Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
Andrew Gallagher <andrewg@andrewg.com> Mon, 29 April 2024 17:21 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8F4AC19ECBD for <openpgp@ietfa.amsl.com>; Mon, 29 Apr 2024 10:21:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mZWLRJQM4z8k for <openpgp@ietfa.amsl.com>; Mon, 29 Apr 2024 10:21:37 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 725E9C1C4124 for <openpgp@ietf.org>; Mon, 29 Apr 2024 10:20:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1714411219; bh=0rigRIszF0qLF8IGVUgva4W6bMXm6xxEu3xpZbQzoug=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=QiKSxO+GUI2z8UpJMw02OPSaUTJSqyZFLNfMMlY9GvhXymEqhX4yYy39K2POCs1KE RLfo28TeUHhGLt/TSIO59CVUOPu9f0WItpzWralzvwxaxYYb/y3TQ74zWCEDha/Cn8 Cfeula21xzCwk8XWAaSuhRQ6AR2sXdYLASuX0l8+Ky8USeLg5v7607iN4qQMFTjLUn T5DH74tLL8n27pvz2e2jyMg1rS+zW4orvHvroTaIRaKfkqVwX0tmyF7A3VB/T6a+7e a7e/c21NDfRWV1c/sf9SGufEngWO4kvq7ndU5TTd0StlHTfpw5K0iRYfom51WVslXq K/lxdBE+ZaFiA==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id C6A705DE60; Mon, 29 Apr 2024 17:20:18 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_E3BB702F-CA68-4A94-BE35-61B63A1EC6C2"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <tPdBr7QK7VoBsKag0QafjtDv9mB_jBTxHI00f_gSyM8SnUPkPukP2FqmSc-zcccXkvl13s8pDhnuNr9JkzgnY_XVNJlEEpUpqWvN1Ufw2Jg=@protonmail.com>
Date: Mon, 29 Apr 2024 18:20:00 +0100
Cc: Andrew Gallagher <andrewg=40andrewg.com@dmarc.ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Simon Josefsson <simon@josefsson.org>, IETF OpenPGP WG <openpgp@ietf.org>
Message-Id: <64E6E654-BE59-4F7F-83ED-34E9AFA89E52@andrewg.com>
References: <87o7anhybr.fsf@fifthhorseman.net> <87jzkunest.fsf@fifthhorseman.net> <87y199g67k.fsf@kaka.sjd.se> <A0B535B4-215B-4159-9F39-0D33C24ECF2F@andrewg.com> <87frvhnhx0.fsf@fifthhorseman.net> <74AAE7BF-BD6C-4F27-9BFF-A4AA972056A4@andrewg.com> <tPdBr7QK7VoBsKag0QafjtDv9mB_jBTxHI00f_gSyM8SnUPkPukP2FqmSc-zcccXkvl13s8pDhnuNr9JkzgnY_XVNJlEEpUpqWvN1Ufw2Jg=@protonmail.com>
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/y5JU2ncIdkVcM75WAdmP0gLM9Ws>
Subject: Re: [openpgp] Call for adoption of draft-gallagher-openpgp-replacementkey
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Apr 2024 17:21:42 -0000
On 29 Apr 2024, at 16:10, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote: > > On Wednesday, April 24th, 2024 at 16:41, Andrew Gallagher wrote: >> Key distribution methods that carry implicit trust (such as Autocrypt and WKD) do not strictly require a key replacement mechanism, however implementations that perform TOFU should(!) normally warn if they see that a key has changed. > > IMO, this is only true if we are in a scenario where the user has > explicitly opted to trust the original key. If we use Autocrypt or WKD > for "opportunistic" (so to speak) encryption automatically, without any > user interaction, we shouldn't then turn around and warn the user when > the key changes, either, as they'll have no context on what they're > being warned about. Opportunistic encryption with silent key rollover isn’t really TOFU though, and IMO neither is anything that requires explicit confirmation on first use. To me at least, TOFU means (automatic) trust on *first* use (only), as implemented in SSH. I agree completely about TOFU’s bad UX, but making all the warnings go away is surely closer to dkg’s “YOLO". :-) I’d also argue that WKD isn’t really TOFU either, since unlike Autocrypt it has a fairly secure binding to the X.509 trust framework. >> In such a scenario the key replacement subpacket could suppress the TOFU key-change warning. > > ... this is only true if the key replacement subpacket is considered > to transfer the trust from the old key to the new one, right? Not necessarily. Say that a particular correspondent’s emails starts to include a new key in their autocrypt header. In the absence of a replacement key subpacket on the old key, it could be considered suspicious. An MUA might use this to decide whether or not to display a “this person’s security key recently changed” notification (similar to e.g. WhatsApp). > I read > Section 5 of draft-gallagher-openpgp-replacementkey as saying that > we shouldn't place any special trust in the new key based on this > subpacket. I'd imagine, that if we do want to transfer trust, we can > sign the new key using the old key - but that's already possible today. Sure, but certifying key B with key A will generally result in a weaker trust value for B than A, and unless key A had explicit or delegated ownertrust, the trust value allocated to B due purely to A’s certification would probably be zero. Only by recommending that B is also certified by the same upstream signatories as A do we have a decent chance of B getting a meaningful trust value. > But, both of those things are only true if the key already has a > preferred key server subpacket when it's uploaded (or if the client is > willing to make some guess(es) about which key server might likely have > updates to the key - but at that point, it might as well query by email > address, rather than querying by fingerprint and then following the > replacement key subpacket to find the new key). Say that a key has been hard revoked, and we are following the advice in https://datatracker.ietf.org/doc/html/draft-dkg-openpgp-abuse-resistant-keystore-06#section-7.4 : > If the primary key of a certificate is revoked via a key revocation signature (type 0x20), an abuse-resistant keystore SHOULD drop all the rest of the associated data (user IDs, user attributes, and subkeys, and all attendant certifications and subkey signatures). This defends against an adversary who compromises a primary key and tries to flood the certificate to hide the revocation. In that case, key lookup by user ID will fail to return the revoked key, so we still need to update by fingerprint. A
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- [openpgp] Call for adoption of draft-gallagher-op… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Stephen Farrell
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Heiko Schäfer
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Falko Strenzke
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Simon Josefsson
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Kahn Gillmor
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Huigens
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Huigens
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- Re: [openpgp] Call for adoption of draft-gallaghe… Daniel Huigens
- Re: [openpgp] Call for adoption of draft-gallaghe… Bart Butler
- Re: [openpgp] Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Daniel Huigens
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Falko Strenzke
- [openpgp] Re: Call for adoption of draft-gallaghe… Falko Strenzke
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Simon Josefsson
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Falko Strenzke
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Stephen Farrell
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher
- [openpgp] Re: Call for adoption of draft-gallaghe… Andrew Gallagher