From nobody Thu Jul 30 11:52:13 2020 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA133A08E9; Thu, 30 Jul 2020 11:52:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GIb4VEUhWQBp; Thu, 30 Jul 2020 11:52:07 -0700 (PDT) Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC2F13A0898; Thu, 30 Jul 2020 11:52:06 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id ADB06389E4; Thu, 30 Jul 2020 14:31:31 -0400 (EDT) Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id PjOwaLTH1JJd; Thu, 30 Jul 2020 14:31:30 -0400 (EDT) Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 3E211389E2; Thu, 30 Jul 2020 14:31:30 -0400 (EDT) Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E031E281; Thu, 30 Jul 2020 14:52:03 -0400 (EDT) From: Michael Richardson To: openpgp@ietf.org cc: draft-ietf-sacm-coswid@ietf.org X-Attribution: mcr X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Archived-At: Subject: [openpgp] signing COSE (RFC8152) artifacts with openpgp keys X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2020 18:52:10 -0000 --=-=-= Content-Type: text/plain Hi, there is a use case in Software Bill of Materials work (SBOM), where we'd like to integrate into current open source practices easily. Open source projects usually announce new releases with a PGP signed email, a PGP signed git commit, and/or PGP signed tar.gz, usually with a detached signature. The community has developed (web-of-)trust in the release key. (Although in my experience given that I don't have a password that says "TCPDUMP Group", it is often difficult to get people to sign that key, so the web-of-trust is less solid than I'd like) In a number of fora, we are suggesting use of RFC8152 (COSE) objects. One example is draft-ietf-sacm-coswid-15, but there is other work at OMG as well. I would rather not force developers to generate some new key with some new tool. I'd like to let them use their existing PGP keypair(s). Let's forget the software work to make this happen for the moment. (There certainly could be challenges if the key is in a hardware token, and it won't generate raw signatures needed for COSE) Do you think it's appropriate to use the primary key? Would you consider that a specific purpose subkey would be better? It's likely we'd always want to use ECDSA (or EdDSA), so if the primary key wasn't ECDSA, then generating a new subkey would be required anyway. -- Michael Richardson , Sandelman Software Works -= IPv6 IoT consulting =- --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEbsyLEzg/qUTA43uogItw+93Q3WUFAl8jFtMACgkQgItw+93Q 3WVkvwgAu5rqtOUa+UAwz6B7ft9tYW86Aqt2T6glad097SHqCpDyMswN5HliK+Ll NMNryX2RizogP92zcRlZAjdzsU7gWxyYgEV4JOpkeNZKW1scvkKIGJOukVQlUQK0 W2Sr+rv1CNyolROCsQkC5mHa82ZZa894DSkiA5RIiyLDwmuvfveDuWcZvUx0/t1e /uOixtW+6Wh5Pv/0HF//y7M9SlWO8gQhZEXJWC+IOxg9U2t4BshMjPaRKyKIQKnP ykiK8xBocUCbu6xv7zYYMJRyMis24wtOyzjA6ZKehyKPUpPbn6rl3qs5+Re9RUb4 1vElPrp3Z0uPla4JloTWiiCtRzoIEQ== =Xzz4 -----END PGP SIGNATURE----- --=-=-=-- From nobody Thu Jul 30 14:21:35 2020 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FC343A0DCA; Thu, 30 Jul 2020 14:21:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.141 X-Spam-Level: X-Spam-Status: No, score=-1.141 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x-lkTNK6gpp0; Thu, 30 Jul 2020 14:21:30 -0700 (PDT) Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 381B93A0DE8; Thu, 30 Jul 2020 14:21:29 -0700 (PDT) Received: from bell.riseup.net (bell-pn.riseup.net [10.0.1.178]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4BHjyd0PdyzFfdw; Thu, 30 Jul 2020 14:21:29 -0700 (PDT) X-Riseup-User-ID: 244AC37863D249A8BB3341145AB8FD002042E523419D36B7D81DA4C300836917 Received: from [127.0.0.1] (localhost [127.0.0.1]) by bell.riseup.net (Postfix) with ESMTPSA id 4BHjyc3PZSzJmwF; Thu, 30 Jul 2020 14:21:28 -0700 (PDT) Date: Thu, 30 Jul 2020 17:21:27 -0400 From: Santiago Torres-Arias To: Michael Richardson Cc: openpgp@ietf.org, draft-ietf-sacm-coswid@ietf.org Message-ID: <20200730212127.jg572eubfthlf2m4@LykOS.localdomain> References: <29058.1596135123@localhost> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="mkhs7ilfudkkjmek" Content-Disposition: inline In-Reply-To: <29058.1596135123@localhost> Archived-At: Subject: Re: [openpgp] signing COSE (RFC8152) artifacts with openpgp keys X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2020 21:21:34 -0000 --mkhs7ilfudkkjmek Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, Michael. My very personal take on this is: On Thu, Jul 30, 2020 at 02:52:03PM -0400, Michael Richardson wrote: > Do you think it's appropriate to use the primary key? I'd assume that any key that's tagged as a signing subkey would be the appropriate one for this. Generally, primary keys are mainly used for certification and can be used for signing. I think either a primary key or a subkey as long as it is marked for signing. > Would you consider that a specific purpose subkey would be better? >=20 I think in general that is up to the owner of that particular set of keys to decide how to split the functions between his primary key and subkeys. > It's likely we'd always want to use ECDSA (or EdDSA), so if the primary k= ey > wasn't ECDSA, then generating a new subkey would be required anyway. Not sure if this is completely necessary to determine, there are many algorithms that can fit the bill (say, ed25519 is supported in gnupg for a little while)... Cheers! -Santiago --mkhs7ilfudkkjmek Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEkDurc2QOttZVM+/zRo8SLOgWIpUFAl8jOdcACgkQRo8SLOgW IpW8GxAAgasUB0vSlrgPi54OuitSKDIdLBycf6l5DO+lhnJ7KJzIi4KY+Nctl0Yb HJQvE6r6E5YFgLQcXTE2gYfyu/Lj8Wk2LOFcbZsTeSUnB84+A6ItNdO09WBdqsk2 NoiGiQKZXh7hummjcy6UrHhpzuR5V/2TnobCKtFH+etsV4X/k4frdjJWNF/5TFSb NBIq2PCXH8ekjwzmxbkbfOnJiQo78VLTEp5AawyNdVKjQTIP4fuCgtsYrLgA9A3R szwPB728zaPG1H5ojpc9hzh9OgvFjZjKCiUTGX0AJjxuXyqIqLoUhNeK7b7CjaY1 IrFB9Vi5e1x49VFIC+SP+5uyGL82GG3U6upWXRdFmQkQ6Tm2ojocsKDq3B+aPyDa 4HjUIVtaPgkNDcLYbdewHDp9SVIanFcaQxWK1STnj/1wGUX8M4E6RhpF23tKniWE Plee1uV/lorHjuRLdi18jRcjElUARDktpONS3OfdXXQ5rqSPLVXh4l7PbRXRcum4 99R0glYRoaoGmf0KTsep1Ib7AtVaCP7Z8LgExaB8JzpIgrhMtlKgwLkDr0vq1OYC RvYTUC8JHIDtFxTZSHUBqCBwLGyQwK1GQktnKfOvQSxJd8mkPXXzEHv0hUKcO1wC 9PDOh30TXXE6UXBeUcbxH7YW7ICf3whjtva/HOf8LTUd0MZvSjE= =+6T0 -----END PGP SIGNATURE----- --mkhs7ilfudkkjmek--