IETF Logo Mail Archive

Re: [openpgp] Code-signing in OpenPGP [was: Re: SLH-DSA code points]

Daniel Huigens <d.huigens@protonmail.com> Wed, 27 March 2024 11:29 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82BE1C14F694 for <openpgp@ietfa.amsl.com>; Wed, 27 Mar 2024 04:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwtPEoZ8pzGd for <openpgp@ietfa.amsl.com>; Wed, 27 Mar 2024 04:29:25 -0700 (PDT)
Received: from mail-4322.protonmail.ch (mail-4322.protonmail.ch [185.70.43.22]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11643C14F614 for <openpgp@ietf.org>; Wed, 27 Mar 2024 04:29:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1711538962; x=1711798162; bh=scQYwSzCRjwhBShuFu1KvxGYLIJIyPZ4LSw2lXvsNeY=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=TRvG1hxirAEZf+J3LuvOx16GNz1SrG5A0PHoelVzajlqoTdkR6VLhHDod5YM5AG1v dU7EEgUjLzlTlaRJbNUEovoWHqRtH3j2ZBm8pmiTpxnjDOV4lw7Uol/4vHOE4AiFyS mfLx6ci9IInf5G8ZCvr+6G/COTGxXZCupxTYjwQdOzg5aDB2eLAbpVth992cPTjL7U OUiKpzSdWH8yUi2eqVWwGNVN6UkZkPSqwxrKeg/2dkabyBCbd0y0w8CM2fU57BJWya tMmvT9Bx+Kah2z2J1mqoA+sb2WOy/iughscQfyWGXAiu/BDoFArAP9bki8Vcw6NWjE 1xQauJN6tW6Jw==
Date: Wed, 27 Mar 2024 11:28:49 +0000
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Message-ID: <a7dj0COE8fCSe-gDvJNBZCDdpvirmbqOa7BCFVnxldzltqHqQxQITHOo5qXSFNBMm8_LChRIhAf7uWEx6Z_j9J18i1pn5F54vxXklOf2DcA=@protonmail.com>
In-Reply-To: <877chokidv.fsf@fifthhorseman.net>
References: <42ff8d55-88a9-4c84-99bd-688f1d29b508@mtg.de> <cmw0WtLf6I-72e-G31FTB9xrwcccedIXaLi0QxYKjN-q9HAwCryEfqHwv6tZnlc2O3STIbVEoFY7gRzENrRBS8EDd_2lKWwx33UQBPrG204=@protonmail.com> <87bk763ykr.fsf@fifthhorseman.net> <p86TXWysxVMhaMALowJJ-XayfefZDjgA7v6oFb8YX7H8bXPdC-IYo8-GBsbfQg_xlzUJdzA5UCeOGfXfJUrQ_dxyYxwPtOm9DDKtIb1aubQ=@protonmail.com> <877chokidv.fsf@fifthhorseman.net>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/oRbbo6Ua2R3R8c1ocXekQcX0E9c>
Subject: Re: [openpgp] Code-signing in OpenPGP [was: Re: SLH-DSA code points]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 11:29:29 -0000

Hi dkg,

On Tuesday, March 26th, 2024 at 18:33, Daniel Kahn Gillmor wrote:
> And the corollary seems to be that if there are multiple secret keys,
> just sign with each of them. I'm proposing to make this the default for
> `sop`, since sop was previously ambiguous about that.

I don't think this really solves your original problem in [1], right?
If you use all keys, the performance is always at least as bad as the
slowest algorithm, and the security is still only as good as the
primary key, at most (since it signs the binding signatures).

My idea was, if you have an SLH-DSA primary key and an EdDSA subkey, you
could use EdDSA for short-lived signatures, and SLH-DSA for long-lived
ones. That way, you have fast signing when long-lived signatures aren't
important, and high security/longevity when needed.

> right, i don't think there's a good UI for this either -- "make
> signature likely to be invalidated sooner" is not an option most users
> will reasonably want to check.

If the tradeoff is between signing performance and signature longevity,
I think there are reasonable scenarios where the user would choose the
former; basically the use cases in your first list in [1].

As a high-level API for choosing an algorithm in both SOP and OpenPGP
implementations, I would propose two axes / parameters: security and
longevity. For example, --security=high could lead to choosing Curve448
instead of Curve25519 (which btw should not be called "low security",
but rather "standard" or so), and --longevity=high could lead to
choosing SLH-DSA (with a security level depending on --security).
This could apply both to key generation, and to signing and encryption
(if an appropriate key is available).

Alternatively, the (default?) longevity could be chosen automatically
based on the expiration date, but then (in the case of SOP) we'd need
to add an API for that first, and it might be nice to keep them separate
since the expiration can always be extended but the algorithm can't be
changed.

Note that security and longevity would be orthogonal to but potentially
affected by the profiles - e.g. --profile=rfc4880 --security=high might
lead to using 4096-bit RSA, and so on. Some combinations might not be
possible, e.g. --profile=rfc4880 --longevity=high could return an error.

---

Finally, to actually solve the original problem using SOP, it would also
need to learn about subkeys, e.g. by inventing generate-{encryption,
signing}-subkey commands. That way, you could put it all together with:

  sop generate-key --longevity=high --signing-only > key1
  # Might generate an SLH-DSA primary key, given an appropriate profile.

  sop generate-signing-subkey --longevity=standard < key1 > key2
  # Might generate an (ML-DSA+)EdDSA subkey, depending on the profile.

  sop sign --longevity=standard/high key2 < msg > sig
  # Select which (sub)key to use.

Not entirely trivial, of course, but hopefully not insurmountable for
an informed user, either.

---

In GopenPGP v3, we've implemented the "security" axis of this proposal,
as documented at [2]. Once we add PQC, we could add the "longevity" axis
too. Note that I'm not proposing that we specify in SOP which algorithm
the implementation should pick in each of the security/longevity/profile
combinations, but rather to pass it along to the OpenPGP implementation
(or, if it exposes an option to choose an algorithm directly, the SOP
implementation could make a judgement call).

Best,
Daniel

[1]: https://mailarchive.ietf.org/arch/msg/openpgp/PTBjyBcrNQwAYvy8HpUc2AFyLM0/
[2]: https://github.com/ProtonMail/gopenpgp/tree/v3#generate-key

v2.23.0 | Report a Bug | By Email