mirror of
https://codeberg.org/openpgp/notes.git
synced 2025-09-10 11:49:40 +02:00
Add notes about certificate minimization
This commit is contained in:
Wiktor Kwapisiewicz
parent
c410108a67
commit
7cd587e8dd
1 changed files with 52 additions and 0 deletions
|
|
@ -251,6 +251,58 @@ This section only contains notes and still needs to be written
|
|||
|
||||
Minimized versions, merging, effective "append only" semantics, ...
|
||||
|
||||
#### Certificate minimization
|
||||
|
||||
Certificate minimization is a practice of presenting partial view of a certificate by filtering out selected components.
|
||||
|
||||
Stripping some components has several benefits:
|
||||
- since everyone can append data to other certificates by certifying User IDs this in the worst case can lead to ["certificate flooding"](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) which inflates the target certificate to the point that the consumer software rejects the certificate completely,
|
||||
- in some contexts it's clear that the entire certificate is not necessary to facilitate some workflows, for example e-mail clients require only encryption, signing and certifying component keys and they don't need authentication subkeys that are used for SSH connections,
|
||||
- sometimes the certificate grows naturally so big that the user software [has problems handing it](https://www.reddit.com/r/GnuPG/comments/bp23p4/my_key_is_too_large/).
|
||||
|
||||
##### Implementations
|
||||
|
||||
GnuPG is [stripping signatures on key import](https://dev.gnupg.org/T4607#127792).
|
||||
|
||||
Besides that GnuPG also offers two ways of cert minimization, described [in their manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html) as:
|
||||
|
||||
> - clean
|
||||
> Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring.
|
||||
> - minimize
|
||||
> Make the key as small as possible. This removes all signatures from each user ID except for the most recent self-signature.
|
||||
|
||||
`clean` removes signatures from keys that are not present in current keyring as well as stale data while `minimize` removes signatures that are not needed at the point when the command is executed.
|
||||
|
||||
Some libraries, such as Sequoia, depend on old self-signatures as they construct a view of the certificate in the past, when the signature was allegedly created. This can cause problems with signature verification as [reported in rpm-sequoia ticket](https://github.com/rpm-software-management/rpm-sequoia/issues/50#issuecomment-1689642607) where Sequoia ultimately would revert back to GnuPG-specific approach.
|
||||
|
||||
##### Autocrypt/WKD minimization
|
||||
|
||||
E-mail clients depend only on a limited subset of components of the certificate, thus it's possible to construct a smaller key that will be easier to transfer buy mail user-agents.
|
||||
|
||||
For example the following fragment drops any subkey that is not usable at the time of export. Additionally all Authentication subkeys are stripped since they do not have any use for e-mail:
|
||||
|
||||
```sh
|
||||
gpg --export-options export-minimal,export-clean,no-export-attributes --export-filter keep-uid=mbox=wiktor@metacode.biz --export-filter 'drop-subkey=expired -t || revoked -t || usage =~ a' --export wiktor@metacode.biz
|
||||
```
|
||||
|
||||
At the time of writing this exported key has exactly 3771 bytes which is significantly smaller from a full key which weights 152322 bytes. The minimization made the key 40 times smaller which may be important in some contexts (e.g. e-mail headers).
|
||||
|
||||
Note that in some contexts it's not clear if minimization brings more benefit than harm. Consider ProtonMail client which fetches OpenPGP certificates via WKD automatically when composing a message. It needs only subkeys. But if the same key is fetched as part of automatic signature verification then stripping certifications and leaving only subkeys would prevent the client from performing Web of Trust calculations and authenticating the certificate.
|
||||
|
||||
##### Pitfalls of minimization
|
||||
|
||||
Disadvantages of minimized certificates:
|
||||
- does not present full view on how the certificate evolved,
|
||||
- as other certificates are collected, the certifications that were previously unusable become usable again, minimization prevents this mechanism,
|
||||
- removing keys unusable by the minimizing implementation may mean the receiver will not see them even if *they* support them,
|
||||
- refreshing keys from keyservers will inflate the key again since OpenPGP certificates are append-only structures,
|
||||
- carelessly stripping all invalid components may make the key unusable. Some libraries, such as [anonaddy-sequoia](https://gitlab.com/willbrowning/anonaddy-sequoia/-/blob/master/src/sequoia.rs?ref_type=heads#L125) strip all unusable encryption subkeys unless it leaves the key with no encryption subkeys. In this case at least one subkey is left. Even though it may be expired it presents a better UX for the end-user who probably is still in possesion of the private key for decryption.
|
||||
|
||||
##### Guidelines
|
||||
|
||||
1. Don't minimize certificates unless you have a good reason to
|
||||
2. If presenting minimzied certificate view consider when it needs updates. In the best case the certificate would be minimized on demand (e.g. Autocrypt header constructed when the e-mail is sent or composed) and the client would merge all data collected.
|
||||
|
||||
### "Naming" a certificate in user-facing contexts - fingerprints and beyond
|
||||
|
||||
```{admonition} TODO
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue