IETF Logo Mail Archive

[openpgp] Re: Encryption subkey selection

Falko Strenzke <falko.strenzke@mtg.de> Tue, 06 May 2025 06:21 UTC

Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@mail2.ietf.org
Delivered-To: openpgp@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 479E725345BF for <openpgp@mail2.ietf.org>; Mon, 5 May 2025 23:21:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cxCOv9bo0dfF for <openpgp@mail2.ietf.org>; Mon, 5 May 2025 23:21:54 -0700 (PDT)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 674EE25345B1 for <openpgp@ietf.org>; Mon, 5 May 2025 23:21:54 -0700 (PDT)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 5466LoUS016405 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 6 May 2025 08:21:50 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1746512510; bh=mVGLbbubYz2WWtbr3W5IvyFw2nz/BTAoYA4lQ4OmDbw=; h=Date:Subject:To:References:From:In-Reply-To; b=aYXN1/y+CmKfogyAMHdVPcN/WaaHExlgbRJj6X+kkxCtrGcMdWHC8cVnauq9bMs7C NMPvQ1cFidQO49HmFKaH5l4hOJfKj8i/xEHHg4t7GlxCUV6RluqPKFBxnzJMrFIo1W PSPpImA17BSCf3daB/FbqQwTDRu7n6AdhqzRU/dMX840P96eC3iukY9fPH/U79eDZe xCptv9I4TSbL6GF5od3LPcIJf98QQqhcalcX8a7pp6BH/3j/UzCYDKReScmTiAkA2R cDH8RhJ8b6ReMnPoW0KNFPTe2IZqpP8BFMsWdQOzMC3+4phHQrIjL+Q8YdIoyqnk1J 2CN6Zn6pgtCog==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 5466Ln5k021263 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 6 May 2025 08:21:49 +0200
Message-ID: <0d7e2367-c6fa-483b-af3b-59cdb0a98c1f@mtg.de>
Date: Tue, 06 May 2025 08:21:49 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
References: <87h631mvol.fsf@thinbox> <dI4YtuyWCyCqKizRafc2sNHBFSRSuQEt-03l8CBI-bRD4SPN7701nRDLFYtu0hwve96cG3Q4kIglx6oVTIAiJbVJseQRzLrt2AoKpSLes28=@protonmail.com> <87ecxupx9w.fsf@europ.lan> <ToH9iWOoC_CgdIu1k9gaMAaNzpZ5nwHbPScoiuJr_RIQpz6Wv1Z7qY9iaKepYMwLlynVkNytyotr-FWEFRBA5saNHy7N_1dmbcMC310quFM=@protonmail.com> <878qnahdhv.fsf@fifthhorseman.net>
Content-Language: en-GB
From: Falko Strenzke <falko.strenzke@mtg.de>
Organization: MTG AG
In-Reply-To: <878qnahdhv.fsf@fifthhorseman.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060206000104040603080803"
Message-ID-Hash: BXNBFSUWO3XEEKF6XQN3HPNE7PGNZU5E
X-Message-ID-Hash: BXNBFSUWO3XEEKF6XQN3HPNE7PGNZU5E
X-MailFrom: falko.strenzke@mtg.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: Encryption subkey selection
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yZjq-vxosuH-V9cp_-DQYlQ-McY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Am 06.05.25 um 00:57 schrieb Daniel Kahn Gillmor:
> Hi Daniel--
>
> Thanks for this concrete proposal.  With no hats on, I really like the
> simplicity.  A few questions below about wire format, algorithmic
> selection details, and semantics.
>
> I note that this proposal is a mix of hard-coded ecosystem-wide
> assumptions (dates matter; higher algo-ids are preferable) and minimal
> explicit signalling (one cert-wide flag).

Preferring the higher algorithm ID doesn't work for a simple reason: 
there are different security levels for each algorithm stacked one after 
another as code points (2 for ML-KEM currently). This means that the 
suggested selection mechanism might result in the preference of strictly 
weaker keys.

Best regards,
Falko

>
> I think it can successfully communicate several reasonable simple
> strategies that keyholders might want to opt into.  I don't see any
> plausibly executable strategies that are superior to the supported ones
> that wouldn't be supported by this scheme.  Maybe if such a strategy
> does turn up, we could have some additional mode to support it, if it's
> worth the additional complexity?
>
> On Thu 2025-05-01 17:10:46 +0000, Daniel Huigens wrote:
>
>> I would propose that we add a single flag to the certificate, in a
>> direct-key signature (for v6) or primary User ID binding signature (v4)
>> subpacket, which says: "please encrypt to all valid encryption subkeys
>> in this certificate". By default, the flag would be off.
> Are you imagining this as a flag in the Features subpacket?  or some
> other way to implement the flag?
>
>> If it's off (explicitly or implicitly), the implementation should select
>> the newest valid encryption subkey, or - if there are multiple valid
>> encryption subkeys with the same creation timestamp - the subkey with
>> the highest _algorithm ID_.
> Some algorithm IDs support multiple security levels, right?  for
> example, an RSA encryption key (algo ID 1) can have a 1024-bit modulus
> or a 3072-bit modulus.  Or a generic "ECDH" key (algo ID 18) can
> (depending on OID) offer brainpoolP256r1, Curve25519Legacy, or NIST
> p521.  It seems not impossible to have two ECDH subkeys with different
> curves on the same certificate (possibly even created at the same time).
> What should happen in that case?  Maybe we should explicitly allow the
> implementer to choose their own preference ordering between curve OIDs
> for this legacy EDCH case rather than bikeshedding over some strict
> ordering?
>
> Semantically, i think when you say "valid encryption subkey" you mean
> "supported valid encryption subkey", right?  that is, the sender allows
> fallback to "older" keys (or "lower" algorithm IDs) when the newest (or
> highest by algorithm ID) isn't supported.
>
> This would allow a very ambitiously-backward-compatible certificate to
> publish a cert with six encryption-capable subkeys with increasing
> timesteps:
>
>    K0: RSA
>    K1: ECDH/Curve25519Legacy
>    K2: X25519
>    K3: X448
>    K4: ML-KEM-768+X25519
>    K5: ML-KEM-1024+X448
>
> I'm not recommending anyone actually create such a monstrosity, but the
> scheme described would certainly support this use case.
>
> What do other folks think about Daniel's proposed scheme?
>
>       --dkg
>
> _______________________________________________
> openpgp mailing list --openpgp@ietf.org
> To unsubscribe send an email toopenpgp-leave@ietf.org
-- 

*MTG AG*
Dr. Falko Strenzke

Phone: +49 6151 8000 24
E-Mail: falko.strenzke@mtg.de
Web: mtg.de <https://www.mtg.de>

------------------------------------------------------------------------

MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde

This email may contain confidential and/or privileged information. If 
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised 
copying or distribution of this email is not permitted.

Data protection information: Privacy policy 
<https://www.mtg.de/en/privacy-policy>

v2.31.3 | Report a Bug | By Email | System Status