Re: [openpgp] [FORGED] RE: Fingerprint schemes versus what to fingerprint

"Derek Atkins" <derek@ihtfp.com> Mon, 11 April 2016 19:31 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3860312DE3F for <openpgp@ietfa.amsl.com>; Mon, 11 Apr 2016 12:31:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfQh0PCcMaqb for <openpgp@ietfa.amsl.com>; Mon, 11 Apr 2016 12:31:01 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B546A12D9FA for <openpgp@ietf.org>; Mon, 11 Apr 2016 12:31:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 8910CE2036; Mon, 11 Apr 2016 15:30:54 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 08318-05; Mon, 11 Apr 2016 15:30:46 -0400 (EDT)
Received: by mail2.ihtfp.org (Postfix, from userid 48) id 82458E203F; Mon, 11 Apr 2016 15:30:43 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1460403043; bh=m2HbVeEIvG86uLRMNgVBLyfbg3IfJZkV+NlLDZI+5xY=; h=In-Reply-To:References:Date:Subject:From:To:Cc; b=EUkKe37WiaFCSdlHbPE11/DsGTTO3LUztz0y3o+KCLIGEFXFMzFsiyqaTfNosd0oB nnFSxuCDDGH/7nsmjo5R/613+jplOkN7esAtDE7JJGe7NGVxK+JZ1JiJ8GntYD8P0S n5gPjGRzKWzTHhmVEYojkZPuRIuNSzKZ/TFf3TCs=
Received: from 24.54.172.229 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Mon, 11 Apr 2016 15:30:43 -0400
Message-ID: <1025d76f337d2f2fe8a11d7626b11158.squirrel@mail2.ihtfp.org>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4C57DA7@uxcn10-5.UoA.auckland.ac.nz>
References: <43986BDA-010F-4DBF-8989-53E71B74E66A@gmail.com> <20151110021943.GH3896@vauxhall.crustytoothpaste.net> <72665D15-F685-41F6-A477-8E65DBBC5A04@gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C42AC4@uxcn10-5.UoA.auckland.ac.nz>, <sjm1t6c40uy.fsf@securerf.ihtfp.org> <9A043F3CF02CD34C8E74AC1594475C73F4C56BF1@uxcn10-5.UoA.auckland.ac.nz>, <9652a57c1e22f4ac3d417aebca44851c.squirrel@mail2.ihtfp.org> <9A043F3CF02CD34C8E74AC1594475C73F4C57DA7@uxcn10-5.UoA.auckland.ac.nz>
Date: Mon, 11 Apr 2016 15:30:43 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/8HWn3P99tGHcRsyCt-mfRj9GgNU>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, Derek Atkins <derek@ihtfp.com>, Bryan Ford <brynosaurus@gmail.com>
Subject: Re: [openpgp] [FORGED] RE: Fingerprint schemes versus what to fingerprint
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2016 19:31:03 -0000

Paul,

On Mon, April 11, 2016 3:21 pm, Peter Gutmann wrote:
> Derek Atkins <derek@ihtfp.com> writes:
>
>>Are you expecting this would work in a vacuum?  I.e., would you expect
>> that
>>you can take your OpenPGP smart card to a fresh system on which you've
>> never
>>used OpenPGP ever and be able to plug in that smart card and have it be
>> able
>>to sign a document?
>
> I'm not sure what OpenPGP cards have to do with this, since I'm talking
> about
> PKCS #11.  I can use a PKCS #11 device with X.509, with S/MIME, with TLS,
> with
> SSH, with IKE, and quite probably with a number of other, lesser-known
> Internet security protocols.  The one significant one I can't use it with
> is
> PGP.

Sorry, by "OpenPGP Card" I mean "a smart card to use with OpenPGP".

You can absolutely use PKCS#11 with PGP; there are plenty of instances
today where that is the case.  You just need an implementation where the
secring.skr file contains the reference handle to your smartcard key
materials.

More specifically:  when you have your card generate your key material,
you pull off the public key and then generate your public key, compute
your fingerprint data (including OpenPGP metadata), and also create
secring data
 that contains whatever PKCS#11 reference data you need to re-access that
key.  Later when you use that card/key you know how to reference it.

So what exactly is the issue?

>>Is this a real use case?
>
> Yes, see above.
>
>>It depends.  If I've got an X509 cert I can convert that to an OpenPGP
>> cert,
>>and all the appropriate metadata is there.
>
> You still can't use it with PKCS #11.

Sure you can.

>
> Peter.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant