IETF-SSH archive


semantics of pgp-sign-rsa and pgp-sign-dss with subkeys



When using the pgp-sign-rsa and pgp-sign-dss methods as specified in
draft-ietf-secsh-transport-15, it seems pretty obvious whether to use
pgp-sign-rsa or pgp-sign-dss if you're using the primary public key to
make the signature that verifies that the host knows the private key.

However, GPG also supports using subkeys to make signatures, and GPG
doesn't require that the subkey be of the same type as the primary
key.  (Whether the commercial PGP also has this property, I'm not sure.)

It seems that one possible interpretation of the current internet
draft is that if you have a primary public key of one type, and a
subkey of another type, that whether you use pgp-sign-rsa or
pgp-sign-dss is determined entirely by the type of the subkey.  The
argument here would be that the primary public key is just a part of
the certificate which certifies the signing key that ssh is using.

But I think the crucial question is whether the key type exists to
provide compatibility information, or to provide information about
what exactly the signature actually is, or both.  ssh-rsa and ssh-dss
need to be distinct types, because an ssh-rsa or ssh-dss signature
doesn't embed information about its key type.  On the other hand, all
OpenPGP format signatures do embed information about the key type, so
an implementation which supported both RSA and DSS OpenPGP keys would
be able to do the right thing even if the ssh standard had been
defined as having only a pgp-sign type which was used for both key
types.

For the purpose of indicating compatibility, there are really three
distinct possibilities: someone might in theory be using an early
version of GPG, which would only support DSS (in practice, I'm not sure
this is likely, since to my knowledge, GPG supported RSA as well long
before anyone wrote GPG support in any SSH implementation); there may
be older versions of PGP which only support RSA which could be used
with SSH; and there are modern implementations which support both.

I do think I want to see ssh allow a subkey of a type which is
different than the type of the primary signing key.  The web of trust
among people in the world I happen to live in is sufficiently mixed
that I can't imagine an OpenPGP implementation actually being useful
unless it supported both.  On the other hand, I can imagine that some
people might live in a world where only one key type needs to work,
and letting them express that sort of compatibility in the ssh
protocol is reasonable.

So I think I would like to see some new types added.  A first attempt
at defining them would be to keep:

   The "pgp-sign-rsa" method indicates the certificates, the public key,
   and the signature are in OpenPGP compatible binary format
   ([RFC2440]).  This method indicates that the key is an RSA-key.

   The "pgp-sign-dss".  As above, but indicates that the key is a DSS-
   key.

and then add:

   The "pgp-sign-rsa-dss".  As above, but indicates that the key is a DSS-
   subkey of an RSA key.

   The "pgp-sign-dss-rsa".  As above, but indicates that the key is an RSA-
   subkey of a DSS-key.

(It is also probably tangentially relevant to point out that I've
written code to make openssh use GPG host keys; one version of the
code, which certainly does not get subkeys right, and may well have
other problems, is available at http://www.red-bean.com/~nemo/openssh-gpg/
I am continuing to work on improving the code.)
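
An added example, not part of the original message and not taken from the openssh-gpg code it mentions: a verifier can read the signing key's algorithm straight out of an OpenPGP signature packet (RFC 2440 packet headers, v3 and v4 signature layouts) and derive which of the proposed method names applies. The function names are hypothetical, the primary key's family is supplied by the caller, and mapping a same-family subkey to the existing two-part name is an assumption.

```python
# OpenPGP public-key algorithm IDs (RFC 2440, section 9.1) grouped by family.
ALGO_FAMILY = {1: "rsa", 2: "rsa", 3: "rsa", 17: "dss"}

def read_packet(data):
    """Return (tag, body) of the first OpenPGP packet in data."""
    first = data[0] if len(data) > 1 else 0
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                          # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            length, start = o1, 2
        elif o1 < 224 and len(data) > 2:
            length, start = ((o1 - 192) << 8) + data[2] + 192, 3
        elif o1 == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial or truncated length")
    else:                                     # old-format header
        tag, size = (first >> 2) & 0x0F, 1 << (first & 0x03)
        if size == 8:
            raise ValueError("indeterminate length not handled")
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def signing_key_family(sig_packet):
    """Key family named inside a signature packet (tag 2)."""
    tag, body = read_packet(sig_packet)
    # Algorithm octet: v3 after version, 0x05, type, time(4), key id(8);
    # v4 after version and type.
    offset = {3: 15, 4: 2}.get(body[0]) if tag == 2 and body else None
    if offset is None or len(body) <= offset:
        raise ValueError("not a supported, complete signature packet")
    family = ALGO_FAMILY.get(body[offset])
    if family is None:
        raise ValueError("algorithm is neither RSA nor DSS")
    return family

def method_name(primary_family, sig_packet):
    """Method name under the naming proposed in the message above."""
    signing = signing_key_family(sig_packet)
    suffix = "" if signing == primary_family else "-" + signing
    return "pgp-sign-" + primary_family + suffix

# Constructed samples: headers and leading fields only, no real signature data.
V4_DSS_SIG = bytes([0x88, 10, 4, 0x00, 17, 2]) + bytes(6)
V3_RSA_SIG = bytes([0xC2, 19, 3, 5, 0x00]) + bytes(12) + bytes([1, 2, 0, 0])
```

A receiver that compares the derived name with the negotiated one can reject a signature whose embedded algorithm does not match what the method name promised.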




