ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker"

2019-07-31 15:35:00
from [Daniel Kahn Gillmor] [Permanent Link] 
The "revocation key" subpacket is problematic.  It is the the most
fragile piece of the specification wrt the fingerprint (collisions
against a fingerprint can create surprising revocation effects).  And
it is potentially difficult to rely on for clients which might not be
able to find the revoking key (for example, if keyservers are
unavailable).

It is also not currently widely used.

This patch to the spec deprecates the "revocation key" subpacket and
replaces it with a "designated revoker" subpacket that includes the
full key, rather than the fingerprint.

The only cost here appears to be slightly increased size of the new
subpacket type by comparison, which is an entirely reasonable cost
that the (rare) users of this feature should be able to bear.

I've cargo-culted in the "class" octet from "Revocation Key".  I'm not
sure that octet is particularly useful, and i'd be happy to drop it if
folks want to, but i didn't want to muddle the waters with a semantic
change in addition to this mechanical change.

Signed-off-by: Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net>
---
 middle.mkd | 61 ++++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 46 insertions(+), 15 deletions(-)

diff --git a/middle.mkd b/middle.mkd
index 51f71a6..a2d3ae6 100644
--- a/middle.mkd
+++ b/middle.mkd
@@ -757,7 +757,7 @@ These meanings are as follows:
       directly on a key.  It binds the information in the Signature
       subpackets to the key, and is appropriate to be used for
       subpackets that provide information about the key, such as
-      the Revocation Key subpacket.  It is also appropriate for
+      the Designated Revoker subpacket.  It is also appropriate for
       statements that non-self certifiers want to make about the
       key itself, rather than the binding between a key and a
       name.
@@ -766,7 +766,7 @@ These meanings are as follows:
   :   Key revocation signature. The signature is calculated
       directly on the key being revoked. A revoked key is not to
       be used.  Only revocation signatures by the key being
-      revoked, or by an authorized revocation key, should be
+      revoked, or by a designated revoker, should be
       considered valid revocation signatures.
 
 0x28
@@ -774,7 +774,7 @@ These meanings are as follows:
       directly on the subkey being revoked. A revoked subkey is
       not to be used.  Only revocation signatures by the top-level
       signature key that is bound to this subkey, or by an
-      authorized revocation key, should be considered valid
+      designated revoker, should be considered valid
       revocation signatures.
 
 0x30
@@ -782,7 +782,7 @@ These meanings are as follows:
       earlier User ID certification signature (signature class
       0x10 through 0x13) or direct-key signature (0x1F).  It should
       be issued by the same key that issued the revoked signature
-      or an authorized revocation key.  The signature is computed
+      or a designated revoker.  The signature is computed
       over the same data as the certificate that it revokes, and
       should have a later creation date than that certificate.
 
@@ -1039,7 +1039,7 @@ The value of the subpacket type octet may be:
            9   Key Expiration Time
           10   Placeholder for backward compatibility
           11   Preferred Symmetric Algorithms
-          12   Revocation Key
+          12   Revocation Key (deprecated)
     13 to 15   Reserved
           16   Issuer
     17 to 19   Reserved
@@ -1058,6 +1058,7 @@ The value of the subpacket type octet may be:
           32   Embedded Signature
           33   Issuer Fingerprint
           34   Preferred AEAD Algorithms
+          35   Designated Revoker
   100 to 110   Private or experimental
 
 An implementation SHOULD ignore any subpacket of a type that it does
@@ -1294,18 +1295,48 @@ description of the syntax is found in 
[](#regular-expressions) below.
 
 #### Revocation Key
 
-(1 octet of class, 1 octet of public-key algorithm ID, 20 or 32 octets
-of fingerprint)
+(1 octet of class, 1 octet of public-key algorithm ID, 20 octets
+of v4 fingerprint)
 
-V4 keys use the full 20 octet fingerprint; V5 keys use the
-full 32 octet fingerprint
+This mechanism is deprecated.  Applications MUST NOT generate such a
+subpacket.  An application that wants this functionality SHOULD
+instead produce a Designated Revoker subpacket described in
+[](#designated-revoker).  The advantage of the Designated Revoker
+packet is twofold: it can be used unambiguously to validate
+revocations without causing an extra lookup; and it is resistant to
+any flaws found in the fingerprint.
 
-Authorizes the specified key to issue revocation signatures for this
-key.  Class octet must have bit 0x80 set.  If the bit 0x40 is set,
-then this means that the revocation information is sensitive.  Other
-bits are for future expansion to other kinds of authorizations.  This
-is only found on a direct-key self-signature (type 0x1f).  The use on
-other types of self-signatures is unspecified.
+This packet authorizes the specified v4 key to issue revocation
+signatures for this key.  Class octet must have bit 0x80 set.  If the
+bit 0x40 is set, then this means that the revocation information is
+sensitive.  Other bits are reserved and MUST be 0.  This is only found
+on a direct-key self-signature (type 0x1f).  The use on other types of
+self-signatures is unspecified.
+
+If the "sensitive" flag is set, the keyholder feels this subpacket
+contains private trust information that describes a real-world
+sensitive relationship.  If this flag is set, implementations SHOULD
+NOT export this signature to other users except in cases where the
+data needs to be available: when the signature is being sent to the
+designated revoker, or when it is accompanied by a revocation
+signature from that revoker.  Note that it may be appropriate to
+isolate this subpacket within a separate signature so that it is not
+combined with other subpackets that need to be exported.
+
+#### Designated Revoker
+
+(1 octet of class, N octets of public key)
+
+Authorizes the embedded public key to issue revocation signatures for
+this key.  Class octet must have bit 0x80 set.  If the bit 0x40 is
+set, then this means that the revocation information is sensitive.
+Other bits are for future expansion to other kinds of authorizations.
+This is only found on a direct-key self-signature (type 0x1f).  The
+use on other types of self-signatures is unspecified.
+
+The remaining N octets of the of the packet MUST consist of a complete
+Public-Key Packet (tag 6) that can be used to verify revocation
+signatures.
 
 If the "sensitive" flag is set, the keyholder feels this subpacket
 contains private trust information that describes a real-world
-- 
2.20.1

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Bug#931238: hot armor: please drop "Version: " header, Daniel Kahn Gillmor
Next by Date:  Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker", Daniel Kahn Gillmor
Previous by Thread:  Re: [openpgp] Bug#931238: hot armor: please drop "Version: " header, Clint Adams
Next by Thread:  Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revocation Key", replacing with full-key "Designated Revoker", Daniel Kahn Gillmor
Indexes:  [Date] [Thread] [Top] [All Lists]