IETF Logo Mail Archive

Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey

Andrew Gallagher <andrewg@andrewg.com> Fri, 19 April 2024 11:00 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBB7DC14F6F2 for <openpgp@ietfa.amsl.com>; Fri, 19 Apr 2024 04:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r5lySNZ3OUoZ for <openpgp@ietfa.amsl.com>; Fri, 19 Apr 2024 04:00:08 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FFB0C14F5E9 for <openpgp@ietf.org>; Fri, 19 Apr 2024 04:00:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1713524404; bh=jiwEAmf1m74gF4R+MAOa1+Rt3UvMp/5jaYFzvPCcnw4=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=fbtNphUYIENAtvO/wAMWSZKX3dQn6ChHTk50mu6f0e5AJw3obBmb+ZUNNmKr8qWcL uN9P3MhYxI9ZvkGWsrk3NO2A8rz2Fnbz+TfT+0xS65gn3t0a5igQapS10tXHcnNFWU wlHjRm/lokQu+FdXLMTJPApNsSDYUhdFvofxqyVlBMoeYgwu/e8EFrKq/IIIw2S9JM 5dtumZ57EmUnE+fxqV/RV5Bw+C1BYbSu16FlPPsONVDxdKTpWFJipOlOGH+hFwWGIl RpBCJFidv3u5AZZ6ycGe7RrkN7Lwnh+dnnOMyj0pYlhPLpvd4nwcXQeImOBW5lQbqk g2pKj/O66XSNw==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 61D495DCA6; Fri, 19 Apr 2024 11:00:04 +0000 (UTC)
From: Andrew Gallagher <andrewg@andrewg.com>
Message-Id: <014C79AF-92AE-4ED1-A431-80D425F5A540@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_50C50799-7740-42CB-9EEC-375BB3489B17"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
Date: Fri, 19 Apr 2024 11:59:46 +0100
In-Reply-To: <77c4139f-3532-4b11-9771-6ac7c448e6a3@mtg.de>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, IETF OpenPGP WG <openpgp@ietf.org>
To: Falko Strenzke <falko.strenzke@mtg.de>
References: <87o7anhybr.fsf@fifthhorseman.net> <87jzkunest.fsf@fifthhorseman.net> <77c4139f-3532-4b11-9771-6ac7c448e6a3@mtg.de>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/rnJ03bz0xVTGkG6n9li3LLyUiVY>
Subject: Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Apr 2024 11:00:14 -0000

On 19 Apr 2024, at 07:48, Falko Strenzke <falko.strenzke@mtg.de> wrote:
> As one (maybe naive?) concrete suggestion: Might it make sense to provide the option to simply include the whole replacement certificate in the subpacket? That would address the distribution problem directly. Of course any concerns regarding placement of trust into the replacement key would remain untouched by this.
> 

Hi, Falko.

We did consider this, however it has two concrete disadvantages.

1. It would significantly bloat the old key. Since this is a subpacket of a normal self-signature, it would need to be included in every subsequent self-signature to prevent it being overridden. While this may not be a significant issue on a revoked key, which is unlikely to be further self-signed, this would have a cumulative effect on a non-revoked key (specifically in the "parallel PQC" case).

2. The replacement key in such a subpacket may be stale, particularly if the old key has been revoked and is not being actively updated with newer copies of the replacement. The first thing that an implementation should do on receiving such a key is therefore to check for new signatures online, particularly revocations. If online updates are being done anyway, there is no advantage gained by distributing a stale key.

There are cases where 2. above is impractical, say for systems that do not (regularly) connect to the internet. In such cases, it is simpler and more efficient to distribute a single keyring containing the two keys side by side.

A

v2.23.0 | Report a Bug | By Email