Re: [openpgp] comments on draft-mccain-keylist-02

[Paul Wouters <paul@nohats.ca>]

On Wed, 13 Feb 2019, Micah Lee wrote:

> I'm adding Miles McCain to this email, who is one of the authors you
> left out.

Oops. sorry about that.

> It's good to understand how RFCs are supposed to get discussed and
> written. I, as well as the other two authors, are new to the IETF
> process. However I don't see how the Note Well is especially relevant to
> this draft RFC, as there has been no talk about patents.

> Can you point to a document that describes the policy you're referencing
> about where discussion of the RFC should take place, and also where
> collaboration of writing the actual document should take place? We
> definitely want to be transparent about the whole process.

An overview can be found at https://www6.ietf.org/tao

See also: https://datatracker.ietf.org/meeting/103/materials/slides-103-edu-sessj-newcomers-overview-for-ietf-103-00

> It's true that there's a potential privacy issue with regularly fetching
> updates, but it's the same issue that all subscription systems have,
> such as Atom feeds (RFC 4287). It's also the same issue if you configure
> gpg to refresh your keyring on a regularly interval.
>
> This privacy issue is more of a fundamental problem with how networking
> works than with any specific standard that relies on subscribing to a
> regularly-changing document, so I don't think it's in scope for this
> specific RFC to tackle.

If one would implement the RFC, what advise would you have to
implementors to reduce this risk? That's the text I'm looking for.

> However, GPG Sync, software that already implements the draft keylist
> RFC, supports an option mitigate this issue by making it simple to fetch
> updates over Tor:

So that would be good to mention in the draft!

> The relevant standard you're probably thinking of is RFC 4880 which
> defines the OpenPGP message format, basically the "-----BEGIN PGP PUBLIC
> KEY BLOCK-----"-type blocks. But that format isn't appropriate for
> keylist subscriptions.

Yeah I was thinking of that.

> Keylists don't include full public keys, they only include fingerprints.

I guess that was a big point of my confusion. I was thinking of the
keylist having keys, not key pointers. So perhaps the term "key list" is
not the right term for this?

> Information in public keys themselves change frequently -- the owner of
> the key might add a UID, update their expiration date, or otherwise
> modify their key. If keylists included actual full public keys, then the
> person maintaining the keylist would have to update it not just when a
> new key is added, but every single time anyone in the the organization
> modifies their key.

But what scales better? An automated central way of pulling those
updates, and everyone else mirroring that, or everyone pulling all
these updates themselves? From a privacy point of view, the first would
be better. From an operational point of view I think the first would
give the best results too. But of course, there is a management issue
on how or what is responsible for this.

> One of the main purposes of keylists is to reduce the amount of work
> required to ensure that everyone in an organization (or anyone who
> wishes to communicate with members of that organization) has the correct
> public key for everyone else.

Just a note, when you say organization, I mapped that in my mind to be
within a single (DNS) domain, or at least within the same administrative
control group. After reading your email, I understand things are meant
to work a lot more informal or scattered over dozens of domains.

> Including full public keys in the keylist would be counterproductive.
> The keylist that my company relies on currently has 228 fingerprints on
> it, and it would add a ridiculous amount of pointless work to maintain
> it if we had to keep track of minor changes in each key (and get copies
> of those changed public keys from their owners), when instead we can
> just keep track of fingerprints.

But wouldn't it be a simple cron job to refresh those keys every day?
And for your members to pull it all from the same location daily? The
additional burden you say you want to avoid is exactly te burden you
put on everyone who wants to use the key list?

>> The biggest problem though is that I see no attempt at providing
>> confidentiality for a key list. Anyone with the URI can get the list
>> of participants.
>
> Keylists are public documents, and anyone can subscribe to them even if
> they're not a member of the organization.

I did not realise all keylists are public. Especially not reading the
opening sentence of the abstract:

    This document specifies a system by which an OpenPGP client may
    subscribe to an organization's keylist to keep its internal keystore
    up-to-date.

Note it specifically says "internal keystore". It would be better to
rephrase that to be the organisations public keystore?

> It might be worth considering the case where people wish to have private
> keylists, but it's not something we have considered yet.

That's worth mentioning somewhere then, possibly the Security
Considerations section.

>> Why not introduce a .well-known location that any organisation can
>> use, so we could try and find key lists for organisations we never
>> talked to before. Perhaps specify a mechanism on how to verify an
>> organisational management key?
>
> We considered introducing a .well-known location, but, as described in
> the draft:
>
>   To subscribe to a keylist, the client must be aware of the keylist
>   URI (see [RFC3986]), and the fingerprint of the authority key used to
>   sign the keylist.
>
> A client must have both the keylist URI and the fingerprint of the
> authority key to subscribe to it -- just the keylist URI is not enough,
> which means a .well-known location would have to also include the
> authority key fingerprint. Doing this would ultimately make the trust of
> the entire system rely on the security of the organization's web server,
> and on HTTPS, as opposed to on the authority key.

So that is an important point. It would be great if we can somehow make
it so they keylists can be trusted via some way. So that if I want to
contact a journalist at firstmedia, I don't need to first somehow
contact the owner of the key that signed the keylist to confirm this is
the real key list (especially with references on members outside of the
actual domain name used by the organization).

We recently had a very similar discussion in SAAG about security.txt,
see:

https://tools.ietf.org/html/draft-foudil-securitytxt-05

https://mailarchive.ietf.org/arch/msg/saag/WoVRqcqmWdbE4mZo42XHBCKb9vg


Note that I'm myself not in favour of the current security.txt proposal,
but it seems that it might be worthwhile to see if your key list idea
and their universal pointer to contact information could work together.

> As described in the draft, only the "fingerprint" field of the key is
> required, and all other fields (name, email, comments, and any other
> arbitrary metadata) are optional, and only there for the sake of the
> organization maintaining the keylist. Clients simply fetch the fingerprint.

Ahh fair point. I'm still a little uneasy at keys changing and getting
new IDs and implying trust, but I guess that's out of scope for this.

Could you mention that fingerprints must be only in the long form, and
not the old short form that is no longer secure enough?

>> Why not use https://wiki.gnupg.org/WKD ?
>> 
>> Why not use OPENPGPKEY DNS records?
>
> The members of an organization frequently don't have email addresses at
> the same domain name.

This is another important point that I completely missed after reading
the text. I assumed "an organisation" meant that only a very few number
of domains were involved. Perhaps clarify that in the draft?

> A keylist contains a list of fingerprints for public keys everyone in
> the organization should have.

To be fair here, you don't just want them to have a keylist. You want
them to have the public keys. And the keylist is a directory service to
get them. And I still think it might as well do the work and present it
all together.

> It would add more pointless work to
> maintain this system if we chose to arbitrarily require that they all
> keys contain UIDs with email addresses for the same domain name.

I agree. As I mentioned I hadn't thought of that scenario.

>> While automatic sync is a nice feature, over-syncing is a privacy risk,
>> especially for people who are trying to remain anonymous.
>
> This is outside the scope of this RFC. Like I described above, Atom
> feeds, and existing automated use of key servers, have always had this
> problem.

But the point of a Privacy Considerations section is to give important
information to implementors on issues that could pose a privacy risk,
and might be partially mitigated. So, instead of waving it out of scope,
try to give advise to implementors on how to mitigate this as much as
possible.

> (Also, people trying to remain anonymous need to do quite a bit more
> than just not automatically fetch PGP keys. It requires using an
> operating system designed for such a use-case, like Tails, in which case
> subscribing to keylists would be perfect fine, and would not compromise
> anonymity.)

I don't believe it would be fine. Better sure, but there would still be
risks. A dissident could be announcing their presence as a coffee shop
if _any_ IP address queries for the updated key list. Tor does not
help that. Now I agree some of this is out of scope for your document,
but again think about what you'd want to advise implementors.

> It's true that we could bootstrap a system like `gpg --refresh-keys`
> combined with cron (or more realistically launchd on macOS) to keep keys
> up-to-date. But 1) Not all OpenPGP users use gpg and cron, and 2) we
> don't necessarily want to update all keys in every user's keychain, only
> the keys on the keylists they're subscribed to.

That sounds like an argument for the key list to have the updated keys
for easy import by subscribers :)

> Only refreshing keys
> listed on a keylist leaks less information to key servers than
> refreshing all keys -- it leaks what keylists you're subscribed to.

Sure, though let's hope that people only fetch keys over TLS so that at
least it is not known which keys are fetched?

> But, most importantly, and in fact the reason we developed GPG Sync to
> begin with (which ultimately lead to writing this draft RFC), what isn't
> possible with existing tools is to get everyone in an organization to
> automatically fetch *new* keys that they otherwise wouldn't be aware of.

Right. But wouldn't a non-gpg specific standards based keyring format
not be a better and more universal solution?

Paul