[openpgp] Re: Encryption subkey selection
Daniel Huigens <d.huigens@protonmail.com> Tue, 08 April 2025 18:06 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B99B3192046F for <openpgp@mail2.ietf.org>; Tue, 8 Apr 2025 11:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQzDeA5pQMrD for <openpgp@mail2.ietf.org>; Tue, 8 Apr 2025 11:06:53 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DCBA5192046A for <openpgp@ietf.org>; Tue, 8 Apr 2025 11:06:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1744135609; x=1744394809; bh=AS5m+18TpST2PulXQ2CtHq7ihC2GQui/zXQXz3rX+AY=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post; b=uMfH65IepUSvOLLHKOmGQ5zvS1+nW/RxEh+VcWgdwiD0F9Dal14PugomLvFVn8JIm OEAg7yD6O2uOM5yWm2XTE/4Ch0BC8z34z0jEUrJTQz3y89xpKUS+mTG6V3ZU8CUUOg 8o2ZdWTPE/DXLnCcKPljIjTin6gY21iZjkSPL0cxpCNsHtTazIXJsyv+YvgbS1URwb Ip7hysvTjRAW8RB6DMXISDMj750dUv98eD1F9RV1DxGC74fq+duxSDbE2n36xtCAtW vpiFd6+gEnaINpAXLOKhjRxe4b/LqcFCMlvqLU7h4+XcMqI/zVYSENhlDaEbYqp6Jf qmpCKHKkEgslQ==
Date: Tue, 08 Apr 2025 18:06:45 +0000
To: Justus Winter <justus@sequoia-pgp.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <dI4YtuyWCyCqKizRafc2sNHBFSRSuQEt-03l8CBI-bRD4SPN7701nRDLFYtu0hwve96cG3Q4kIglx6oVTIAiJbVJseQRzLrt2AoKpSLes28=@protonmail.com>
In-Reply-To: <87h631mvol.fsf@thinbox>
References: <87h631mvol.fsf@thinbox>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 6c99cc810e1ad7c1a147e44937cbf07a2b52ef69
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 6IGL2CZ5EUDNRJBOJK6A3YLVX5ZSRWKB
X-Message-ID-Hash: 6IGL2CZ5EUDNRJBOJK6A3YLVX5ZSRWKB
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: openpgp@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: Encryption subkey selection
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/mg8dBjC3_8nKnzDSZIf1XUmpQTs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi Justus & all, I agree that it would be good to reach a consensus on this, and that if we assume that we want to support one-subkey-per-device setups (e.g. for use with integrated HSMs, to be able to generate a key on each of your devices in hardware), which seemed to be the conclusion from the multi-device session at the summit, then we probably need some mechanism for that. _However_, I want to raise one specific potential solution that Patrick Brunschwig proposed in that session, which is a variant of "List of sets of subkeys", but rather than introducing some new encoding for this, we could simply say: each certificate is such a list of subkeys. In other words, we pick the first certificate, see if it's usable, if so use all valid encryption subkeys in that certificate. If not, try the next certificate. And so on. This means that, to migrate to a new encryption algorithm, you also need to generate a new certificate. Often we want to do that anyway: in the migration from RSA to ECC, and ECC to PQC, we've introduced both new encryption algorithms and new signing algorithms. I know this goes a bit against what I've said previously and also conflicts with the concept of "certificate equivalence" in the key replacement draft (because multiple subkeys across linked certs would then not behave the same as multiple subkeys in a single cert). _But_ if we all agree that we need some mechanism for this then I think it's best to pick the simplest possible mechanism. --- Alternatively, as an intermediary solution, we could have a single _per-certificate_ flag which says: please use all valid encryption keys in this certificate. (And potentially also: if you don't understand all encryption subkeys, please use the fallback certificate instead, if there is one. That being said, I think it would be a bit silly and a very niche edge case if you want to e.g. use a mix of ML-KEM-768 and ML-KEM-1024 subkeys in your latest cert, _especially_ you're going to ask the sender to encrypt to all of them, as then there's no security advantage to using ML-KEM-1024 in one/some of the subkeys). That way, we could keep the existing behavior for a single cert, if needed (so that you could still do a encryption algorithm migration within a single cert if you only have a single device), but could opt-in to the new behavior (from our perspective; obviously for Sequoia it'd be the other way around) if you have multiple devices. The only thing you then can't do is an encryption(-only) algorithm migration within a single certificate with per-device subkeys. But, that kinda seems like an edge case within an edge case.. Best, Daniel
- [openpgp] Encryption subkey selection Justus Winter
- [openpgp] Re: Encryption subkey selection Andrew Gallagher
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Bart Butler
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Andrew Gallagher
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Daniel Huigens
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Daniel Huigens
- [openpgp] Re: Encryption subkey selection Andrew Gallagher
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Andrew Gallagher
- [openpgp] Re: Encryption subkey selection Justus Winter
- [openpgp] Re: Encryption subkey selection Daniel Huigens
- [openpgp] Re: Encryption subkey selection Daniel Kahn Gillmor
- [openpgp] Re: Encryption subkey selection Falko Strenzke
- [openpgp] Re: Encryption subkey selection Daniel Huigens
- [openpgp] Re: Encryption subkey selection Daniel Huigens
- [openpgp] Re: Encryption subkey selection Johannes Roth
- [openpgp] Re: Encryption subkey selection Daniel Huigens