Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]

[Peter Pentchev <roam@ringlet.net>]

On Thu, Mar 13, 2014 at 10:39:31PM -0400, Vincent Yu wrote:
> On 03/13/2014 10:26 PM, Daniel Kahn Gillmor wrote:
> >the OpenPGP fingerprint revision discussions have not yet terminated in
> >a clear conclusion -- the last stage we reached was was "wait until
> >SHA-3 has settled down and then reconsider".
> >
> >You should *not* use keyIDs as distinct identifiers in the subpacket
> >body of the ring signature design; the use of keyIDs in the traditional
> >issuer subpacket is a mistake that i hope we don't propagate if/when
> >OpenPGPv5 ever gets standardized.
> >
> >Your I-D should have the subpacket body built from either OpenPGPv4
> >fingerprints, or full public key packets.  the search space for key IDs
> >is too small to distinguish "bad signature" from "i don't have the
> >appropriate key" with sufficient confidence, which causes all sorts of
> >nasty UI edge cases.
> 
> Thanks for the info. I will likely follow your suggestion and modify
> my proposal to use V4 fingerprints rather than key IDs.

Hm, how exactly would this deal with the existence of multiple signing
subkeys, all associated with the same master public key?  Your current
proposal explicitly allows for that, using the key IDs; I guess there
might be a need to include *both* the fingerprint of the master key
*and* some kind of identification of the subkey actually used for
signing.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net roam@FreeBSD.org p.penchev@storpool.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am jealous of the first word in this sentence.