ietf-openpgp

Re: [openpgp] Privacy-preserving Transferable Public Keys

2019-06-16 07:15:07

Hi Werner,

thanks for your response!

A) Distribute updates to subkeys and the primary key (expiry, revocation, etc),
without revealing the key's UserIDs.

Easy for new and revoked subkeys.

Easy how? You mean by allowing import of subkeys from TPKs without user ids? I'm
a bit confused here: in the patch series I submitted to GnuPG towards that
effect, you said you weren't happy with this approach and referred to this thread.
Perhaps I misunderstood.

Right, direct key signatures can be used but we have not much
experience with them.

Agreed. There are a bunch of details that would have to be figured out for this
approach.

I hope we can agree though that the idea of per-userid preferences ("this user
id prefers Twofish, this other one AES") causes more problems and
inconsistencies than it is worth.

Why should one want to do that?  The user id (i.e. mail address or DNS
name) is important meta data.

User IDs have value when a key wants to publicly claim a designation, and this
is necessary for WoT style workflows where people sign this binding.  But this
use case hasn't exactly stood the test of time.

With key discovery mechanisms like Autocrypt or WKD (the future!), we don't
really depend on user ids anymore.  Clients that have domain knowledge of the
context that keys are used in (e.g.  email clients) can assign much more useful
labels than OpenPGP implementations themselves.  This isn't just theory:
OpenKeychain and K-9 associate keys with email addresses from Autocrypt keys
independently from user ids, and can even work without user ids altogether.
Enigmail maintains a similar mapping, and it is a central part of the Autocrypt
spec.  Sequoia uses a "pet names" concept that works similarly.  I also think
this is basically what GnuPG does with its TOFU trust model, at least that's
what the database structure looks like.

All of that said, I don't want to push super hard towards getting rid of user
ids right now, or even at all.  Perhaps we never can get that far.  But thinking
about where we can reduce metadata that isn't strictly necessary is a good
thing, so yes I would welcome if we converged in a direction that reduced our
reliance on user ids a bit.

Moving from user ids to direct key signatures is probably too difficult in terms
of backwards compatibility. But "unstated user ids", as similarly suggested in
the abuse-resistant-keyserver draft, could be a good compatible step in this
direction.

 - V

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
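
As an added illustration of the "TPKs without user ids" idea discussed in the message above (not code from the post, from GnuPG, or from any project it names): a filter that removes User ID and User Attribute packets, together with the certifications that follow them, from a binary OpenPGP certificate using RFC 4880 packet framing. The function names and the sample packet bodies are constructed placeholders; whether a receiving implementation accepts such a certificate is the open question in the thread.

```python
PUBKEY, SIG, USERID, SUBKEY, USERATTR = 6, 2, 13, 14, 17   # RFC 4880 packet tags

def parse_packets(data):
    """Yield (tag, raw_packet_bytes) for each packet in a binary packet stream."""
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                       # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = (1, 2, 4, 0)[ltype]          # type 3: indeterminate, runs to end of input
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        if i + length > len(data):
            raise ValueError("truncated packet")
        i += length
        yield tag, data[start:i]

def strip_user_ids(cert):
    """Drop User ID / User Attribute packets and the signatures certifying them."""
    out, dropping = [], False
    for tag, raw in parse_packets(cert):
        if tag in (USERID, USERATTR):
            dropping = True                  # start of an identity component
        elif tag in (PUBKEY, SUBKEY):
            dropping = False                 # key material and its signatures are kept
        if not dropping:
            out.append(raw)
    return b"".join(out)

def pkt(tag, body):                          # new-format packet, one-octet length
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample: placeholder bodies, not real key material.
SAMPLE = (pkt(PUBKEY, b"primary") + pkt(SIG, b"direct-key-sig")
          + pkt(USERID, b"Alice <alice@example.org>") + pkt(SIG, b"uid-cert")
          + bytes([0x80 | (SUBKEY << 2), 6]) + b"subkey" + pkt(SIG, b"binding-sig"))
```

Signatures that directly follow the primary key (direct-key signatures, key revocations) and subkey binding signatures pass through unchanged, which is what lets expiry and revocation updates travel without the identity packets.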
