[openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
Bart Butler <bart+ietf@pm.me> Thu, 12 September 2024 20:35 UTC
Return-Path: <bart+ietf@pm.me>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E013EC14F5FF; Thu, 12 Sep 2024 13:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pm.me
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ajizeJYjFohv; Thu, 12 Sep 2024 13:35:07 -0700 (PDT)
Received: from mail-40131.protonmail.ch (mail-40131.protonmail.ch [185.70.40.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B44E6C14F5FC; Thu, 12 Sep 2024 13:35:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pm.me; s=protonmail3; t=1726173304; x=1726432504; bh=MuZxcyovoCiWRJLXrx3VDRhyZ5QLcKihMB3hiKJrUbU=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=oLN+NUGge6igW0zD78BoJ3zgHlZnlWT6wI7NHhg/Ql3g8WGSU33XZgZFYiQvJpVOD ADH5VrqwoByxNrPWndJEfuOPeuC/1bY3P5jNeYogbGA5mW0/iqUV+gVuRsZnluZ0cs hNQFq7UWmUdbrIbRl/sDjHa9cbT9iEyddeJltgMIuxmHARkFwF/51GsNsEqdolo4CN z7UBFBmPtCm4hq6ZahRKIbgxamNKHJUvMUe1qzzBaUTMzvg3ydpJjZD+BWIugWUOTR MIOKWdXRmR/MjT017FeO+2hqxSSrBkaFqB2UvTnEXPQdHz47PYGzJDIRdBztZCuqPz k8THJZum/L02w==
Date: Thu, 12 Sep 2024 20:35:00 +0000
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>
From: Bart Butler <bart+ietf@pm.me>
Message-ID: <mthViSfwq2BajpS-YXlit_8Y3Yij-SGW9Yt5YDU6CRqc6j4IaNzBmMvccKo1cPXV1_qEEj5E7BLaxhVXRkitB18JjfwcBzP4QD1QSJj3ZKo=@pm.me>
In-Reply-To: <snUysR3YaJPpZfsfPXxpxDrlKwryVEa2uUUQWwgjZyjqE30YlQQzb4i_lApsb_9JD9btL5L9v0e3xVM6l5zU54z6Wbv2dUtr4Qd3RrgpQFQ=@protonmail.com>
References: <AwjEWTG0D_H985qVgdVDJNfG3jJROp0T9HD06zQWGzXnby5tXCoVrZH18W8T67Mh7CCAPLFJ33Np0Ro0yAWGRH827Kl7_lhqSZMr6JckCrU=@protonmail.com> <87r09o7wmt.fsf@europ.lan> <snUysR3YaJPpZfsfPXxpxDrlKwryVEa2uUUQWwgjZyjqE30YlQQzb4i_lApsb_9JD9btL5L9v0e3xVM6l5zU54z6Wbv2dUtr4Qd3RrgpQFQ=@protonmail.com>
Feedback-ID: 5683226:user:proton
X-Pm-Message-ID: e67016beaafde90c806ac9435b7e549ba7e1674a
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha256"; boundary="------36ea3016bd75ebbf607cad84b109edbd42e16fa01e66288cea872a0b2fa9dad2"; charset="utf-8"
Message-ID-Hash: PIRZSS2AGQFZYC54JMU223DXCEY4ZQDN
X-Message-ID-Hash: PIRZSS2AGQFZYC54JMU223DXCEY4ZQDN
X-MailFrom: bart+ietf@pm.me
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Justus Winter <justus@sequoia-pgp.org>, "draft-ietf-openpgp-replacementkey@ietf.org" <draft-ietf-openpgp-replacementkey@ietf.org>, "openpgp\\@ietf.org" <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: Splitting replacement keys subpacket into related keys and trust equivalence?
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/uCYku_pOSfeV0prwR-b4Ruz5pSo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
I’d also be fine dropping the fingerprint and just keeping the imprint. I had a slight preference for having both in the meeting but I’ve changed my mind and decided that simplicity wins :) On Thu, Sep 12, 2024 at 6:48 PM, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote: Hi Justus :) On Thursday, September 12th, 2024 at 16:51, Justus Winter wrote: > First of all, I have an issue with the terminology. The text in > question does not mention "trust-equivalency" once. I think it'd be > better to stick with the terminology established in the document under > discussion, or clearly say why the existing terminology is insufficient. OK, fair enough. The draft talks about "key equivalence", and "bound- equivalent", and just "equivalent". I think those are vague terms; in my mind a v4 and a v6 key (or an ECC and a PQC key, and so on) are obviously not equivalent in every way; the sense in which they are equivalent is mainly that if you trust (in "my" terminology, see below) one of them you can also automatically trust the other one. Hence, trust-equivalence. > Further, I have a rule of thumb when discussing OpenPGP: any person > saying the word "trust" is likely confused and most certainly wrong. :D > The phrase "trusted one of the keys" is meaningless. There are two > kinds of trust being discussed in OpenPGP, and I'm pretty sure you are > thinking of the former, but the phrase has the shape of the latter: > > - One can have a varying degree of confidence that a given certificate is > appropriate for a given use. Most often we think of (email address, > cert) tuples, for example. (Shape: tuple). > > - One can also have a varying degree of confidence that a certificate > holder's objectives are sufficiently aligned with ones own objectives so > that the certificate holder can be used to authenticate other (email > address, cert) tuples. Adding to the confusion, GnuPG calls this > owner trust. (Shape: certificate). OK, perhaps I'm leaking Proton-specific terminology. In Proton Mail, trusting (or pinning) a key means the former (and yes, the trust in the key is specific to the email address of course). We don't have any support for the latter concept. > Saying go find my replacement cert on that server is the web bug, that'd > be an antifeature. I personally tend to agree but the draft talks about this [1], so I thought people wanted it. Personally I don't care about this part of the functionality of the proposed subpacket, which is why I proposed splitting it up. But I would also be fine with dropping it entirely. To be explicit, in concrete terms that would imply (to me) dropping the fingerprint and keeping only the imprint, and not caring that it can't be used to look up the replacement key on the web (at least for now). But I was under the impression that some people do care about that part. > What if there are two keys with the same creation time? What if the > newest key I create is not the one I prefer? Do I need to lie about the > creation time then? I guess so. All of this also applies to subkeys - at least in our implementations, we select the latest valid subkey to encrypt - I know Sequoia behaves differently, and unfortunately the spec doesn't say anything about it, but IMHO this behavior makes the most sense, _especially_ when dealing with migrations to a new algorithm that not everybody may support yet: up-to-date senders get the security benefit by selecting the latest subkey (with the introduction of this subpacket, across multiple TSKs), out-of-date senders are still able to encrypt with an older subkey. All of it also applies to subkey and user ID binding signatures, where we select the latest valid one as well (and that part _is_ codified by the spec). Obviously there are wrinkles and edge-cases for all of this, but I don't think that makes it a bad policy in general. > I don't think that splitting the subpacket into two makes any of the > spec, semantics, or implementations substantial easier. On the other > hand, I can imagine it getting messier: what if I tell you about related > keys that I don't consider equivalent There may be some use case for this, like saying: here's my other key, but please use your WoT model (or w/e) to determine whether you want to use it. But I'm not the best person to ask about this one as I don't really care about having that part at all. > or the other way around? This one I did give a use case for: if you fetch two keys from WKD v2, and the user has indicated their trust in the (email, cert) binding for the first one, then you can also use the second one automatically without asking the user about it. For that, you don't need the part that refers to another key that can be looked up externally, as the other key is right there in the response. Just to be explicit, this is also the main use case I care about, FWIW. So folks that care about a different use case may disagree with me, of course :) > And we lose the straight forward compression dkg suggested, and I don't > think we can rely on transport compression to work on armored > certificates, for example, because if two identical fingerprints are not > a multiple of three bytes apart, they will appear differently in the > armored stream. Yeah, that's true. I mean, again I would be happy to drop the first one, but others may disagree. I guess it's up to them to say whether they think the overhead matters, not up to me. Best, Daniel [1]: https://www.ietf.org/archive/id/draft-ietf-openpgp-replacementkey-00.html#section-3-2 _______________________________________________ openpgp mailing list -- openpgp@ietf.org To unsubscribe send an email to openpgp-leave@ietf.org
- [openpgp] Splitting replacement keys subpacket in… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… iang
- [openpgp] Re: Splitting replacement keys subpacke… Justus Winter
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Heiko Schäfer
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Andrew Gallagher
- [openpgp] Re: Splitting replacement keys subpacke… Bart Butler
- [openpgp] Re: Splitting replacement keys subpacke… Neal H. Walfield
- [openpgp] Re: Splitting replacement keys subpacke… Justus Winter
- [openpgp] Re: Splitting replacement keys subpacke… Daniel Huigens