Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 July 2019 22:01 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54476120152 for <openpgp@ietfa.amsl.com>; Wed, 31 Jul 2019 15:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=0Sdwk4zR; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=iMdK/aNP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sEU6OD0VX2o7 for <openpgp@ietfa.amsl.com>; Wed, 31 Jul 2019 15:01:17 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36BF012006D for <openpgp@ietf.org>; Wed, 31 Jul 2019 15:01:17 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1564610476; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=iePwTSuz+WuVDOGQqSDGZZ32mC9WZbZdDVd5GxotsPg=; b=0Sdwk4zRn5YTgGp+fZLaVXhz5wMOf8hHiSyn1FAOlAIBhTj36cyU0Yf5 tInmEBv22/LMitD8XuO15v5/cwBcCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1564610475; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=iePwTSuz+WuVDOGQqSDGZZ32mC9WZbZdDVd5GxotsPg=; b=iMdK/aNPR1WlDdvo3pmCjW+Qd8oxDzyxRWb61d4Ho0adECoCCgLV6r4l Xl4/LM5xiakdIzCFbI5o3/vnLXOylCZScSRLyWEfjfz/CYBqqntY55ZAYe 5iLmynKBeO1q5CbskQt18RA0z1Z3pA0Xgl4G4CQJRILEC4ZZzkJhiCVerY oGVw/p5wNj6XYRZtoP1bfRLFgQk0DPRoAmn057XMjcgx8EKJBXdR50/e7s fzf8ShXLTcRZpKZXD8FGNYhxuDsVYP6btbD5zin15n0VgDpORn/GC1gu+X mPcVBzTvnmwML9ZcLDTavTW2tGAxqb1GKTYW40sNA6P8r+Eil7ZcUA==
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id C9CA3F99D; Wed, 31 Jul 2019 18:01:15 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 7F49B2025E; Wed, 31 Jul 2019 18:01:12 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: IETF OpenPGP WG <openpgp@ietf.org>
In-Reply-To: <87v9vh53gw.wl-neal@walfield.org>
References: <87iocqepta.fsf@littlepip.fritz.box> <20190731203444.4822-1-dkg@fifthhorseman.net> <87v9vh53gw.wl-neal@walfield.org>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Wed, 31 Jul 2019 18:01:12 -0400
Message-ID: <877e7xsw2f.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/zPQMyhSQPoOZagN9KT2m60T2CeM>
Subject: Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2019 22:01:20 -0000

On Wed 2019-07-31 22:55:11 +0200, Neal H. Walfield wrote:
> Justus proposed an embedded TPK subpacket for cases like this with
> this as a motivating example.  See:
>
>   Subject: [openpgp] Embedded TPK subpacket
>   From: Justus Winter <justuswinter@gmail.com>
>   Date: Mon, 25 Mar 2019 10:20:45 +0100
>   Message-ID: <87ef6v71jm.fsf@europa.jade-hamburg.de>
>
>   https://mailarchive.ietf.org/arch/msg/openpgp/F1Wdrldzd3k9tqOos4hmokOV0r0
>
> Do you think a point solution is better?

sure, i think Embedded TPK is interesting, but it's much more than is
needed for having a designated revoker.  The additional complexity comes
at a cost i'd rather not impose for implementers.

For a designated revoker, we don't care about who the revoking key
belongs to.  we just care that we know it.

once you have an embedded TPK, then you have some kind of potentially
recursive situation (as Marcus pointed out).  it's also strange because
a TPK is not a static entity -- it changes over time as the composable
certificate mutates.  So embedding such a thing in a self-sig is looking
at a particular version, and implies things like expiration, etc.  we
don't want an endpoint that is trying to process a designated revoker to
be distracted by the additional non-public-key packets.

it's also not clear that an embedded TPK subpacket in a self-sig that
also has a "Revoker Key" subpacket is necessarily referring to the
revoker key itself -- the semantics are potentially ambiguous, as an
embedded TPK subpacket in a different signature packet would have
different semantics.  I'm not fond of that kind of ambiguity.

Additionally, what if there are multiple embedded TPK subpackets, or if
the embedded TPK subpacket's primary key fingerprint doesn't match the
"revoker key" fingerprint?

Finally, if a client processes a direct-key signature with a "revoker
key" subpacket that *doesn't* have an embedded TPK, they're just back in
the soup.  I think the deprecation story is clearer to just burn the old
subpacket type entirely (it was originally specified very much in
v4-only mode), and have an unambiguous subpacket for this use case.  It
is at least marginally simpler for an implementation to say "i don't
support 'revoker key' but i do support 'designated revoker'" than it is
to say "i only support 'revoker key' if it is in a direct key signature
that contains exactly one embedded TPK whose primary key fingerprint
matches the 'revoker key' fingerprint". 

In general, i think we should not aim for maximum flexibility in the
format specification, because that flexibility is a major cost for
implementers.  I'd rather identify the specific use cases we want to
support and clearly and unambiguously ensure that the spec meets those
use cases.

        --dkg