Compare commits

..

No commits in common. "98162b87d6e0a85777c6ca5069d9e9be91431a0e" and "6d0deb643b721345ca537f4a606b10a299a4f596" have entirely different histories.

View file

@ -130,45 +130,47 @@ One mechanism that addresses a part of this issue is *expiration*: By setting th
(minimization)=
## Certificate minimization
Certificate minimization involves selectively filtering out components of a certificate that are not essential for its intended use-case or to mitigate specific security concerns. This practice aims to enhance performance particularly for client software address security vulnerabilities like certificate flooding, and protect user privacy.
Certificate minimization is the practice of presenting a partial view of a certificate by filtering out some of its components.
### Rationale and techniques for minimization
Filtering out some elements of a certificate can serve various purposes:
The strategy behind certificate minimization focuses on creating a streamlined certificate by removing elements not required for its specific application. This approach not only boosts operational efficiency and client software performance but also safeguards OpenPGP communications against various threats. By filtering which components to retain or omit, the process can serve distinct purposes:
- Omitting unnecessary components for specific use-cases. For example, email clients need encryption, signing and certification component keys, but not authentication subkeys, which are used, e.g., for SSH connections.
- Omitting third-party certifications if they are not required for a use-case. ["Certificate flooding,"](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) for example, can lead to consumer software rejecting a certificate entirely. Filtering out third-party User ID certifications on import can mitigate this.
- Sometimes, a certificate organically grows so big that the user software [has problems handling it](https://www.reddit.com/r/GnuPG/comments/bp23p4/my_key_is_too_large/).
- **Omitting unnecessary components**: In contexts such as email encryption, only the keys necessary for encryption, signing, and certification are retained, excluding those like authentication subkeys that are irrelevant to the primary use-case.
- **Omitting third-party certifications**: Proactively filtering these out upon import can prevent the overload of a certificate with excessive certifications, a common tactic in [certificate flooding](https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html) that is designed to render a certificate unusable. This is particularly relevant when certificates grow organically large, to the point that user software [encounters difficulties handling them](https://www.reddit.com/r/GnuPG/comments/bp23p4/my_key_is_too_large/).
### Elements that can be omitted as part of a minimization process
Additionally, specific elements of a certificate can be selectively omitted during the minimization process to tailor the certificate to its use-case, improve manageability, and ensure software compatibility:
There are different types of elements that can be omitted during minimization:
- **Subkeys and their signatures**: Subkeys not used for the current application, along with their associated signatures, can be omitted.
- **Identity components and outdated signatures**: Both self-signatures that have been superseded by newer versions and third-party signatures on identity components that are not necessary can be excluded. This helps keep the certificate lean and focused on its current application, reducing bloat and enhancing performance.
- Subkeys (along with signatures on those subkeys)
- Identity components (along with both their self-signatures and third-party signatures)
- Signatures, by themselves:
- Self-signatures that have been superseded by newer self-signatures for the same purpose
- Third-party certifications
Through these targeted techniques, certificate minimization serves to enhance the practical usability of certificates in various environments and protect against potential security threats and privacy concerns. It strikes a careful balance, maintaining the OpenPGP trust framework while optimizing certificates for efficiency and specific operational contexts.
### Minimization in applications
### Application-specific approaches: Hagrid and GnuPG
#### Hagrid, which runs keys.openpgp.org
#### Hagrid
The [hagrid keyserver software](https://gitlab.com/keys.openpgp.org/hagrid) doesn't publish the identity components in certificates by default. This is a central aspect of the [privacy policy](https://keys.openpgp.org/about/privacy) of the service. Certificates can be uploaded to the service by third parties, which is useful. However, identifying information is only distributed by the service on an explicit opt-in basis.
[Hagrid keyserver software](https://gitlab.com/keys.openpgp.org/hagrid), operating keys.openpgp.org, adopts a privacy-centric model by not automatically publishing identity components of certificates. According to its [privacy policy](https://keys.openpgp.org/about/privacy), the service allows certificates to be uploaded by anyone, but identifying information is shared only with the certificate owner's explicit opt-in. This measure significantly contributes to user privacy and aids in minimizing certificates by default.
Additionally, to mitigate the risk of certificate flooding, Hagrid currently filters out third-party certifications, further aligning with certificate minimization principles.
Separately, third-party certifications are currently filtered out by the service, to avoid flooding attacks.
#### GnuPG
GnuPG introduces two explicit commands for certificate minimization, `clean` and `minimize`, aimed at optimizing certificate size and content.
GnuPG offers two explicit methods for certificate minimization, described [in the GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html) as:
The `clean` command streamlines certificates by removing all but the most recent self-signature for user IDs that are no longer usable due to revocation or expiration, and also purges signatures not contributing to trust calculations.
*clean*
: *Compact (by removing all signatures except the selfsig) any user ID that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring.*
The `minimize` command further reduces the certificate size by retaining only the latest self-signature for each user ID.
*minimize*
: *Make the key as small as possible. This removes all signatures from each user ID except for the most recent self-signature.*
Detailed in the [GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg-devel/OpenPGP-Key-Management.html), these functionalities allow users to manage their certificates efficiently, directly supporting the goals of minimization.
`clean` removes third-party signatures by certificates that are not present in current keyring, as well as other stale data. `minimize` removes superseded signatures that are not needed at the point when the command is executed.
Moreover, GnuPG's approach to handling incoming certificates includes stripping some signatures by default[^gpg-default-strip] to prevent bloating, although this behavior varies across different Linux distributions. For instance, distributions like Debian and Arch Linux have altered this default setting, affecting how third-party certifications are managed upon import.
Independently, GnuPG by default [strips some signatures on key import](https://dev.gnupg.org/T4607#127792)[^gpg-default-strip]. However, a number of Linux distributions change this default behavior, and continue to import signatures without minimization by default. e.g. [Debian](https://dev.gnupg.org/T4628#128513) and Arch Linux: stripping third-party certifications on import, by default, is problematic for users who want to leverage authentication based on the [Web of Trust mechanism](wot).
This variance underscores the importance of understanding your specific GnuPG configuration and its effects on certificate minimization, especially for users relying on the [Web of Trust mechanism](wot) for authentication.
[^gpg-default-strip]: GnuPG's changes in the default handling of third-party certifications on imports were prompted by the 2019 [keyserver flooding event](https://dev.gnupg.org/T4607#127792).
[^gpg-default-strip]: GnuPG's changes in the default handling of third-party certifications on imports were prompted by the 2019 [keyserver flooding](keyserver-flooding) event.
### Limitations that can result from stripping historical self-signatures