Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]

Peter Pentchev <roam@ringlet.net> Fri, 14 March 2014 14:25 UTC

Date: Fri, 14 Mar 2014 16:24:47 +0200
From: Peter Pentchev <roam@ringlet.net>
To: Vincent Yu <v@v-yu.com>
Message-ID: <20140314142447.GA6744@straylight.m.ringlet.net>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <23C2DE82-93B7-48A6-95A6-14B4F5DD1F42@callas.org> <3e9143bf60d2252a67149eb4b984bcdb@smtp.hushmail.com> <532268E5.8090001@fifthhorseman.net> <1e053aff143a868d303cb483949bcd31@smtp.hushmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ"
Content-Disposition: inline
In-Reply-To: <1e053aff143a868d303cb483949bcd31@smtp.hushmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/6IyYs5KAEYfnLA6osdf4NxWp8YU
Cc: openpgp@ietf.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]

On Thu, Mar 13, 2014 at 10:39:31PM -0400, Vincent Yu wrote:
> On 03/13/2014 10:26 PM, Daniel Kahn Gillmor wrote:
> >the OpenPGP fingerprint revision discussions have not yet terminated in
> >a clear conclusion -- the last stage we reached was "wait until
> >SHA-3 has settled down and then reconsider".
> >
> >You should *not* use keyIDs as distinct identifiers in the subpacket
> >body of the ring signature design; the use of keyIDs in the traditional
> >issuer subpacket is a mistake that i hope we don't propagate if/when
> >OpenPGPv5 ever gets standardized.
> >
> >Your I-D should have the subpacket body built from either OpenPGPv4
> >fingerprints, or full public key packets.  the search space for key IDs
> >is too small to distinguish "bad signature" from "i don't have the
> >appropriate key" with sufficient confidence, which causes all sorts of
> >nasty UI edge cases.
> 
> Thanks for the info. I will likely follow your suggestion and modify
> my proposal to use V4 fingerprints rather than key IDs.

Hm, how exactly would this deal with the existence of multiple signing
subkeys, all associated with the same master public key?  Your current
proposal explicitly allows for that, using the key IDs; I guess there
might be a need to include *both* the fingerprint of the master key
*and* some kind of identification of the subkey actually used for
signing.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net roam@FreeBSD.org p.penchev@storpool.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am jealous of the first word in this sentence.
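To make concrete what the thread is comparing, here is how an OpenPGP V4 fingerprint is derived from a public key packet and how a key ID is just its low 64 bits, plus one way to name both the master key and the signing subkey as Peter's reply asks about. This is an added example, not code from the thread or from any of the participants; the RSA moduli, creation time and the choice of the subkey fingerprint as the subkey identifier are constructed assumptions.

```python
# Added example (not from the thread): how an OpenPGP v4 fingerprint and the
# derived key ID are computed (RFC 4880 sections 5.5.2 and 12.2), and why a
# signing subkey needs its own identifier next to the master key's fingerprint.
# The RSA moduli below are small constructed numbers, not real keys.
import hashlib
import struct

RSA_ALGO = 1  # RFC 4880 section 9.1: RSA (Encrypt or Sign)


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(creation_time: int, algo: int, mpis: list) -> bytes:
    """Body of a v4 public key (or public subkey) packet: version, time, algorithm, MPIs."""
    return b"\x04" + struct.pack(">I", creation_time) + bytes([algo]) + b"".join(mpi(n) for n in mpis)


def v4_fingerprint(body: bytes) -> bytes:
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes) -> bytes:
    """v4 key ID: the low-order 64 bits of the fingerprint (8 of its 20 bytes)."""
    return fingerprint[-8:]


def signer_identity(master_body: bytes, subkey_body: bytes) -> dict:
    """Name a signature's origin by both the master fingerprint and the signing
    subkey's fingerprint (one possible subkey identifier, assumed here), not by a key ID."""
    return {
        "master_fingerprint": v4_fingerprint(master_body).hex().upper(),
        "signing_subkey_fingerprint": v4_fingerprint(subkey_body).hex().upper(),
    }


# Constructed sample: one master key and one signing subkey sharing a creation time.
MASTER_BODY = v4_public_key_body(1394806287, RSA_ALGO, [0xC5A1B3D7F1E2D3C4B5A69788, 0x10001])
SUBKEY_BODY = v4_public_key_body(1394806287, RSA_ALGO, [0xD9E8F7A6B5C4D3E2F1A0B9C8, 0x10001])

if __name__ == "__main__":
    ident = signer_identity(MASTER_BODY, SUBKEY_BODY)
    print("master fingerprint:", ident["master_fingerprint"])
    print("subkey fingerprint:", ident["signing_subkey_fingerprint"])
    print("subkey key ID     :", key_id(v4_fingerprint(SUBKEY_BODY)).hex().upper())
```

The subkey's fingerprint is a different 160-bit value from the master key's even though both belong to the same certificate, which is why a master fingerprint alone cannot say which subkey signed.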