IETF Logo Mail Archive

[openpgp] Re: Encryption subkey selection

Daniel Huigens <d.huigens@protonmail.com> Tue, 06 May 2025 09:50 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E006B254770E for <openpgp@mail2.ietf.org>; Tue, 6 May 2025 02:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Satr6YdmVAU for <openpgp@mail2.ietf.org>; Tue, 6 May 2025 02:50:36 -0700 (PDT)
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 172DB25476F9 for <openpgp@ietf.org>; Tue, 6 May 2025 02:50:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1746525034; x=1746784234; bh=ArnhEDm1Qx1gYBqS7QVj9yxKhgLdmb79DvhQI/oJ6X8=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post; b=Q2nquITO3IQ7eywiJIPCPwmSc7vWwR5cHiBzLRQPDlHwDzA2A8XKIYH1OR4uvGZBP hNMryaeD5iiQFMcb4JoHl9GzojUMfauyjoKLk6Az8a7v4gAyWJQfgB9xGHPdTc+qbq TDr9N0PlYBe8XLhgz6+od7JcfgNAFA/3ujrV69/FAeTxXeHGJp1+MFKceNOx45W6qq RNv+CtiiVvV8TyiUvbkw8gRej2vMc5CWpnlCoknRJcECzs4nBEpFZ4hrEz50bIU7kT bzo/VsEFtr8DfL26/aNqFQDYUFRY56VJpkg5m3DUO62uhJSPvvRzCgvoDf7WKdznv+ qIcLNTKeQaHig==
Date: Tue, 06 May 2025 09:50:30 +0000
To: Johannes Roth <johannes.roth@mtg.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <4j51QllmOsceG5EB4cKfgmQkXSMsxd4evvmPyyQ4shnvrBYP32uRT6nUNS_tlhxcqVb0q_kN79OX-ngg8FBJi1UdU5-Ecb9xwtYsq9nqVwE=@protonmail.com>
In-Reply-To: <56926474-5bfc-485d-a120-e21554a40e02@mtg.de>
References: <87h631mvol.fsf@thinbox> <dI4YtuyWCyCqKizRafc2sNHBFSRSuQEt-03l8CBI-bRD4SPN7701nRDLFYtu0hwve96cG3Q4kIglx6oVTIAiJbVJseQRzLrt2AoKpSLes28=@protonmail.com> <87ecxupx9w.fsf@europ.lan> <ToH9iWOoC_CgdIu1k9gaMAaNzpZ5nwHbPScoiuJr_RIQpz6Wv1Z7qY9iaKepYMwLlynVkNytyotr-FWEFRBA5saNHy7N_1dmbcMC310quFM=@protonmail.com> <878qnahdhv.fsf@fifthhorseman.net> <0d7e2367-c6fa-483b-af3b-59cdb0a98c1f@mtg.de> <Ef6BOqB4sJojhX8zVFA6lCxASrnsV1rG_bF85V4_YHy1SutHgh3BW5f2hTNppvMcUOpmjtcMCiEYVVkAxcMLDMYAiUm2v-MN6qHRvqYYS-M=@protonmail.com> <56926474-5bfc-485d-a120-e21554a40e02@mtg.de>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 699add758699d71ef4f8ff9b223390e1877fa4bc
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 45HEVHROYZ2ZIKBOFSRYG7I47PDJ7FXC
X-Message-ID-Hash: 45HEVHROYZ2ZIKBOFSRYG7I47PDJ7FXC
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Falko Strenzke <falko.strenzke@mtg.de>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: Encryption subkey selection
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/vQdPeSL7zpqYAKIi1Vn0U0SmZ80>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi Johannes,

On Tuesday, May 6th, 2025 at 11:29, Johannes Roth wrote:
> I agree with Falko that the ordering by algorithm ID is not ideal.
> Currently, with ML-KEM only, this is not a problem. As soon as we add a
> new algorithm that also has two IDs with different security levels, the
> logic doesn't guarantee the preference of the stronger keys.

If we do so, I would expect the certificate holder to want to pair the
two algorithm variants of equal strength. Otherwise, why would you add
a new subkey that's weaker and presumably less well-supported than the
one you already have? Alternatively, as I said before, we can tweak the
encryption subkey selection algorithm once we add those new algorithms,
if there's a concrete reason for it at that point. But also note again
that I'm not claiming that this algorithm will select the strongest/
best/most awesome subkey in all possible scenarios, just that it gives
a reasonable baseline for certificate holders to be able to reason
about which subkey(s) will be selected, and then act accordingly.

> Personally I am a bit skeptical about specifying the subkey creation
> time as a primary selection criterion. It somewhat overloads the simple
> statement about the creation time. If you have a PQC-only certificate
> and realize you need an ECDH key for backwards compatibility, you would
> need to set the creation time to an earlier date than your PQC keys
> which is counter-intuitive, and also requires you to add this delta to
> your expiry time, otherwise it will expire earlier than intended. At
> this point, I would consider it more sensible to let the certificate
> holder express his order preferred order explicitly.

I think that if an implementation of OpenPGP today (or in the near
future) gives you a PQC-only certificate, and you don't already have an
ECC fallback certificate, then that's a very strange choice and the
implementation should've warned you against that. If it does happen,
you could always add a fallback ECC certificate (rather than a subkey)
and bind them together using Andrew's replacement key draft (with the
ECC cert as the fallback).

> Bottom line: I think having such a default logic makes sense, but I also
> think it won't reliably solve the problems it addresses. In case we only
> specify PQC algorithms from now on, it would at least ensure the
> prefernce of PQC keys.

I think it's likely we'll only specify PQC algorithms from now on;
doing anything else would be strange, unless some major changes in
the predictions about cryptographically relevant quantum computers
occur, in which case we can reevaluate.

Best,
Daniel

v2.31.3 | Report a Bug | By Email | System Status