[openpgp] 1PA3PC: first-party attested third-party certifications (making Key Server Prefs no-modify actionable)

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 28 August 2019 05:31 UTC

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
Cc: Heiko Stamer <HeikoStamer@gmx.net>
Date: Wed, 28 Aug 2019 01:31:42 -0400
Message-ID: <87tva1am9t.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/hHLFrIhccgJgw6_8MvNE9NgjaOI>

Hi OpenPGP folks--

The "No-modify" flag for Key Server Preferences has never been
particularly actionable, because the keyserver has no way to tell
whether the certificate-holder intends for third-party certifications to
be redistributed or not.

After a few discussions with other implementers offlist [0], i'm
proposing a new, simple way that the certificate holder (the "first
party") can attest to some number of specific third-party
certifications, to indicate that they're redistributable.

[0] https://gitlab.com/dkg/draft-openpgp-abuse-resistant-keystore/issues/1
    and several discussions on #hagrid on IRC

The shorthand for this "first-party attestation of third-party
certifications" is 1PA3PC.

The abuse-resistant keystores draft makes clear that such an attestation
is necessary to be able to distribute third-party certifications while
retaining first-party sovereignty over the certificate.  But that draft
(up through version -04) proposes a more-complicated mechanism using
third-party confirmation signatures embedded in unhashed subpackets.

The new mechanism i'm proposing here is just a list of digests over
third-party certifications, stored in a hashed subpacket in the
self-sig.  This has two major advantages over the more complex proposal:

 * it's simpler to specify and to implement.

 * the first party can pretty easily change their mind about their
   preferred attestations for a given User ID by issuing a new self-sig;
   no need for juggling/redistributing explicit revocations of the
   attestations from the first party, which made the abuse-resistant
   keystore draft much uglier.

There are two downsides as i see it, neither of them particularly bad:

 * there is an overall space limitation in the hashed subpackets (64KiB
   tops, probably less given other overhead), so the keyholder can't
   attest to arbitrarily many third-party certifications.  However, even
   when using SHA512 (64B per attested certification), with even tighter
   constraints (like autocrypt, where the whole cert must be < 10KiB),
   there is still room for attestation of dozens of third-party
   certifications.  That's more than enough for reasonable use.

 * It encourages/requires certificate holders to issue new self-sigs
   when they want to change their attestations.  If a certificate store
   that doesn't prune superseded self-sigs encounters a rapidly-changing
   set of attestations, this might cause a bit of bloat.  But the
   certificate store can just start pruning to fix that problem.

This new proposal (diff for RFC 4880bis attached) claims subpacket
codepoint 37 for shipping these attestations.  I've also put this
proposal as a merge request here:
https://gitlab.com/openpgp-wg/rfc4880bis/merge_requests/20

1PA3PC test vector and example
------------------------------

Below is an example of this form of 1PA3PC, using ed25519.

The third-party certifier:

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEXWYJVBYJKwYBBAHaRw8BAQdAFa8edTtqPPjjMVwac8Z+LCTbQLJv8zE7YI/8
TB8Wo7vNJkNlcnRpZmljYXRlIEF1dGhvcml0eSA8Y2FAZXhhbXBsZS5jb20+wm0E
ExYIABUFAl1l0RQCGwECFQgCF4ACGQECHgEACgkQCzDFEKWiYTfSTgEAr5HQLoxx
JLEYiEwLfixmGj5O0egfuQ8w/j+TovDvacMA/iUe9H8oyxqGKFoTn5hj0abG72mL
BWGh2++7J+BpUI8A
=W+bG
-----END PGP PUBLIC KEY BLOCK-----

The end user certificate, with the third-party certification and a
self-sig that attests to it:

-----BEGIN PGP PUBLIC KEY BLOCK-----

xjMEXWYJVBYJKwYBBAHaRw8BAQdA3RPxU734ifWKfZMLChBCYYCD3Pq6mV1RFyhh
H4vSq77NHFRlc3QgVXNlciA8dGVzdEBleGFtcGxlLmNvbT7CXgQQFggABgUCXWXR
HgAKCRALMMUQpaJhN3V/AQD8tnvWlpuXEjPDX4jxJ9COhobYS3UG8Id4i0Mhe/4c
wAD8DehW+aDn7+Nv0qPJrUuyDeODHj7/MCvvEaxltrgjkQ/CjwQTFggANwUCXWXR
KAIbAQIVCAIXgAIZAQIeASElZykynZ95I3ov66EDuDZE1g6By2V0gE0Z0RlkE1DT
CsQACgkQ1NdAbG04n/QVxwEAgZ812nc7lqISocouns7Z7Zi7LHj8RyI9JrpmmDio
fXkA+wRUUxgsQ63nyWfOJDvMl5Z57IKQOvlWJrtmSZ9ORGwG
=ApYY
-----END PGP PUBLIC KEY BLOCK-----

I'd be happy to hear any feedback, both about the proposed patch to the
spec, and about the test vector i've included here.

      --dkg
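
The layout carried by the end-user test vector above, as an added example that is not part of the original message or of the proposed spec text: a minimal Python packet walker that reads each signature's hashed area and pulls out the Key Server Preferences no-modify bit and the digests in the proposed subpacket 37. It assumes each digest has the length of the containing signature's own hash algorithm; the function and constant names are illustrative.

```python
import base64

CERT = base64.b64decode("""
xjMEXWYJVBYJKwYBBAHaRw8BAQdA3RPxU734ifWKfZMLChBCYYCD3Pq6mV1RFyhh
H4vSq77NHFRlc3QgVXNlciA8dGVzdEBleGFtcGxlLmNvbT7CXgQQFggABgUCXWXR
HgAKCRALMMUQpaJhN3V/AQD8tnvWlpuXEjPDX4jxJ9COhobYS3UG8Id4i0Mhe/4c
wAD8DehW+aDn7+Nv0qPJrUuyDeODHj7/MCvvEaxltrgjkQ/CjwQTFggANwUCXWXR
KAIbAQIVCAIXgAIZAQIeASElZykynZ95I3ov66EDuDZE1g6By2V0gE0Z0RlkE1DT
CsQACgkQ1NdAbG04n/QVxwEAgZ812nc7lqISocouns7Z7Zi7LHj8RyI9JrpmmDio
fXkA+wRUUxgsQ63nyWfOJDvMl5Z57IKQOvlWJrtmSZ9ORGwG
""")  # end-user certificate test vector from the message (armor and CRC line removed)
ATTESTED, KSP = 37, 23  # codepoint 37 from the proposal; 23 = Key Server Preferences
DIGEST_LEN = {1: 16, 2: 20, 3: 20, 8: 32, 9: 48, 10: 64, 11: 28}  # assumed: sig's own hash

def read_len(buf, i, two_octet_max):  # packets pass 223, subpackets pass 254
    b = buf[i]
    if b < 192:
        return b, i + 1
    if b <= two_octet_max:
        return ((b - 192) << 8) + buf[i + 1] + 192, i + 2
    if b == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled")
        n, j = read_len(data, i + 1, 223)
        yield data[i] & 0x3F, data[j:j + n]
        i = j + n

def hashed_subpackets(sig):
    i, end = 6, 6 + int.from_bytes(sig[4:6], "big")  # v4 hashed area starts at octet 6
    while i < end:
        n, i = read_len(sig, i, 254)
        yield sig[i] & 0x7F, sig[i + 1:i + n]  # mask off the critical bit
        i += n

def attestations(cert):  # yields (signature type, no-modify flag, attested digests)
    for tag, body in packets(cert):
        if tag == 2 and body[0] == 4:  # v4 signature packets only
            subs = dict(hashed_subpackets(body))
            blob, step = subs.get(ATTESTED, b""), DIGEST_LEN[body[3]]
            if len(blob) % step:
                raise ValueError("attestation list is not a whole number of digests")
            ksp = subs.get(KSP, b"")
            digests = [blob[k:k + step] for k in range(0, len(blob), step)]
            yield body[1], bool(ksp and ksp[0] & 0x80), digests
```

Only hashed subpackets are read, so an attestation placed in the unhashed area, which the self-signature does not cover, is never reported.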