[openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
Heiko Schäfer <heiko.schaefer@posteo.de> Fri, 13 September 2024 11:56 UTC
Return-Path: <heiko.schaefer@posteo.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C445EC16943D for <openpgp@ietfa.amsl.com>; Fri, 13 Sep 2024 04:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWld2wblahPt for <openpgp@ietfa.amsl.com>; Fri, 13 Sep 2024 04:56:38 -0700 (PDT)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A2ECC151071 for <openpgp@ietf.org>; Fri, 13 Sep 2024 04:56:37 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id AB037240027 for <openpgp@ietf.org>; Fri, 13 Sep 2024 13:56:35 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1726228595; bh=ykdYbslO3TyowVczhPvoOzsKH9jZAPJj9WKEfG6h3EQ=; h=Content-Type:Message-ID:Date:MIME-Version:Subject:To:From:From; b=Ff+GyPa1BIKqTwY3iB2yApBSArjJ3an0nmcNScEmJ8wAXSW2R8kHr2uR9tMumXVgu c2O/umgIY0nwkjLMPP+e+Ik92rBX2pGaFJF4nMgf0MgCUdTo3RaDCX8nNH2rccEeCg ddsUWvY3s10yLxMRt+gAoX7c5ApRIhTwPWKyvSLNtGuBVQdgy6h11uZN8YRSFSW7IM sNbmtK7NE4xXhhDj6hnTILoD1cVrFeXyswOgbG+s43c6B2x76Rehw1RxPHP6ItnPt1 t+idWmaqDDlHdd2Ied0pM4+HceW/S7A3ycP2kPr5j4vm/tr2poklHNPze2WVLSrDv0 otxqaOiUyjwZQ==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4X4t7l1n7Cz6tmv for <openpgp@ietf.org>; Fri, 13 Sep 2024 13:56:35 +0200 (CEST)
Received: from services.foundation.hs (services.foundation.hs [192.168.21.4]) by mail.foundation.hs (Postfix) with ESMTP id BD7B9705C5 for <openpgp@ietf.org>; Fri, 13 Sep 2024 13:56:34 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------Dtg00b5GAItpzLXEQQBWFX0c"
Message-ID: <0aa16b8d-e217-481a-b039-c64f3b92937f@posteo.de>
Date: Fri, 13 Sep 2024 11:56:33 +0000
MIME-Version: 1.0
To: openpgp@ietf.org
References: <I1AVKcpZIk0c47n7JbfpMHn0RmQv7YTkXvRC7JbH_MRPfKvd4V6jn50E0pIcaANbAZ4-khxFgIGLk5D1rDsJgPTQgvNoqbPzbj5WEd5rUc0=@protonmail.com> <5ED82E08-5973-4C4D-8726-49B24646DF2D@andrewg.com> <8dasmNRbHHCaM5m_appBMcCDLKuk4fT1CMnWZMmzAK77m_C4lRKIR1dlYqBzL9zW5CdFXUfv5LPuU46w5uMEGMtnN-cCxJaeGRzks0gQYC0=@pm.me>
Content-Language: en-US
From: Heiko Schäfer <heiko.schaefer@posteo.de>
In-Reply-To: <8dasmNRbHHCaM5m_appBMcCDLKuk4fT1CMnWZMmzAK77m_C4lRKIR1dlYqBzL9zW5CdFXUfv5LPuU46w5uMEGMtnN-cCxJaeGRzks0gQYC0=@pm.me>
Message-ID-Hash: 2JRE3VVW36DQM23ODDEKDJ65LYR77SJB
X-Message-ID-Hash: 2JRE3VVW36DQM23ODDEKDJ65LYR77SJB
X-MailFrom: heiko.schaefer@posteo.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/n9ImhO53zglIvG12geUWAIOnzRc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
As Andrew outlined, in some of the existing PKI mechanisms, the fingerprint is currently the best/most specific lookup key. It would seem unfortunate to me not to include the fingerprint in a replacement key mechanism (which is presumably often going to involve client software attempting to do PKI lookups). Heiko On 9/13/24 1:48 PM, Bart Butler wrote: > I’m fairly agnostic on this as long as we don’t make it optional and > introduce yet another degree of freedom. One other advantage of not > including the fingerprint would be to force implementations to verify > using the imprint. But either approach is fine. > > > On Fri, Sep 13, 2024 at 11:01 AM, Andrew Gallagher > <andrewg=40andrewg.com@dmarc.ietf.org <mailto:On Fri, Sep 13, 2024 at > 11:01 AM, Andrew Gallagher <<a href=>> wrote: >> On 13 Sep 2024, at 08:42, Daniel Huigens <d.huigens@protonmail.com> >> wrote: >> > >> > In the email case specifically, you _could_ take it as a signal to say, >> > "oh there's a replacement key, but I don't know where/which it is, >> > so I need to go fetch this contact's keys again (by email address)". >> >> Sure, but I’m thinking specifically of the cases where lookup by >> email address isn’t efficient, e.g. if there is no WKD on the domain >> and there are a number of fake keys on the keyservers. If we compare >> with the design goal of trying to match the behaviour of subkeys as >> much as possible, leaving out fingerprints does complicate the lookup >> process in the general case. >> >> A >> _______________________________________________ >> openpgp mailing list -- openpgp@ietf.org >> To unsubscribe send an email to openpgp-leave@ietf.org > > _______________________________________________ > openpgp mailing list --openpgp@ietf.org > To unsubscribe send an email toopenpgp-leave@ietf.org
- [openpgp] Splitting replacement keys subpacket in… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… iang
- [openpgp] Re: Splitting replacement keys subpacke… Justus Winter
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Heiko Schäfer
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Neal H. Walfield
- [openpgp] Re: Splitting replacement keys subpacke… Justus Winter
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens