorseman.net []) by che.mayfirst.org (Postfix) with ESMTPSA id E0DCFF980 for <openpgp@ietf.org>; Tue, 12 Mar 2013 17:07:04 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id E30B81FF23; Tue, 12 Mar 2013 17:07:04 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF OpenPGP <openpgp@ietf.org>
User-Agent: Notmuch/0.15.2 (http://notmuchmail.org) Emacs/23.4.1 (x86_64-pc-linux-gnu)
Date: Tue, 12 Mar 2013 17:07:01 -0400
Message-ID: <87li9s2uq2.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Subject: [openpgp] primary key binding signatures (0x19) for non-signing subkeys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 21:07:06 -0000

hi OpenPGP folks--

I'm wondering whether authentication-capable subkeys should require
primary key binding signatures (aka "back-sigs" or
"cross-certifications").  There seems to be consensus that
signing-capable subkeys need back-sigs, but it's not clear whether
authentication-capable subkeys need the same thing.

RFC 4880 says:

>   For subkeys that can issue signatures, the subkey binding signature
>   MUST contain an Embedded Signature subpacket with a primary key
>   binding signature (0x19) issued by the subkey on the top-level key.

Many (all?) authentication schemes that use public keys involve making a
signature of some data during the authentication exchange.

This suggests to me that authentication-capable subkeys should have a

Also, i'm considering the possibility of OTR-OpenPGP linkage i mentioned
in a previous thread.  It occurs to me that if Alice manages to
authenticate Bob using some OTR handshake, and she wants to bootstrap
her way from that mutual authentication into an OpenPGP authentication,
then a back-sig is critical.

Mallory can already make her own OpenPGP primary key, attach Bob's User
ID to it, and then attach Bob's actual OTR key as a subkey.  If Alice
just scans the keyserver for primary keys that have Bob's OTR key as a
subkey, there is no way for her to distinguish between Bob's actual key
and Mallory's Fake-Bob key.  A back-sig would provide such a
distinguishing mechanism.

Practically, at least one common implementation (GnuPG) does not create
a back-sig for authentication-capable keys.  Should it do so?  Do other
implementations do so?

Are there any downsides to including a back-sig in every
authentication-capable subkey?