Re: [openpgp] marking subkeys as constrained for specific use -- new key usage flags?

David Shaw <dshaw@jabberwocky.com> Tue, 05 March 2013 15:19 UTC


On Mar 5, 2013, at 4:41 AM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> Hi good OpenPGP people--
> 
> I use both OpenPGP and OTR.  my OTR implementation has its own public key.
> 
> I can see a use case for indicating my OTR public key directly as a
> subkey on my main OpenPGP key, so that anyone who knows me via the
> OpenPGP web of trust could have their tools automatically authenticate
> me (without having to do any of the various OTR authentication
> handshakes explicitly).
> 
> I also think i would like this subkey to be unambiguously identified as
> an OTR public key, so that it is not accepted for use in any other
> context (e.g. it would be bad if someone who was able to compromise my
> OTR client and steal my OTR key was able to use the secret key material
> to impersonate me over SSH).
> 
> How could i indicate such a clear constraint?
> 
> I have a couple of ideas, and would be happy to hear people's thoughts:
> 
> A) allocate 0x40 of the usage flags [0] to mean "use in OTR".
> 
>  What kind of work needs to be done to get a new bit allocated there?
>  Is allocating a new bit reasonable?
> 
> B) use the "authentication" usage flag with a critical notation.
> 
>   Since the OTR subkey is clearly used for authentication purposes,
>   perhaps the right way to go is to mark the key as authentication-
>   capable in the usage flags, but also add a critical notation
>   indicating that the scope of use is limited to otr.  Does such a
>   thing already exist?
> 
> Option A seems cleaner to me (since no existing implementations would
> mistake such a marked subkey as useful for anything else), but i worry
> about how it would scale in the bigger picture -- how many such bits are
> we going to need to allocate if keys can be useful elsewhere?
> 
> OTOH, maybe that's not a big deal.  And option B seems risky in the near
> term -- how many OpenPGP implementations will actually respect the
> critical bit and reject that subkey binding signature if they know that
> they are not in the OTR context?

I'd do this with a notation (option B, which can be marked as critical if you desire).  The Usage flags are helpful but I don't think they have the ability to carry enough information to really state what you are trying to say.  Usage is more "this key may be used for authentication", and it sounds like what you're looking for is "this key may be used for authentication, but only in the context of OTR".

I can't speak for all OpenPGP implementations, but GPG will correctly reject a subkey binding signature if it has a critical notation that GPG doesn't know about.  I'm not sure if that helps or hurts your plan, though, as without adding code to GPG to understand your notation, you won't easily be able to show a connection from your OpenPGP key to the OTR subkey.

David
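
The critical-notation behaviour discussed in this thread, as an added example that is not part of either message and is not GnuPG code: it parses the subpackets of a subkey binding signature per RFC 4880 and refuses authentication use when a critical notation is not understood by the calling context. The notation name `otr-only@example.org`, the helper names and the sample bytes are assumptions constructed for illustration; signature verification and the other subpacket types a real implementation understands are left out.

```python
import struct

KEY_FLAGS, NOTATION = 27, 20   # RFC 4880 signature subpacket types
FLAG_AUTH = 0x20               # key flag: may be used for authentication

def subpacket(sp_type, body, critical=False):
    """Encode a subpacket (one-octet length form only); bit 7 of type = critical."""
    if len(body) + 1 >= 192:
        raise ValueError("body too long for one-octet length")
    return bytes([len(body) + 1, sp_type | (0x80 if critical else 0)]) + body

def notation(name, value, critical=False):
    """Notation data: 4 flag octets, name length, value length, name, value."""
    n, v = name.encode(), value.encode()
    body = b"\x80\x00\x00\x00" + struct.pack(">HH", len(n), len(v)) + n + v
    return subpacket(NOTATION, body, critical)

def parse(area):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def usable_for_auth(area, understood=frozenset()):
    """True if the binding grants authentication use in a context that
    understands the notation names in `understood`."""
    flags = 0
    for sp_type, critical, body in parse(area):
        if sp_type == KEY_FLAGS and body:
            flags = body[0]
        elif sp_type == NOTATION and len(body) >= 8:
            name_len = struct.unpack(">H", body[4:6])[0]
            name = body[8:8 + name_len].decode("utf-8", "replace")
            if critical and name not in understood:
                return False   # critical notation we do not understand: reject
        elif critical:
            return False       # any other critical subpacket is unknown here
    return bool(flags & FLAG_AUTH)

# Constructed sample: auth flag plus a hypothetical critical "OTR only" notation.
OTR = "otr-only@example.org"
SAMPLE = subpacket(KEY_FLAGS, bytes([FLAG_AUTH])) + notation(OTR, "1", critical=True)
```

A context that does not know the notation (an SSH client, say) gets `False` from `usable_for_auth(SAMPLE)`, while an OTR-aware caller passing `{OTR}` gets `True`; the same notation without the critical bit is accepted everywhere, which is why the critical bit carries the constraint.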