IETF Logo Mail Archive

[openpgp] primary key binding signature requirement

"Neal H. Walfield" <neal@walfield.org> Thu, 01 December 2022 09:33 UTC

Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3551C152584 for <openpgp@ietfa.amsl.com>; Thu, 1 Dec 2022 01:33:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.896
X-Spam-Level:
X-Spam-Status: No, score=-6.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rmILB-D1o9Rc for <openpgp@ietfa.amsl.com>; Thu, 1 Dec 2022 01:33:15 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [202.61.250.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1551EC14CE5F for <openpgp@ietf.org>; Thu, 1 Dec 2022 01:33:14 -0800 (PST)
Received: from p5de92f23.dip0.t-ipconnect.de ([93.233.47.35] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1p0fwM-0002n9-IY for openpgp@ietf.org; Thu, 01 Dec 2022 10:33:10 +0100
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <neal@walfield.org>) id 1p0fwL-006h5L-Km for openpgp@ietf.org; Thu, 01 Dec 2022 10:33:10 +0100
Date: Thu, 01 Dec 2022 10:33:09 +0100
Message-ID: <87v8mv4gfe.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: IETF OpenPGP WG <openpgp@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/zmZkNg42Dw_H6S6KyNu09GIgv2Y>
Subject: [openpgp] primary key binding signature requirement
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2022 09:33:18 -0000

Section 11.1.1 Common requirements says:

   Each Subkey packet MUST be followed by one Signature packet, which
   should be a subkey binding signature issued by the top-level key.
   For subkeys that can issue signatures, the subkey binding signature
   MUST contain an Embedded Signature subpacket with a primary key
   binding signature (0x19) issued by the subkey on the top-level key.

   https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-07#section-11.1.4

What does it mean for a subkey to issue signatures?  I think
authentication subkeys technically issue signatures, but they don't
normally include a primary key binding signature.  For instance,
here's the `sq packet dump` output for an authentication-capable
subkey created using gpg 2.2.27:

  Public-Subkey Packet, old CTB, 397 bytes
      Version: 4
      Creation time: 2022-12-01 09:26:21 UTC
      Pk algo: RSA
      Pk size: 3072 bits
      Fingerprint: 136ABFA01DD47269514F757B10F4A631F1CB5D14
      KeyID: 10F4A631F1CB5D14

  Signature Packet, old CTB, 438 bytes
      Version: 4
      Type: SubkeyBinding
      Pk algo: RSA
      Hash algo: SHA512
      Hashed area:
        Issuer Fingerprint: 188A993D54814E76FF988779E962990F14D5ACA4
        Signature creation time: 2022-12-01 09:26:21 UTC
        Key flags: A
      Unhashed area:
        Issuer: E962990F14D5ACA4
      Digest prefix: 3C63
      Level: 0 (signature over data)

Should authentication-capable subkeys include a primary key binding
signature?  If not, perhaps it makes sense to change the language in
11.1.1 to say something like:

  if a subkey binding signature includes the Key Flags subpacket and
  the certification capability (0x1) or the signing capability (0x2)
  is set, then the subkey binding signature must also contain a valid
  primary key binding signature issued by the subkey over the primary
  key.

Neal

v2.23.0 | Report a Bug | By Email