IETF Logo Mail Archive

Re: [openpgp] To bind or not to bind

Justus Winter <justus@sequoia-pgp.org> Sat, 23 March 2024 23:41 UTC

Return-Path: <justus@sequoia-pgp.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 645D0C14CEFD for <openpgp@ietfa.amsl.com>; Sat, 23 Mar 2024 16:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=sequoia-pgp.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jClhoEt4lsc3 for <openpgp@ietfa.amsl.com>; Sat, 23 Mar 2024 16:41:34 -0700 (PDT)
Received: from harrington.uberspace.de (harrington.uberspace.de [185.26.156.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEBC6C14F73E for <openpgp@ietf.org>; Sat, 23 Mar 2024 16:41:33 -0700 (PDT)
Received: (qmail 29598 invoked by uid 500); 23 Mar 2024 23:41:31 -0000
Authentication-Results: harrington.uberspace.de; auth=pass (plain)
Received: from unknown (HELO unkown) (::1) by harrington.uberspace.de (Haraka/3.0.1) with ESMTPSA; Sun, 24 Mar 2024 00:41:30 +0100
From: Justus Winter <justus@sequoia-pgp.org>
To: Aron Wussler <aron@wussler.it>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>
In-Reply-To: <mUg-9v4FTMUYeDGa3AimMKuJI7Zy5ycxfEpfHN64enr0BP85qK6-Pt3lcgD-VzUfNLBMy2DLha7k_cmP8YXu2c_yMj68sVsPecwOpsiRItA=@wussler.it>
References: <EGivTgyfjNm_TAvhds1OPA2c0O6LP9lFnkwWHHKLJY8ReJOgtDh3tnYsCSR8yrrBLbpeehtUgIJEhynae8L3daRimNiGO7BAb3cVvC66q-4=@wussler.it> <87a5mqi0xi.fsf@europ.lan> <WKKpi2FW6r9Pftm6kgrVNtXvOXa2U9kz9R0wqlGYuPDl9nRkrcvVM3a2cfviolf1XN83lhPh2KxfzXb2A6d8HeQ4qdKYNd8LlqbtC1cRgCM=@wussler.it> <mUg-9v4FTMUYeDGa3AimMKuJI7Zy5ycxfEpfHN64enr0BP85qK6-Pt3lcgD-VzUfNLBMy2DLha7k_cmP8YXu2c_yMj68sVsPecwOpsiRItA=@wussler.it>
Date: Sun, 24 Mar 2024 00:41:29 +0100
Message-ID: <874jcwikie.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Rspamd-Bar: --
X-Rspamd-Report: BAYES_HAM(-0.19338) SIGNED_PGP(-2) MIME_GOOD(-0.2)
X-Rspamd-Score: -2.39338
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sequoia-pgp.org; s=uberspace; h=from:to:cc:subject:date; bh=Y5He+tmTJ2AeEZ2eFOzjeOhwhVipfk8ZP61nIMGBqhA=; b=LMmno/uJEzlhAyy68R+CkileoNDT03+0Daz3NXvjuW8n/aY3MdTimnNVQTpGsaA1IY7FFpk+ra E9lPnRbDLJtd4PZnoU6n6wqUHxd1aKCbbBOuNW2aIQwiN5hNS53aUci4ovNpq5dgJK3WYv2KjWez kZSz2yf0TF0IXgPjyj7hTcFI9Ae4P1O4r5EY5975hXfMfsfNNEhdtTUCTyGGavsZLubrcDFQMiob +eobkdIB68UixyCW3eM0zGqqxK0fVP7kcRqZETxBtIbmJWQmvDRwNu/tctWRn9rNTl2yVuzkzHCN ZD/B6UIi7AAkcxHmZOiaC6WxB9o5w0629F4t7dEupc6jT/Bz3atNqD5bvXTtQsMhkJQdAxThCDhT Yy5sbTdXX6VEn50nrNbuc2VZ/+/rdEdfED9w+teWwHeNhKKJ2Wd3kEMb0a37dxU3H2Qrp0zDqLaK pzbjvLqj4HUIQ145a+3z5aVNGEz0fY0WjqErct7wRzrsdo4oEIFgoECg3GyL4b5nYS9D5KKzwOXS kQW/l0MUp5G/R6uKvJJ+Ne2UMfff5Hw13VXH8n7mXpETC6Z1fWIFih4tfh7hj786pLSinSLh+KHx gwaOe4r+W6dXqAC1Z470NVzb1ChUy+cfC4l8nzPTTE+5V8prqq4ZNGkGYexkaK237pZNeuQi7hDc A=
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/z-nBOo3dbQ3dOJ6r4x3JPWIciIE>
Subject: Re: [openpgp] To bind or not to bind
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 23:41:38 -0000

Aron Wussler <aron@wussler.it> writes:

> And add an explanation, the test failures are:
> - pgpy that is a fairly niche implementation
> - gopenpgp that is mostly in control of a single provider (and we should take care of updating our clients to v3)

I had a closer look at the test past-me wrote.  Quoting the description:

> The test verifies a signature with a certificate containing a mock key
> using an unsupported algorithm or curve. The signature is made using
> the primary key over the message Hello World :). The mock subkey is
> not involved in any way, besides being present in the certificate.

So the test is trying to verify a signature using the certificate that
contains the PQC encryption key, it is not only affecting encryption.

For example, this will likely affect Github, who is using an
implementation related to gopenpgp, and, given that they haven't even
managed to migrate to gopenpgp v2, I doubt that they will in due time
migrate to the not yet released gopenpgp v3.

I don't want to pick on gopenpgp too much, but I have been identifying
forward compatibility problems in gopenpgp and other implementations for
years, and right now, as I'm writing this, there are open issues in the
tracker:

- https://github.com/ProtonMail/gopenpgp/issues/69
- https://github.com/ProtonMail/gopenpgp/issues/70
- https://github.com/ProtonMail/gopenpgp/issues/72

All these issues include the words "Unknown versions [...] should be
ignored to allow for a smooth evolution of the OpenPGP message format",
or words to that effect.

I think it would have been great to allow PQC encryption subkeys in v4
certificates.  But now I fear that this ship has sailed, and introducing
PQC encryption subkeys to v4 certificates will break in unexpected
places and this will outweigh the benefits that you see.

> - rnp, that AFAIK mostly affects Thunderbird. Given that Kai seems to be fairly supportive of v4, it's in his interest adding that flag to the packaged build.

And then we tell every downstream consumer of RNP that they must use
this one weird trick when importing certificates or RNP will choke on
PQC-enabled v4 keys?  That doesn't seem viable to me.

Best,
Justus

v2.23.0 | Report a Bug | By Email