[openpgp] OpenPGP Web Key Directory I-D
Ian Jackson <ijackson@chiark.greenend.org.uk> Wed, 07 November 2018 19:49 UTC
Message-ID: <23523.16831.292658.490356@chiark.greenend.org.uk>
Date: Wed, 07 Nov 2018 19:49:19 +0000
To: openpgp@ietf.org
CC: Werner Koch <wk@gnupg.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/a4ls85C2lalThR7m5QWO9HGD9tQ>
I was referred here
  https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/

I'm not sure exactly what the status of this I-D is or whether the openpgp ietf list is the right place, but it seems to be the best place to send comments.

I. URL final pathname component format

It specifies a URL format ending in a base-32-encoded SHA-1 of a mangled version of the email address associated with the PGP key.

This seems rather odd.

1. SHA-1 is obsolete.

2. The use of a cryptographic hash here makes it harder for a server to conduct an appropriate lookup. For example, if a server defines that all email addresses alice+<something>@example.com are owned by Alice, and Alice tells the server `please advertise my one OpenPGP key for all my email addresses', it is not clear how the server could implement that.

2a. The cryptographic hash does not, however, provide any significant degree of useful obfuscation since a search will usually be able to reverse it.

2b. The cryptographic hash is not needed for space reasons since URLs can easily be as long as email addresses.

3. Supposing the hash were to be retained, choice of base-32 rather than base-64 is unusual and needs to be justified.

4. The lowercasing of the email address is contrary to the Internet mail specifications, where case-sensitivity of the email address is up to the mail domain in question. If the email address were not obfuscated by hashing it would be easy for the webserver to handle case-sensitivity by URL remapping.

Suggested modification: Replace this part of the URL with the URL-encoded email address.

II. URL domain name part

The mail system for some domain, and its web server, are not necessarily on the same host or under the same practical administration. Often webservers are outsourced. Trying to provide this .well-known/openpgpkey subpath may therefore involve complicated interactions between different teams or even different organisations entirely.

Furthermore, the webserver may be less secure than the mail system; whereas this protocol assumes that it is at least as secure.

Suggested modification: the domain name part should have a fixed string prepended.

III. Normative status of this document

I was referred to this I-D from this trail of web pages:
  https://wiki.gnupg.org/EasyGpg2016/PubkeyDistributionConcept
  https://wiki.gnupg.org/WKDDetails
which I reached from someone who asked whether they should deploy this system. This seems a bit odd.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
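
Added example, not part of the original message or of the draft: a sketch of the hashed lookup that points I.2, I.2a and I.4 discuss, next to a lookup on the visible local part. The z-base-32 alphabet, the hashing of the local part only and the `hu/` path segment are taken from the draft rather than from this message; the sub-addressing rule in `plain_lookup`, the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib

# Standard base-32 alphabet and the z-base-32 alphabet used by the draft
# (assumption: the message itself only says "base-32").
STD32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
TO_ZB32 = str.maketrans(STD32, ZB32)


def wkd_hash(local_part: str) -> str:
    """z-base-32(SHA-1(lowercased local part)); 160 bits give 32 characters."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii").translate(TO_ZB32)


def wkd_url(address: str) -> str:
    """Build the lookup URL for an address under the hashed scheme."""
    local, _, domain = address.rpartition("@")
    return f"https://{domain.lower()}/.well-known/openpgpkey/hu/{wkd_hash(local)}"


def hashed_lookup(requested_hash: str, published: dict):
    """Server side, hashed scheme: an exact match on the hash is all it can do."""
    return published.get(requested_hash)


def plain_lookup(local_part: str, rules: dict):
    """Server side, visible local part: a domain policy can be applied.
    Hypothetical policy: everything after '+' belongs to the base mailbox."""
    base = local_part.split("+", 1)[0]
    return rules.get(base)


def reverse_hash(requested_hash: str, candidates: list):
    """Point 2a: a list of likely local parts is enough to undo the hash."""
    return next((c for c in candidates if wkd_hash(c) == requested_hash), None)


# Constructed sample data: Alice has published one key for "alice".
KEY = "<alice's key>"
PUBLISHED = {wkd_hash("alice"): KEY}   # what a hashed directory stores
RULES = {"alice": KEY}                 # what a plain-address directory stores

if __name__ == "__main__":
    print(wkd_url("Alice+lists@Example.COM"))
    print(hashed_lookup(wkd_hash("alice+lists"), PUBLISHED))  # no match
    print(plain_lookup("alice+lists", RULES))                 # Alice's key
```
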