IETF Logo Mail Archive

[openpgp] Re: I-D Action: draft-ietf-openpgp-replacementkey-02.txt

Daniel Huigens <d.huigens@protonmail.com> Fri, 13 December 2024 14:21 UTC

Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 603ABC14F6EC for <openpgp@ietfa.amsl.com>; Fri, 13 Dec 2024 06:21:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDDJC-fFC3uG for <openpgp@ietfa.amsl.com>; Fri, 13 Dec 2024 06:21:04 -0800 (PST)
Received: from mail-10631.protonmail.ch (mail-10631.protonmail.ch [79.135.106.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DABFC14F714 for <openpgp@ietf.org>; Fri, 13 Dec 2024 06:21:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1734099662; x=1734358862; bh=N7nkZMRG4O9KLio7dLYypnOTDJtt1GZLpPjysCXY+lY=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post; b=Os9r5UC+BysSkhYpYJBMp+P7L/G5ou4TNvzpWNQD/df4tsabOArT/e/yA1JlZMiOF jCacOIiMUlbfCUcjnaDl7CVOi3xCUmiW7gZb2YC6uJfokypkjI4UqvAzYnMtwHTnpX v8vMEPaKzNVTO+uL7cMbdyyRIzK4+NP4fJtHBaK6C1cyrCOtrZMzoCEYLmP5ACnhzZ 0X7Or0JXik9SoDGb20aoO6LvtGg8qpjmiCbeASumWJJDUaevAIrhHO4Nq5dQC80ZX4 DTIoaGl8FZHuxI8D9G4v8pINuaB7zBRThw2Gc+w5TCLwXvElbKxaYBUA67VzZmpCXs NInu9xCsUN7Gw==
Date: Fri, 13 Dec 2024 14:20:57 +0000
To: Johannes Roth <johannes.roth@mtg.de>
From: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <_vCCQ4cQunC8YzHL0oder_9QngbTWZJ2nLVf5jUssLMpN4-wAag6goursPWrOFD5lwyitOiuYBSxgiSFQ1Z6pzIL0-FnDNOlYXCneBRrjc8=@protonmail.com>
In-Reply-To: <2649917e-59f4-4f9a-a3fb-b348061a3f35@mtg.de>
References: <173264571597.581885.1047714570419252899@dt-datatracker-5679c9c6d-qbvvv> <14B07CCC-BD69-4302-9E1C-96B853942C5F@andrewg.com> <cb1627a3-1257-4177-9917-9ea7d73652b1@mtg.de> <EEED1E4F-973E-4424-88F0-5D81BD6F997F@andrewg.com> <2649917e-59f4-4f9a-a3fb-b348061a3f35@mtg.de>
Feedback-ID: 2934448:user:proton
X-Pm-Message-ID: 113ac512aa73b694075d4d73fda03d6416594c9b
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 67UP7SPMHYWKUC6PUTEHZWN2KLN3NZIY
X-Message-ID-Hash: 67UP7SPMHYWKUC6PUTEHZWN2KLN3NZIY
X-MailFrom: d.huigens@protonmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, IETF OpenPGP WG <openpgp@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: I-D Action: draft-ietf-openpgp-replacementkey-02.txt
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/vhNsP3m4OcZuNbo_owkSa40bANQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Hi Johannes & all,

At the OpenPGP email summit, folks agreed that there shouldn't be chains
of replacement keys, mainly for simplicity, but I also think it's
unnecessary.

If you have existing keys A and B where B replaces A, and then you
generate C replacing both, *and* you don't have access to key A, then
you can't sign a statement with key A saying that key C replaces it.
Therefore you can't create an equivalence binding.

You can sign a statement with key C saying that it replaces A, but
that's fairly meaningless and shouldn't be trusted in the absence of
other evidence, because anyone could sign such a statement claiming to
replace your key. Hopefully, by that time you would at least have some
trust / third-party sigs or w/e in key B, such that it's sufficient to
sign a statement with key B saying that key C is the replacement key.

Also, if you don't have the key material of key A anymore, it can't act
as a fallback key. In that scenario, you only want folks to use B or C.
Ideally, you would thus have a revocation certificate for key A lying
around somewhere, and use that to revoke key A.

I do agree that the note in the draft saying that key equivalence is
transitive is potentially confusing and perhaps it should just be
removed, in favor of explicitly saying that all keys in an equivalence
binding are equivalent to all the others (in some sense).

---

All of the above does not totally remove the question of what to do
when an implementation encounters chains in violation of the spec.

In our implementations and applications, I don't imagine we'll
proactively follow pointers in keys to look up other keys, at all.
Rather, we'll look up all available keys from WKD/KOO/whichever sources
are deemed appropriate, and then make a decision on which of those to
use. Even there, we might prefer to just pick the key that's most
recently generated or "most secure" (according to some heuristic).

The way I then imagine us using the information in the replacement key
subpacket is in the scenario where the user has manually verified /
trusted key A, and not the latest&greatest key B. Then, iff key A and
key B are equivalent, we can use key B instead of key A without asking
the user explicitly. That way, there are no chains to follow at all,
and at least the low-level API can be very simple, we just need
"select the key we like the most" and "are key A and B equivalent".
(For high-level APIs like SOP we might want something more abstract
as I've argued before.)

And then, the first step could later be expanded to take into account
the replacement key subpackets, but perhaps only if they present a
consistent view of the key holder's preference (i.e. without chains
and loops and so on).

Best,
Daniel

v2.35.0 | Report a Bug | By Email | System Status