Re: [openpgp] To bind or not to bind

Andrew Gallagher <andrewg@andrewg.com> Wed, 27 March 2024 16:59 UTC

From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87sf0bhnjc.fsf@europ.lan>
Date: Wed, 27 Mar 2024 16:58:50 +0000
Cc: Falko Strenzke <falko.strenzke@mtg.de>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Aron Wussler <aron@wussler.it>, IETF OpenPGP WG <openpgp@ietf.org>
To: Justus Winter <justus@sequoia-pgp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ttsZZnVtVuYSBvCZ6EEdc3nhvMo>

On 27 Mar 2024, at 12:22, Justus Winter <justus@sequoia-pgp.org> wrote:
> 
> I don't think the fix is as straightforward.  Because there are a great
> number of v4 implementations out there, some of which we don't even know
> exist.  How can we know how these are sufficiently robust to support
> this opportunistic upgrade path?

We don’t, but failure is not necessarily a bad thing - providing that PQC keys fail early, at import time. We can then tell people how (or better still, give them a tool) to strip the PQC encryption subkey(s), leaving a usable v4 key.

It is not just the existence of errors that we must consider, but the nature of those errors and whether the user is empowered to do anything about them. The test suite flags up where the dangers are, but it doesn’t tell us what actually happens in a real usage scenario.

> As a single data point, we know that Github uses an implementation
> derived from Google's OpenPGP implementation for Go (which aiui GopenPGP
> is also derived from).  Assuming the test results for GopenPGPv2 hold
> for x/crypto/openpgp, adding a PQC encryption subkey to a v4 key would
> break Github's signature verification.

I just tried to add the v4 ML-KEM test key from draft-pqc-02 to my own GitHub account. It failed at import time saying:

“We got an error adding your GPG key. Please verify the input is a valid GPG key.”

IMO this is an ideal failure; since keys can only be added or updated manually by the key owner, people should know (or be able to easily find out) whether their own key is PQC-enabled, and how to un-PQC it. And if not, they can google the error message and get some nice person on Stack Overflow (volunteers, anyone?). I therefore believe GitHub is not a blocker.

(As a contrasting data point, I performed the same test in MacGPGTools. It imported cleanly, and shows a greyed out “Algorithm_105” subkey - otherwise the key appears quite usable. It will happily import and export the test key without errors or data loss.)

A
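
A sketch of the kind of stripping tool the message above mentions, as an added example that is not part of the original message or of any OpenPGP project. It assumes a binary (de-armored) certificate and takes the algorithm ID 105 from the MacGPGTools observation above; the function names are hypothetical.

```python
# Added example: drop subkeys with selected algorithm IDs from a binary
# OpenPGP certificate, together with the signatures that bind them.
PQC_ALGOS = {105}          # assumption: the ID MacGPGTools displayed above
SUBKEY_TAGS = {7, 14}      # secret subkey, public subkey
SIG, TRUST = 2, 12

def packets(data):
    """Yield (tag, body, raw_bytes) for each packet in a packet sequence."""
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at %d" % i)
        i += 1
        if hdr & 0x40:                       # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:                     # one-octet length
                length, i = o1, i + 1
            elif o1 < 224:                   # two-octet length
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:                  # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = 1 << ltype                   # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length], data[start:i + length]
        i += length

def strip_subkeys(cert, algos=PQC_ALGOS):
    """Return cert without the subkeys whose algorithm ID is in algos."""
    out, dropping = bytearray(), False
    for tag, body, raw in packets(cert):
        if tag in SUBKEY_TAGS:
            # v4/v6 key packet: version(1) + creation time(4) + algorithm(1)
            dropping = len(body) > 5 and body[5] in algos
        elif tag not in (SIG, TRUST):
            dropping = False                 # next component starts here
        if not dropping:
            out += raw
    return bytes(out)
```

The packets that remain are copied byte for byte, so their existing signatures stay valid and nothing has to be re-signed.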