Internet-Draft pgp-grease February 2025
Gallagher Expires 7 August 2025 [Page]
Workgroup:
openpgp
Internet-Draft:
draft-gallagher-openpgp-grease-00
Updates:
9580 (if approved)
Published:
Intended Status:
Standards Track
Expires:
Author:
A. Gallagher, Ed.
PGPKeys.EU

GREASE Code Points in OpenPGP

Abstract

This document reserves code points in various OpenPGP registries for use in interoperability testing, by analogy with GREASE in TLS.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://andrewgdotcom.gitlab.io/openpgp-grease. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-gallagher-openpgp-grease/.

Discussion of this document takes place on the OpenPGP Working Group mailing list (mailto:openpgp@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/openpgp/. Subscribe at https://www.ietf.org/mailman/listinfo/openpgp/.

Source for this draft and an issue tracker can be found at https://gitlab.com/andrewgdotcom/openpgp-grease.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 August 2025.

Table of Contents

1. Introduction

GREASE [RFC8701] is an existing specification to ensure forwards compatibility of assigned code points in TLS. We wish to specify a similar mechanism for OpenPGP. This will be particularly useful in the OpenPGP Interoperability Test Suite [INTEROP], but is not restricted to controlled environments. It is expected that implementations will include PGP-GREASE code points in real-world artifacts on an ongoing basis, to encourage forwards-compatible coding across multiple implementations.

2. Conventions and Definitions

The term "OpenPGP Certificate" is used in this document interchangeably with "OpenPGP Transferable Public Key", as defined in Section 10.1 of [RFC9580].

For avoidance of confusion with GREASE in TLS, we will use the term "PGP-GREASE" for the equivalent mechanism in OpenPGP.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Reservation of PGP-GREASE Code Points

We assign the following one-octet code points to PGP-GREASE:

Table 1: OpenPGP GREASE Code Points
Sequence Code Point (Decimal) Code Point (Hexadecimal)
1 123 0x7b
2 44 0x2c
3 55 0x37
4 66 0x42
5 77 0x4d
6 88 0x58
7 99 0x63
8 111 0x6f

These code points will be reserved for PGP-GREASE in the following registries:

Table 2: OpenPGP GREASE Registries
Registry Name Notes
OpenPGP String-to-Key (S2K) Types (1)
OpenPGP User Attribute Subpacket Types  
OpenPGP Image Attribute Encoding Format  
OpenPGP Signature Subpacket Types (2)
OpenPGP Reason for Revocation (Revocation Octet) (1)
OpenPGP Public Key Algorithms  
OpenPGP Symmetric Key Algorithms  
OpenPGP Hash Algorithms  
OpenPGP Compression Algorithms  
OpenPGP Secret Key Encryption (S2K Usage Octet) (3)
OpenPGP Signature Types  
OpenPGP Image Attribute Versions  
OpenPGP AEAD Algorithms  
OpenPGP Key and Signature Versions  

  1. The use of PGP-GREASE code points in the String-to-Key Types and Reason for Revocation registries is not currently specified, however the code points will be reserved for consistency.

  2. When PGP-GREASE code points from the Signature Subpacket Types registry are used, the critical bit MUST NOT be set.

  3. All code points allocated in the Symmetric Key Algorithms registry are automatically also allocated in the S2K Usage Octet registry.

Due to the smaller number of allocatable code points (63) in the OpenPGP Packet Types registry, most PGP-GREASE values cannot be used as Packet Types. In addition, implementations pre-dating [RFC9580] are not required to ignore unknown packet types. A Marker packet (Section 5.8 of [RFC9580]) SHOULD therefore be used instead. Packet Types 44 and 55 MAY be used if it is known that the receiving implementation supports [RFC9580].

Note that [INTEROP] currently uses signature version 23 as a de-facto GREASE code point. This is intentionally not included here, as we prefer code points that are available for reservation across multiple registries.

4. Usage of PGP-GREASE Code Points

An implementation MAY insert dummy packets or subpackets into otherwise valid packet sequences. It MAY also include dummy code points in preference lists. The data section of dummy packets and subpackets SHOULD contain only the ten octets "PGP-GREASE", in UTF-8 encoding. All other fields of dummy packets and subpackets SHOULD correspond to those of a real packet or subpacket.

A generating implementation SHOULD choose code points deterministically, while ensuring that all PGP-GREASE code points are eventually used.

(TODO: how often should we add GREASE?)

A receiving implementation MUST gracefully ignore unknown code points when required to by [RFC9580], including PGP-GREASE code points. It MUST NOT treat PGP-GREASE code points any differently from other unknown code points; this includes detecting or indicating the presence of PGP-GREASE code points.

PGP-GREASE codepoints MAY be used in either certificates or messages.

Since existing legacy implementations have not consistently followed the requirement to ignore unknown code points, a generating implementation is RECOMMENDED to introduce PGP-GREASE code points gradually, over several release cycles. This should ensure that legacy receiving implementations are not overwhelmed by errors in a short period of time.

4.1. Certificates

An implementation MAY use PGP-GREASE codepoints in the following certificate contexts:

  • Dummy algorithm IDs in algorithm-preference signature subpackets (subpacket types 11, 21, 22, and 39).

  • Signature subpacket IDs of dummy signature subpackets, in either the hashed or unhashed area.

  • User attribute subpacket types, versions and encoding formats of dummy user attribute subpackets.

  • Packet versions and algorithm IDs in dummy subkey packets.

  • Signature and hash algorithm IDs and signature version numbers in dummy third-party certification signatures.

  • Hash algorithm IDs in dummy self-signatures.

  • Packet and signature types in dummy packets.

A generating implementation MAY also generate dummy primary keys with PGP-GREASE version numbers or algorithm IDs.

4.2. Messages

An implementation MAY use PGP-GREASE codepoints in the following message contexts:

  • Signature subpacket IDs of dummy signature subpackets in the hashed or unhashed signature subpacket area.

  • Signature and hash algorithm IDs and signature version numbers in dummy document signature packets and their corresponding OPS packets.

  • Packet and signature types in dummy packets.

Note that when an OPS packet is present, any PGP-GREASE code points it contains MUST be duplicated in the corresponding signature packet.

5. Security Considerations

Legacy implementations that do not properly ignore unknown code points will experience failures; this is intentional. None of these failures should have security consequences in themselves, unless other coding errors are present in the legacy implementation. While this should result in increased security in the long term, exposing such bugs may cause problems in the short term.

Generating implementations are therefore RECOMMENDED to be cautious in deploying PGP-GREASE initially. In particular, implementations SHOULD NOT generate PGP-GREASE code points in production unless they have been tested first in a controlled environment such as the Interoperability Test Suite [INTEROP].

6. IANA Considerations

IANA is requested to allocate the code points listed in Table 1 in each of the registries listed in Table 2, with the note "Reserved (PGP-GREASE)" and a reference pointing to this document.

IANA is also requested to allocate code points 44 and 55 in the "OpenPGP Packet Types" registry, with the note "Reserved (PGP-GREASE)" and a reference pointing to this document.

7. References

7.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC9580]
Wouters, P., Ed., Huigens, D., Winter, J., and Y. Niibe, "OpenPGP", RFC 9580, DOI 10.17487/RFC9580, , <https://www.rfc-editor.org/rfc/rfc9580>.

7.2. Informative References

[INTEROP]
"OpenPGP Interoperability Test Suite", n.d., <https://tests.sequoia-pgp.org/>.
[RFC8701]
Benjamin, D., "Applying Generate Random Extensions And Sustain Extensibility (GREASE) to TLS Extensibility", RFC 8701, DOI 10.17487/RFC8701, , <https://www.rfc-editor.org/rfc/rfc8701>.

Appendix A. Acknowledgments

The author would like to thank Daniel Huigens for inspiring this work.

Author's Address

Andrew Gallagher (editor)
PGPKeys.EU