IETF Logo Mail Archive

Re: [openpgp] Clarify status of subkeys with certification use

Leo Gaspard <ietf@leo.gaspard.ninja> Fri, 25 May 2018 10:27 UTC

Return-Path: <ietf@leo.gaspard.ninja>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D239126C0F for <openpgp@ietfa.amsl.com>; Fri, 25 May 2018 03:27:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=leo.gaspard.ninja
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id koZmU8q914ko for <openpgp@ietfa.amsl.com>; Fri, 25 May 2018 03:26:59 -0700 (PDT)
Received: from smtp.gaspard.ninja (grym.ekleog.org [94.23.42.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE7361200A0 for <openpgp@ietf.org>; Fri, 25 May 2018 03:26:58 -0700 (PDT)
Received: by smtp.gaspard.ninja (OpenSMTPD) with ESMTP id 12cfb35f for <openpgp@ietf.org>; Fri, 25 May 2018 10:26:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=leo.gaspard.ninja; h=subject:to:references:from:message-id:date:mime-version :in-reply-to:content-type:content-transfer-encoding; s= grym-20170528; bh=uldqEJ5kFMYTzwSoILGGRE44C8E=; b=b7jbhokqSW1kW3 O5h1qMmtMnp+3oRds+JuzVXk1519aDHklEiMled9C07ffJ1qE8GVz9PaaKgRLtoh gaCHYMhlBf05HYaf/USphGhU6wkwWXhn2L157bWHfvRfo9IM5AwWb//6YX/zYPRV rPTn1yoUQCJx0yHg5EDeltTxZxdqA=
Received: by smtp.gaspard.ninja (OpenSMTPD) with ESMTPSA id c317f0fe (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128:NO) for <openpgp@ietf.org>; Fri, 25 May 2018 10:26:54 +0000 (UTC)
To: openpgp@ietf.org
References: <c37c7f94-edef-7f2d-9151-787112abcbfc@sumptuouscapital.com> <8736yg2gz3.wl-neal@walfield.org>
From: Leo Gaspard <ietf@leo.gaspard.ninja>
Message-ID: <7dcf3192-e004-c95f-7b62-cdbb31f40c0d@leo.gaspard.ninja>
Date: Fri, 25 May 2018 12:26:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <8736yg2gz3.wl-neal@walfield.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/kAedqe1pGFK2BrIpM--VMyumdwk>
Subject: Re: [openpgp] Clarify status of subkeys with certification use
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2018 10:27:02 -0000

On 05/25/2018 11:59 AM, Neal H. Walfield wrote:
> Hi Kristian,
> 
> Justus and I have been thinking about how to realize per-device keys
> and approximate forward secrecy.  These two things are related: if we
> want devices to do their own key rotation (and I think this is
> sensible, as the alternative is to somehow regularly transfer secret
> key material to each device), then the devices need to be able to
> generate self-signatures.  Since we don't want all devices to have
> access to the primary key, each device could have its own
> certification subkey.
> 
> We also want the master device to be able to revoke individual devices
> if the device is compromised or retired, etc.  Using certification
> subkeys, it is straightforward to revoke an individual device: we just
> revoke its certification subkey, which automatically revokes any
> self-signatures that that certification subkey might have made.
> 
> (For those familiar with object capability terminology: one way to
> think of a certification subkey is like a capability wrapper.)
> 
> 
> Consequently, please do not remove certification subkeys from RFC
> 4880bis.  If anything, I would prefer that RFC 4880bis clarifies that
> certification subkeys should be supported.
> 
> Thanks,
> 
> :) Neal & Justus

Another use case supporting this opinion: certification subkeys are also
a way to increase the security of an offline OpenPGP key, as with them
it becomes possible to put the master key behind a diode while still
being able to certify keys, and only ever move data out:
 1. On the machine with the master key, generate a certification subkey
 2. Move the certification subkey to another system, less trusted
 3. Push the to-be-signed key to this other system
 4. On this other system, certify the to-be-signed key
 5. Rotate the certification subkey from time to time to be able to
revoke one were it compromised

This thus enables people to participate to the WoT without compromising
master key security. I wanted to do this for my key, but learned that it
was a not-very-supported capability bit, and had to fallback to pushing
the to-be-signed keys to my offline system, thus making it handle
untrusted data.

So I think clarifying that certification subkeys MUST be supported would
be better indeed, so that people can assume RFC4880bis-compliant
implementations do support them, both for the use case described by Neal
(ie. usability) and this one (ie. security).

Just my 2¢,
Leo

v2.23.0 | Report a Bug | By Email