Re: [openpgp] Can the OpenPGP vs. S/MIME situation be fixed?

Andrey Jivsov <openpgp@brainhub.org> Mon, 04 July 2016 04:05 UTC

Message-ID: <5779E086.9000506@brainhub.org>
Date: Sun, 03 Jul 2016 21:05:26 -0700
From: Andrey Jivsov <openpgp@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <20160701153304.332d2c95@pc1>, <874m86xq04.fsf@alice.fifthhorseman.net> <9A043F3CF02CD34C8E74AC1594475C73F4CB97D2@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4CB97D2@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/vo5ykkw9T0BH4Ge22NEWtbNx6Fs>

On 07/03/2016 08:41 PM, Peter Gutmann wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
>> I think we should be clear about what it would take to do what you're
>> proposing; there are two main angles:
>>
>> * certificate interoperability (OpenPGP certs vs. X.509 certs)
> This is easily solved in a technical spec, just define (to use the approach
> I've been using in my code, which has worked more or less seamlessly for some
> years), the use of sKID for S/MIME and issuerAndSerialNumber for PGP.

Commercial PGP products used this type of "same key, two certificates" 
paradigm for over a decade. Some of this is documented in 
http://www.ietf.org/mail-archive/web/openpgp/current/msg01742.html 
(that's what PGP Corp. did; this write-up is incomplete).

One issue with storing the OpenPGP KeyID in the X.509 Subject Key Identifier
(SKI) is that, over the last decade and earlier, popular S/MIME clients
were not using the SKI to identify a recipient. Instead, they were using the
X.509 cert's Issuer and SN. Therefore, one will have to encode the OpenPGP
KeyID into the SN of the X.509 cert to be able to locate the OpenPGP key
later from the encrypted S/MIME message. This works if the ecosystem
owns an issuing X.509 Sub-CA, so that it's possible to control the SNs.

>
>> * message interoperability (PGP/MIME vs. S/MIME)
> This can't be solved by a technical spec, it's an application issue which you
> resolve by e.g. writing a PGP plugin for Outlook.
>
> Peter.
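The "same key, two certificates" mapping discussed in this message, as an added worked example (not code from the thread, from PGP Corp., or from Peter Gutmann's implementation): compute the v4 OpenPGP fingerprint and 64-bit KeyID of an RSA key per RFC 4880, carry that KeyID in the X.509 serialNumber (the route the message says legacy S/MIME clients actually use) and, for comparison, as a Subject Key Identifier value, then map a CMS issuerAndSerialNumber recipient identifier back to the OpenPGP key. The RSA modulus, creation time, Sub-CA name and keyring are constructed sample values; the issuer check models the message's condition that the ecosystem controls serials only under its own Sub-CA.

```python
import hashlib
import struct

# --- OpenPGP side: v4 fingerprint and 64-bit KeyID (RFC 4880 section 12.2) ---

def mpi(n: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI (RFC 4880 section 3.2):
    two-octet big-endian bit count followed by the big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def rsa_v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 Public-Key packet for RSA (RFC 4880 section 5.5.2):
    version 4, four-octet creation time, algorithm 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the two-octet packet length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_id(fingerprint: bytes) -> bytes:
    """The OpenPGP KeyID is the low-order 64 bits of the v4 fingerprint."""
    return fingerprint[-8:]

# --- X.509 side: carrying the KeyID in the serialNumber or in the SKI ---

def serial_from_key_id(kid: bytes) -> int:
    """Use the 8-octet KeyID as the certificate serialNumber. RFC 5280 section
    4.1.2.2 requires a positive integer, so a zero KeyID cannot be used as-is."""
    serial = int.from_bytes(kid, "big")
    if serial == 0:
        raise ValueError("KeyID 0 cannot be a serialNumber; assign another serial")
    return serial

def key_id_from_serial(serial: int) -> bytes:
    """Reverse mapping, applied to the serial found in a CMS IssuerAndSerialNumber."""
    if not 0 < serial < 2 ** 64:
        raise ValueError("serialNumber does not encode a 64-bit OpenPGP KeyID")
    return serial.to_bytes(8, "big")

def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02, short-form length). A leading
    0x00 keeps a value with the high bit set positive, so a KeyID starting with
    0x8 or above becomes a 9-octet serial on the wire."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) >= 128:
        raise ValueError("long-form length is not needed for serial numbers")
    return b"\x02" + bytes([len(content)]) + content

def ski_extension_value(kid: bytes) -> bytes:
    """SubjectKeyIdentifier is an OCTET STRING; storing the KeyID there is the
    sKID route, which the message notes legacy S/MIME clients did not consult."""
    return b"\x04" + bytes([len(kid)]) + kid

# --- Recipient lookup: from IssuerAndSerialNumber back to the OpenPGP key ---

def locate_openpgp_key(issuer: str, serial: int, sub_ca_issuer: str, keyring: dict) -> bytes:
    """Map an issuerAndSerialNumber RecipientIdentifier back to an OpenPGP key.
    Only serials issued by the ecosystem's own Sub-CA carry a KeyID, so the issuer
    is checked first. keyring maps KeyID -> full fingerprint; callers should confirm
    the 20-octet fingerprint, because an 8-octet KeyID is not unique."""
    if issuer != sub_ca_issuer:
        raise LookupError("serial was not assigned by our Sub-CA; it carries no KeyID")
    kid = key_id_from_serial(serial)
    if kid not in keyring:
        raise LookupError("no OpenPGP key with KeyID %s" % kid.hex())
    return keyring[kid]

# Constructed sample values (not a real key pair): a fake odd modulus, the usual
# exponent, an arbitrary creation time, and a hypothetical Sub-CA name.
SAMPLE_N = int("C0FFEE" * 40, 16) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1467590400
SUB_CA = "CN=Example Ecosystem Sub-CA"

def demo():
    body = rsa_v4_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    fpr = v4_fingerprint(body)
    kid = key_id(fpr)
    serial = serial_from_key_id(kid)
    keyring = {kid: fpr}
    # An S/MIME RecipientInfo names the cert by issuer + serial; map it back.
    found = locate_openpgp_key(SUB_CA, serial, SUB_CA, keyring)
    return fpr, kid, serial, der_integer(serial), found

if __name__ == "__main__":
    fpr, kid, serial, der, found = demo()
    print("fingerprint:", fpr.hex().upper())
    print("KeyID:      ", kid.hex().upper())
    print("serial DER: ", der.hex())
    print("SKI value:  ", ski_extension_value(kid).hex())
    print("located:    ", found == fpr)
```

The serial route works only because the Sub-CA is under the ecosystem's control: a certificate from any other issuer has an unrelated serial, and the lookup refuses it rather than decoding it as a KeyID. The SKI value is shown for the sKID approach Peter describes; which of the two a given S/MIME client puts in its RecipientIdentifier is exactly the interoperability question the message raises.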