IETF Logo Mail Archive

Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 06 August 2019 11:26 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC431200C7 for <openpgp@ietfa.amsl.com>; Tue, 6 Aug 2019 04:26:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.951
X-Spam-Level:
X-Spam-Status: No, score=-0.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=ps7mvNYO; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=FQCZycCT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SdSdiEpQncHw for <openpgp@ietfa.amsl.com>; Tue, 6 Aug 2019 04:26:54 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94673120077 for <openpgp@ietf.org>; Tue, 6 Aug 2019 04:26:54 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1565090813; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=gy37irzTcZyMonC/AUdXEIi3Rzt/W4ruJDaXzJmlm60=; b=ps7mvNYOz/+gqOn7mHwAxsLApUeW4s+ZmGXJSkQPTB1R7U3z7WxZlVPo 2pLhKBS3b+Pq5UMKaZ8MswHv21Z+BA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1565090813; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=gy37irzTcZyMonC/AUdXEIi3Rzt/W4ruJDaXzJmlm60=; b=FQCZycCT9Xez84w7qNc/oabnedmvTGYVq0eYyEj/CtM6dzzE1c7xnU6N 2VNS8VxOGPOZhncR4f/EKUu5+Khn2feHkRRgQLMQSBkoj+5F/iYgeqeULZ Q4Xiu15jvMRwUIiZ/m2RwjsPwDBvIyP91kUm6V7zKJIfh7rp8uergantSW eZdl5gaknypgVVP77mxpKKLvRByUL995vDtZpwrXAEzq1f+gDiug7TViD3 xdK0WCEjMAXu9HSZuTOT9hH/+7X5rd1UB0cqL9KLNA49A+aQ8YGPUaqmI0 bfR2VKEkFSccQ2W0eLONEY369rjFeFlsHBRt46QSsEipGR/vt1DgEw==
Received: from fifthhorseman.net (unknown [98.11.158.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 33CC8F99D; Tue, 6 Aug 2019 07:26:51 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id B6B23204C8; Mon, 5 Aug 2019 16:16:27 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Werner Koch <wk@gnupg.org>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
In-Reply-To: <87wofrmrry.fsf@wheatstone.g10code.de>
References: <87iocqepta.fsf@littlepip.fritz.box> <20190731203444.4822-1-dkg@fifthhorseman.net> <87wofrmrry.fsf@wheatstone.g10code.de>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Mon, 05 Aug 2019 16:16:27 -0400
Message-ID: <87v9vbpdus.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/xRPEH1LRtGWV1gbCDrkkMpoFZiI>
Subject: Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 11:26:57 -0000

On Mon 2019-08-05 19:44:01 +0200, Werner Koch wrote:
> On Wed, 31 Jul 2019 16:34, dkg@fifthhorseman.net said:
>> The "revocation key" subpacket is problematic.  It is the the most
>> fragile piece of the specification wrt the fingerprint (collisions
>> against a fingerprint can create surprising revocation effects).  And
>
> With the move to v5 keys this will be solved en-passant.

Sure, but this isn't the most important part of the problem.

The important part is that people need to be able to see the public key
of the revoker, and it's not always clear that this will be available.

>> replaces it with a "designated revoker" subpacket that includes the
>> full key, rather than the fingerprint.
>
> I view this as problematic in the light of our preparations to allow for
> larger key material.  With PQC we may need megabyte large keys and then
> including an entire key would double the size of a keyblock.

I agree with you that this would make such a packet larger.  And
therefore, the people who want to make use of such a scheme -- and the
peers that they contact -- would need to accept a larger
certificate/keyblock size as a result.  It's not quite doubling, though:
given that there may be subkeys the certificate, and non-negligible
certifications themselves (including self-sigs and subkey binding
signatures, etc), such a subpacket is likely to be smaller than the rest
of the surrounding certificate.  and in any case, it's comparatively
small compared to some things we distribute today in much more common
circumstances than a "designated revoker".

Moreover, the verifier who discovers a third-party revocation needs to
check fetch the associated public key somehow no matter what.  And it's
always possible to distribute a "designated revoker" packet alongside
the revocation itself.  This approach increases the size of a
revocation, but incurs *no extra cost* compard to "normal" certificate
size (and no metadata leakage).  For a single verification, this is
likely to be less traffic for the verifier than if they were obliged to
fetch the full transferable public key associated with the revoker in
the first place.

So: my argument here remains that shipping the revoker's key in
"designated revoker" has benefits in terms of:

 * more convenience for verifiers
 * higher likelihood that verifiers can actually assess and accept a
   delegated revocation when encountered
 * better metadata properties (self-contained messages reduce side
   channels for their users)
 * lower traffic/bandwidth costs for a verifier who encounters a
   delegated revocation from an unknown key

And is only a marginal costs in terms of:

 * in one possible deployment configuration, for the uncommon user of
   such a packet, a modest increase in certificate size.

This seems like a clear win to me, though i acknowledge that it is not
without some minor tradeoffs.

        --dkg

v2.23.0 | Report a Bug | By Email