Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey

Daniel Huigens <d.huigens@protonmail.com> Mon, 29 April 2024 15:13 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0123C14F610 for <openpgp@ietfa.amsl.com>; Mon, 29 Apr 2024 08:13:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_4RjOb_L9iN for <openpgp@ietfa.amsl.com>; Mon, 29 Apr 2024 08:13:23 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5C44C1C412D for <openpgp@ietf.org>; Mon, 29 Apr 2024 08:10:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1714403439; x=1714662639; bh=ao0WAXkLGUOQDOcqd22qZyVEZhNqKSbfF6mQBGgqd2A=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=H0gAd5lmtNtsjHNkehC1dCPiTAnoDrIxjgWTiH5dV/TtsLG/PCPq6luD8/RYwMmpd 6C0eBH/0ZW+qlYeGnYzBxxNDldJZwFeEkGJHSbismrZkWieo+Ke7DTYsKR7cq2yoIH JS4rnLOqjjO8Q+JfIcIbZNNuXVpYBH9RYdMY+8rYMNtOO0a3Y64Wp1mMUeTGPbDlGn BYEzdVP11QfjyKOHQBdKIAPMWJ/vPfywVgBhznxDvTn1S30cVibsAxm7WQbKaI2jE+ fwHYeX4Q3g8JNoqFTSEsFcagmHFstBFkMcLZAzlYjrYCfSNyJCImHitShx1GAv335U E3JSjZ8bqayVA==
Date: Mon, 29 Apr 2024 15:10:32 +0000
To: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Simon Josefsson <simon@josefsson.org>, openpgp@ietf.org
Message-ID: <tPdBr7QK7VoBsKag0QafjtDv9mB_jBTxHI00f_gSyM8SnUPkPukP2FqmSc-zcccXkvl13s8pDhnuNr9JkzgnY_XVNJlEEpUpqWvN1Ufw2Jg=@protonmail.com>
In-Reply-To: <74AAE7BF-BD6C-4F27-9BFF-A4AA972056A4@andrewg.com>
References: <87o7anhybr.fsf@fifthhorseman.net> <87jzkunest.fsf@fifthhorseman.net> <87y199g67k.fsf@kaka.sjd.se> <A0B535B4-215B-4159-9F39-0D33C24ECF2F@andrewg.com> <87frvhnhx0.fsf@fifthhorseman.net> <74AAE7BF-BD6C-4F27-9BFF-A4AA972056A4@andrewg.com>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: c18b7b04de46a51e0f56e62f23bc0cd3cfdaccae
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/sDg4YS3RnzhUh97S-xeXVqfZBPA>
Subject: Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Apr 2024 15:13:28 -0000

Hi Andrew,

On Wednesday, April 24th, 2024 at 16:41, Andrew Gallagher wrote:
> Key distribution methods that carry implicit trust (such as Autocrypt and WKD) do not strictly require a key replacement mechanism, however implementations that perform TOFU should(!) normally warn if they see that a key has changed.

IMO, this is only true if we are in a scenario where the user has
explicitly opted to trust the original key. If we use Autocrypt or WKD
for "opportunistic" (so to speak) encryption automatically, without any
user interaction, we shouldn't then turn around and warn the user when
the key changes, either, as they'll have no context on what they're
being warned about.

But, even if we are in the first scenario...

> In such a scenario the key replacement subpacket could suppress the TOFU key-change warning.

... this is only true if the key replacement subpacket is considered
to transfer the trust from the old key to the new one, right? I read
Section 5 of draft-gallagher-openpgp-replacementkey as saying that
we shouldn't place any special trust in the new key based on this
subpacket. I'd imagine, that if we do want to transfer trust, we can
sign the new key using the old key - but that's already possible today.

So to me, the main advantage of (the preferred key server subpacket in
combination with) the replacement key subpacket would seem to be being
able to signal how to automatically (update, and now) replace the key,
in cases where you weren't able to do that before, e.g. if the key was
uploaded manually. Or, when using Autocrypt, it'd allow you to update
the key proactively if you haven't received an email from a contact in
a while.

But, both of those things are only true if the key already has a
preferred key server subpacket when it's uploaded (or if the client is
willing to make some guess(es) about which key server might likely have
updates to the key - but at that point, it might as well query by email
address, rather than querying by fingerprint and then following the
replacement key subpacket to find the new key).

So, if that's the use case you want to serve, I'd think we should
recommend putting the preferred key server subpacket in a self-signature
*before* the key is replaced. Though, to be perfectly honest, that'd
require a level of foresight on the side of the generating party that
I'm not sure is realistic, but one can hope, of course :')

Best,
Daniel