IETF Logo Mail Archive

Re: [openpgp] To bind or not to bind

Aron Wussler <aron@wussler.it> Tue, 02 April 2024 07:56 UTC

Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9261C151980 for <openpgp@ietfa.amsl.com>; Tue, 2 Apr 2024 00:56:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMXJtC5YKR20 for <openpgp@ietfa.amsl.com>; Tue, 2 Apr 2024 00:56:24 -0700 (PDT)
Received: from mail-40136.proton.ch (mail-40136.proton.ch [185.70.40.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE80CC14CE39 for <openpgp@ietf.org>; Tue, 2 Apr 2024 00:56:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail3; t=1712044580; x=1712303780; bh=muOwvVz2aaxqrClRx0/gb67PGAmtDMFCk6OIxkBs1uY=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=1W0R+ajecghHI7hGN7YHQosOZwqMmlOlvLWRH3zlDBLu9MC0oUEDA/PrrPzTYs1cQ AQsyP/lhdpCjr0NnHfsQeFkDGbTOx7VZQo86dfj4xhjlcwSFk/Kk6eg4SryHYNvLeM sTRqgR5zNvke/ldEJjROaEROL0SBH7YmQ2Crxg6g7g50DBIC3l3JolYOlTrum6XHvS a9a9SGuhcgrT2F79dTYE15L3sKuG3oB+xQTVrxGRtTNRhSFKS0siw8N2UcWKrCD+Wm mRtl1/YNqIa0fajX943vKExkUhsYlgQAk9MKKUqB3Ls/pHcqJG/0cYLeM85GtYwodm sp3Qkt3n91J0g==
Date: Tue, 02 Apr 2024 07:56:12 +0000
To: Justus Winter <justus@sequoia-pgp.org>
From: Aron Wussler <aron@wussler.it>
Cc: Andrew Gallagher <andrewg@andrewg.com>, Falko Strenzke <falko.strenzke@mtg.de>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, openpgp@ietf.org
Message-ID: <tjnjaB52IRv2u1L5YENIvZ1NU0_AcMm3hH_sKvcDCg0Y9gD0cCE16H0A2Nqd0B6FnJ5rc_d_3ziyiNvDj1C0xlGWbHhkbqzjgwQD3abYUL8=@wussler.it>
In-Reply-To: <87sf0bhnjc.fsf@europ.lan>
References: <87a5mqi0xi.fsf@europ.lan> <23B46D65-EAF7-43D0-A5F1-04D28B698559@andrewg.com> <87sf0h32d3.fsf@fifthhorseman.net> <cd9a18d9-2d13-48d2-98e0-2ae268f68215@mtg.de> <87y1a6has4.fsf@europ.lan> <14a80b96-9860-461d-b9fe-e38e3bf651b1@mtg.de> <87v858gcmv.fsf@europ.lan> <8169558D-E770-495C-89BB-93F9BD42035A@andrewg.com> <87sf0bhnjc.fsf@europ.lan>
Feedback-ID: 10883271:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------66d5102025345fce0f8942f5633747bff7d9d7b71e1eab6c083bbe319f387152"; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yzsZNRknKhJSsj57GM-Ih7txenc>
Subject: Re: [openpgp] To bind or not to bind
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 07:56:29 -0000

Hi Justus,

I can't see the irreparable damage that you're referring to. Making a key that a few implementations can't parse IMO offers the same friction than having an expired old key around, and having to distribute a new one to the contacts still using the old one.

On the other hand, I think the argument "whatever is compatible with PQC should also be compatible with V6" is a valid one - and this may boil down to Kai's point, that they're not ready to move to V6.

I agree that adding a V4 PQC key is a bit of a dirty hack, but mandating their refusal may be a too hard solution.

Cheers,
Aron

--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930



On Wednesday, 27 March 2024 at 13:22, Justus Winter <justus@sequoia-pgp.org> wrote:

> Hi Andrew :)
> 

> Andrew Gallagher andrewg@andrewg.com writes:
> 

> > On 27 Mar 2024, at 11:03, Justus Winter justus@sequoia-pgp.org wrote:
> > 

> > > I could also add a PQC encryption subkey to my existing v4 key.
> > > In this case, I think it is not unreasonable to expect it to continue to
> > > work with PGPy (or GopenPGPv2), but it does not.
> > 

> > I think this is a valid concern, however the impact is highly
> > dependent on how many deployed clients rely on these libs. If Proton
> > and Thunderbird were able to migrate themselves within a reasonable
> > timeframe, what would be left outstanding? Are we getting worked up
> > over something that has a relatively straightforward fix?
> 

> 

> I don't think the fix is as straight forward. Because there are a great
> number of v4 implementations out there, some of which we don't even know
> exist. How can we know how these are sufficiently robust to support
> this opportunistic upgrade path?
> 

> We can not, of course, but we can make an educated guess based on the
> available data. I survey a subset of implementations, among them the
> most notable ones. And the results indicate that even among the most
> notable ones (which are presumably of higher quality), we don't see the
> required robustness that we'd need to do this right now.
> 

> This leads me to believe that many of the unknown implementations (which
> are presumably of lower quality, not because of a lack of skill, but due
> to a lower amount of (public) exposure) will also not be robust enough.
> 

> As a single data point, we know that Github uses an implementation
> derived from Google's OpenPGP implementation for Go (which aiui GopenPGP
> is also derived from). Assuming the test results for GopenPGPv2 hold
> for x/crypto/openpgp, adding a PQC encryption subkey to a v4 key would
> break Github's signature verification.
> 

> Best,
> Justus
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp

v2.23.0 | Report a Bug | By Email