Re: Line spacing in normative references
Jon Callas <jon@callas.org> Sat, 01 October 2005 01:26 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELW8f-00084t-D2 for openpgp-archive@megatron.ietf.org; Fri, 30 Sep 2005 21:26:09 -0400
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA02652 for <openpgp-archive@lists.ietf.org>; Fri, 30 Sep 2005 21:26:07 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j910n9WV029477; Fri, 30 Sep 2005 17:49:09 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j910n9SG029476; Fri, 30 Sep 2005 17:49:09 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j910n9l3029469 for <ietf-openpgp@imc.org>; Fri, 30 Sep 2005 17:49:09 -0700 (PDT) (envelope-from jon@callas.org)
Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Fri, 30 Sep 2005 17:49:07 -0700
Received: from [63.251.255.205] ([63.251.255.205]) by keys.merrymeet.com (PGP Universal service); Fri, 30 Sep 2005 17:49:07 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 30 Sep 2005 17:49:07 -0700
In-Reply-To: <20050920173939.33F0957EF5@finney.org>
References: <20050920173939.33F0957EF5@finney.org>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <83B08249-1403-49A2-8218-2B860243982C@callas.org>
Cc: ietf-openpgp@imc.org
Content-Transfer-Encoding: 7bit
From: Jon Callas <jon@callas.org>
Subject: Re: Line spacing in normative references
Date: Fri, 30 Sep 2005 17:49:06 -0700
To: Hal Finney <hal@finney.org>
X-Mailer: Apple Mail (2.734)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit
On 20 Sep 2005, at 10:39 AM, Hal Finney wrote: > > A minor point, I notice that the spacing is inconsistent in the > normative > references. Some are separated by blank lines and some are not. It > would > look nicer to be consistent here. I don't know if some macro is > misfiring > or if we could clean it up and make it look better. Cleaned up. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j910n9WV029477; Fri, 30 Sep 2005 17:49:09 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j910n9SG029476; Fri, 30 Sep 2005 17:49:09 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j910n9l3029469 for <ietf-openpgp@imc.org>; Fri, 30 Sep 2005 17:49:09 -0700 (PDT) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Fri, 30 Sep 2005 17:49:07 -0700 Received: from [63.251.255.205] ([63.251.255.205]) by keys.merrymeet.com (PGP Universal service); Fri, 30 Sep 2005 17:49:07 -0700 X-PGP-Universal: processed; by keys.merrymeet.com on Fri, 30 Sep 2005 17:49:07 -0700 In-Reply-To: <20050920173939.33F0957EF5@finney.org> References: <20050920173939.33F0957EF5@finney.org> Mime-Version: 1.0 (Apple Message framework v734) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <83B08249-1403-49A2-8218-2B860243982C@callas.org> Cc: ietf-openpgp@imc.org Content-Transfer-Encoding: 7bit From: Jon Callas <jon@callas.org> Subject: Re: Line spacing in normative references Date: Fri, 30 Sep 2005 17:49:06 -0700 To: Hal Finney <hal@finney.org> X-Mailer: Apple Mail (2.734) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 20 Sep 2005, at 10:39 AM, Hal Finney wrote: > > A minor point, I notice that the spacing is inconsistent in the > normative > references. Some are separated by blank lines and some are not. It > would > look nicer to be consistent here. I don't know if some macro is > misfiring > or if we could clean it up and make it look better. Cleaned up. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8O7VWpH050071; Sat, 24 Sep 2005 00:31:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8O7VWW8050070; Sat, 24 Sep 2005 00:31:32 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpb.itss.auckland.ac.nz (chico.itss.auckland.ac.nz [130.216.190.12]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8O7VUA7050061 for <ietf-openpgp@imc.org>; Sat, 24 Sep 2005 00:31:31 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtpb.itss.auckland.ac.nz (Postfix) with ESMTP id 404C13439D; Sat, 24 Sep 2005 19:31:25 +1200 (NZST) Received: from smtpb.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpb.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23538-22; Sat, 24 Sep 2005 19:31:25 +1200 (NZST) Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by smtpb.itss.auckland.ac.nz (Postfix) with ESMTP id 05AE633F45; Sat, 24 Sep 2005 19:31:24 +1200 (NZST) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 473D23775D; Sat, 24 Sep 2005 19:31:24 +1200 (NZST) Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1EJ4VO-0002AP-00; Sat, 24 Sep 2005 19:31:30 +1200 From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-openpgp@imc.org, nagydani@epointsystem.org Subject: Re: Plausible deniability (a feature to think about) In-Reply-To: <20050922135632.GA1725@epointsystem.org> Message-Id: <E1EJ4VO-0002AP-00@medusa01.cs.auckland.ac.nz> Date: Sat, 24 Sep 2005 19:31:30 +1200 X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> nagydani@epointsystem.org (Daniel A. Nagy) writes: >On Thu, Sep 22, 2005 at 05:43:57PM +1200, Peter Gutmann wrote: >> X9.42 was only added to S/MIME for political reasons. AFAIK only one >> implementation ever supported it, and that was the USG-funded reference >> implementation that was required to support it. In addition, MS supported a >> read-only implementation just so they couldn't be accused of not supporting >> it. > >>What political reasons? For a brief period during the S/MIME development, RSA was still owned by RSADSI while DH wasn't. From "The Crypto Gardening Guide and Planting Tips", http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt: An Internet standard RFC required that implementors support X9.42 DH key agreement, and provided RSA as an option (in IETF terms, "MUST X9.42, MAY RSA"). However, no existing software supported X9.42, no CAs would issue certificates for it, even if they did no-one wanted to renew all of their certificates ($$$) for an algorithm that provided no advantages over RSA, and no hardware (either crypto accelerators or smart cards) supported it (there was some token support after a few years, although even now there are problems being found with the X9.42 test vectors which indicate that no-one has really looked at them). As a result, even though the standard mandated use of X9.42, everyone treated it as if it said "MUST RSA, SHOULD NOT X9.42", pretending to do X9.42 while running business as usual with RSA. >And why is there a reserved ID in OpenPGP? OpenPGP has reserved IDs for all sorts of weird and wonderful stuff. I guess X9.42 is no exception. Peter. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8NBkuxQ047188; Fri, 23 Sep 2005 04:46:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8NBkuLM047187; Fri, 23 Sep 2005 04:46:56 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [63.240.76.28]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8NBktMJ047168 for <ietf-openpgp@imc.org>; Fri, 23 Sep 2005 04:46:55 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (sccrmhc13) with ESMTP id <2005092311464901300a7f0be>; Fri, 23 Sep 2005 11:46:50 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8NBkn0m029565; Fri, 23 Sep 2005 07:46:49 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8NBknFG003008; Fri, 23 Sep 2005 07:46:49 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8NBkhNp003007; Fri, 23 Sep 2005 07:46:43 -0400 Date: Fri, 23 Sep 2005 07:46:43 -0400 From: David Shaw <dshaw@jabberwocky.com> To: Ben Laurie <ben@algroup.co.uk> Cc: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050923114643.GA861@jabberwocky.com> Mail-Followup-To: Ben Laurie <ben@algroup.co.uk>, ietf-openpgp@imc.org References: <20050921212613.09EAF57EF5@finney.org> <20050921215503.GA18343@jabberwocky.com> <4333DA7E.1000301@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4333DA7E.1000301@algroup.co.uk> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, Sep 23, 2005 at 11:35:42AM +0100, Ben Laurie wrote: > > David Shaw wrote: > >On Wed, Sep 21, 2005 at 02:26:13PM -0700, "Hal Finney" wrote: > > > > > >>>If you're importing a foreign key or generating one on the fly, you don't > >>>put subpackets into the key that cannot be determined next time you use > >>>the > >>>same source to get the key. A flag in a subpacket indicating where the > >>>key > >>>comes from might be useful, though. > >> > >>This is a good point, I'll have to think about it. I'm still not > >>sure that covering this material with key fingerprints and keyids is > >>the right thing to do. What would the security threats be from being > >>able to bring a key back to life with the same fingerprint and keyid, > >>but without any signatures on it being valid? > > > > > >My original idea with subpackets was that they would be part of the > >fingerprint, and changing a subpacket was akin to making a whole new > >key as the fingerprint and key ID (though not the key material) would > >change. I see some advantages of what you are discussing. It would > >(somewhat) allow someone to violate a hard expiration date on their > >key: make the key, get signatures, and then when the key expires, just > >remake the key. Essentially you can buy an extension on your "hard" > >expiration time at the cost of losing all of your signatures. > > > >The thing is, I can't really decide if that is a threat or a > >feature... > > You can already do this by signing the new version of the key with the > old version of the key - same keypair, so messages to either will work, > and signatures made by either key will still check - but different IDs > and signatures on the keys. Absolutely, but from the trust perspective (at least using the web of trust), this second key is one further "hop" away from the one that was signed. It becomes the same situation as if someone generated a brand new key without doing any trickery by keeping the same key material and just signed it with the old one; the fact that the key material is the same is interesting, but not really useful in practice since the (changed) key ID is used to locate it in a keyring when verifying a signature or handling a PKESK. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8NBG2PX043806; Fri, 23 Sep 2005 04:16:02 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8NBG25f043805; Fri, 23 Sep 2005 04:16:02 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8NBG1hF043793 for <ietf-openpgp@imc.org>; Fri, 23 Sep 2005 04:16:01 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 0BF8E5ADC4; Fri, 23 Sep 2005 12:15:59 +0100 (BST) Message-ID: <4333E413.4000308@systemics.com> Date: Fri, 23 Sep 2005 12:16:35 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050921) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Daniel A. Nagy" <nagydani@epointsystem.org> Cc: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) References: <20050921202208.GB18050@jabberwocky.com> <20050921210015.GA2316@epointsystem.org> <200509222100.01040@zaphod.konrad.silmor.de> <20050922191832.GB2481@epointsystem.org> <20050922193636.GE32759@jabberwocky.com> <20050922195710.GA24782@epointsystem.org> In-Reply-To: <20050922195710.GA24782@epointsystem.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel A. Nagy wrote: > I think that SHA1 for key identification and fingerprinting is still a > comfortable overkill. It would seem that most efforts in this direction are divisible into two classes - those with human interaction and those without. For the latter, it would seem reasonable to always use full strength - the full bits available for all computations. Overkill is not a problem for computers. For human interaction issues, it is clearly tricky in some cases that are hard to predict to use a full length identifier. So the notion could be that each usage of a hash presented to humans simply defines its own minimum portion of bits, but also can and will accept a longer or even full length hash without complaint. (In effect that is what is done but the minimums seem to be more hard coded and larger portions have no acceptibility.) From this pov, we should * use the best hash available (e.g. SHA512, excessively) * convert to the display form as late as possible in the code * make sure that the "short form" convention is understood by all inputs * and recognisable/parsable in its text form. (Something like a dotted notation: DEAD.BEEF would give us the 32 bits, DEAD.BEEF.C001.D00D would be 64 bits. These are relatively easy to parse, easier than the whitespace separated form.) iang PS: I'm not recommending SHA512 here, just conceptualising the software engineering principles involved. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8NAZfWK040042; Fri, 23 Sep 2005 03:35:41 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8NAZf7K040041; Fri, 23 Sep 2005 03:35:41 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8NAZen9040032 for <ietf-openpgp@imc.org>; Fri, 23 Sep 2005 03:35:41 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.219] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id BB69333C1D; Fri, 23 Sep 2005 11:35:39 +0100 (BST) Message-ID: <4333DA7E.1000301@algroup.co.uk> Date: Fri, 23 Sep 2005 11:35:42 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: David Shaw <dshaw@jabberwocky.com> CC: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format References: <20050921212613.09EAF57EF5@finney.org> <20050921215503.GA18343@jabberwocky.com> In-Reply-To: <20050921215503.GA18343@jabberwocky.com> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> David Shaw wrote: > On Wed, Sep 21, 2005 at 02:26:13PM -0700, "Hal Finney" wrote: > > >>>If you're importing a foreign key or generating one on the fly, you don't >>>put subpackets into the key that cannot be determined next time you use the >>>same source to get the key. A flag in a subpacket indicating where the key >>>comes from might be useful, though. >> >>This is a good point, I'll have to think about it. I'm still not >>sure that covering this material with key fingerprints and keyids is >>the right thing to do. What would the security threats be from being >>able to bring a key back to life with the same fingerprint and keyid, >>but without any signatures on it being valid? > > > My original idea with subpackets was that they would be part of the > fingerprint, and changing a subpacket was akin to making a whole new > key as the fingerprint and key ID (though not the key material) would > change. I see some advantages of what you are discussing. It would > (somewhat) allow someone to violate a hard expiration date on their > key: make the key, get signatures, and then when the key expires, just > remake the key. Essentially you can buy an extension on your "hard" > expiration time at the cost of losing all of your signatures. > > The thing is, I can't really decide if that is a threat or a > feature... You can already do this by signing the new version of the key with the old version of the key - same keypair, so messages to either will work, and signatures made by either key will still check - but different IDs and signatures on the keys. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJvHUl062903; Thu, 22 Sep 2005 12:57:17 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MJvH5U062902; Thu, 22 Sep 2005 12:57:17 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJvFNX062892 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 12:57:16 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 6D9752B47F0; Thu, 22 Sep 2005 21:57:13 +0200 (CEST) Date: Thu, 22 Sep 2005 21:57:13 +0200 To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Message-ID: <20050922195710.GA24782@epointsystem.org> References: <20050921202208.GB18050@jabberwocky.com> <20050921210015.GA2316@epointsystem.org> <200509222100.01040@zaphod.konrad.silmor.de> <20050922191832.GB2481@epointsystem.org> <20050922193636.GE32759@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050922193636.GE32759@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 03:36:36PM -0400, David Shaw wrote: > Well yes, but someone can generate a key with an arbitrary ID today. > Even forgetting the DEADBEEF games that are possible with v3 RSA keys, > there is a program out there that generates v4 DSA keys over and over > until the requested (short) key ID comes up. As I understand, that's precisely thre reason why long IDs are used as key pointers. It would take 4 million times longer to generate one of those. Still possible for a determined, well-funded adversary, but expensive. In case of v3 keys, it was trivial. In case of the proposed hash function choice, it will be still expensive, but substantially cheaper (even if nothing is broken) than with current v4 keys, and in a "brittle" way: a breaktrough in one case breaks the whole thing. I think that SHA1 for key identification and fingerprinting is still a comfortable overkill. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJaiba060894; Thu, 22 Sep 2005 12:36:44 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MJaii4060893; Thu, 22 Sep 2005 12:36:44 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from sccrmhc11.comcast.net (sccrmhc11.comcast.net [63.240.76.21]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJah6D060884 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 12:36:43 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (sccrmhc11) with ESMTP id <2005092219363801100pd5gre>; Thu, 22 Sep 2005 19:36:38 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8MJac0m026622 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 15:36:38 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8MJaapt000457 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 15:36:36 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8MJaate000456 for ietf-openpgp@imc.org; Thu, 22 Sep 2005 15:36:36 -0400 Date: Thu, 22 Sep 2005 15:36:36 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Message-ID: <20050922193636.GE32759@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050921202208.GB18050@jabberwocky.com> <20050921210015.GA2316@epointsystem.org> <200509222100.01040@zaphod.konrad.silmor.de> <20050922191832.GB2481@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050922191832.GB2481@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 09:18:36PM +0200, Daniel A. Nagy wrote: > > On Thu, Sep 22, 2005 at 09:00:00PM +0200, Konrad Rosenbaum wrote: > > > Let's say MDX is broken by some genius. > > Remember, that the key ID is the last 8 (or four) byes of the fingerprint. > If MDX is broken, one can generatet a key with an arbitrary ID. Well yes, but someone can generate a key with an arbitrary ID today. Even forgetting the DEADBEEF games that are possible with v3 RSA keys, there is a program out there that generates v4 DSA keys over and over until the requested (short) key ID comes up. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJIeao059223; Thu, 22 Sep 2005 12:18:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MJIeLY059222; Thu, 22 Sep 2005 12:18:40 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJIdJk059216 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 12:18:39 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 0B8988002; Thu, 22 Sep 2005 21:18:37 +0200 (CEST) Date: Thu, 22 Sep 2005 21:18:36 +0200 To: ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Message-ID: <20050922191832.GB2481@epointsystem.org> References: <20050921202208.GB18050@jabberwocky.com> <20050921210015.GA2316@epointsystem.org> <200509222100.01040@zaphod.konrad.silmor.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200509222100.01040@zaphod.konrad.silmor.de> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 09:00:00PM +0200, Konrad Rosenbaum wrote: > Let's say MDX is broken by some genius. Remember, that the key ID is the last 8 (or four) byes of the fingerprint. If MDX is broken, one can generatet a key with an arbitrary ID. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJ6xbf058370; Thu, 22 Sep 2005 12:06:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MJ6xHL058369; Thu, 22 Sep 2005 12:06:59 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc14.comcast.net [204.127.198.54]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJ6wY9058354 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 12:06:59 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc14) with ESMTP id <2005092219065001400oma58e>; Thu, 22 Sep 2005 19:06:50 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8MJ6o0m026505 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 15:06:50 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8MJ6mOG000415 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 15:06:48 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8MJ6mbH000414 for ietf-openpgp@imc.org; Thu, 22 Sep 2005 15:06:48 -0400 Date: Thu, 22 Sep 2005 15:06:48 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050922190648.GD32759@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050921212613.09EAF57EF5@finney.org> <200509222047.06402@zaphod.konrad.silmor.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200509222047.06402@zaphod.konrad.silmor.de> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 08:47:05PM +0200, Konrad Rosenbaum wrote: > On Wednesday 21 September 2005 23:26, Hal Finney wrote: > > This is a good point, I'll have to think about it. I'm still not > > sure that covering this material with key fingerprints and keyids is > > the right thing to do. What would the security threats be from being > > able to bring a key back to life with the same fingerprint and keyid, > > but without any signatures on it being valid? > > It becomes a threat once you get hold of the private key (through some > accident, a data leak, whatever) because then you can also issue new > self-signatures. > > I see two possibilities to limit the damage: > > a) changing the expiration also changes the fingerprint, so the key does no > longer match whatever users have in their keyring and would basically be a > new key. > > b) changing the expiration breaks ALL signatures (not only self-sig) on the > key. (Actually b must be implemented as well, when a is implemented.) If I understand what Hal was proposing, then b is already true. Self-sigs aren't treated any differently than any other certification signature. > On the other hand: expiration dates are a very weak measure against key > abuse (they only limit the damage), un-revocable revocation sigs seem much > more effective to me. True, but an unrevocable revocation signature can be stripped off the key, so it becomes a key distribution problem. Expiration dates are naturally carried along with the key. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJ0Z2e057707; Thu, 22 Sep 2005 12:00:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MJ0Zot057706; Thu, 22 Sep 2005 12:00:35 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from p15139323.pureserver.info (silmor.de [217.160.219.75]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MJ0Y0o057696 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 12:00:34 -0700 (PDT) (envelope-from konrad@silmor.de) Received: from p54b3db8c.dip.t-dialin.net ([84.179.219.140] helo=zaphod.local) by p15139323.pureserver.info with asmtp (Exim 3.35 #1 (Debian)) id 1EIWJ1-00074L-00 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 21:00:28 +0200 From: Konrad Rosenbaum <konrad@silmor.de> To: ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Date: Thu, 22 Sep 2005 21:00:00 +0200 User-Agent: KMail/1.8 References: <20050921202208.GB18050@jabberwocky.com> <20050921210015.GA2316@epointsystem.org> In-Reply-To: <20050921210015.GA2316@epointsystem.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1493410.qBePzIRu3u"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200509222100.01040@zaphod.konrad.silmor.de> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --nextPart1493410.qBePzIRu3u Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 21 September 2005 23:00, Daniel A. Nagy wrote: > As before, I would like to express my concerns about allowing a choice of > hash algorithms. Here's some detail: > > A complete break (feasible reversal) of ANY ONE of the supported hash > algorithms would allow generating keys with arbitrary long key IDs, > possibly colliding with an attacked key. This was a major problem with v3 > and v4 was a giant step in the right direction. This would be a small > step backwards. I don't see how this attack would work. Let's say MDX is broken by some genius. =46irst the trivial case:=20 Alices Key A uses MDX as its fingerprint algorithm. The fingerprint looks=20 like: 99:AB 12 34 56 78 90 CD EF... Mallory can now generate an arbitrary key M, that has the same algorithm an= d=20 fingerprint. Now the less trivial: Bobs key B uses MDY (which was not broken). Fingerprint: A0:12 34 56 78... Mallory could attempt to create a key M2 which has the same hash value usin= g=20 MDY as Bobs key using MDX, but the fingerprint would still be different:=20 99:12 34 56 78... I don't see any way for Mallory to compromise Bobs key without changing the= =20 first byte of the fingerprint. So allowing different algorithms AND=20 including their ID in the fingerprint would in my opinion be a good measure= =20 to limit the damage (only Alices key becomes ambiguous, not Bobs) in case=20 of a broken algorithm. Konrad --nextPart1493410.qBePzIRu3u Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQBDMv8xClt766LaIH0RAtNrAJ9DelOcMBWZ87cEhujc9XaCRHvvBgCeMjzN KN5LMmvOmftInwgjeYdvX1w= =GOMT -----END PGP SIGNATURE----- --nextPart1493410.qBePzIRu3u-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MIleVS056698; Thu, 22 Sep 2005 11:47:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MIlewf056697; Thu, 22 Sep 2005 11:47:40 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from p15139323.pureserver.info (silmor.de [217.160.219.75]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MIldUr056686 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 11:47:39 -0700 (PDT) (envelope-from konrad@silmor.de) Received: from p54b3db8c.dip.t-dialin.net ([84.179.219.140] helo=zaphod.local) by p15139323.pureserver.info with asmtp (Exim 3.35 #1 (Debian)) id 1EIW6X-00071y-00 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 20:47:33 +0200 From: Konrad Rosenbaum <konrad@silmor.de> To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Date: Thu, 22 Sep 2005 20:47:05 +0200 User-Agent: KMail/1.8 References: <20050921212613.09EAF57EF5@finney.org> In-Reply-To: <20050921212613.09EAF57EF5@finney.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1822501.mXWWIfq2zu"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200509222047.06402@zaphod.konrad.silmor.de> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --nextPart1822501.mXWWIfq2zu Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 21 September 2005 23:26, Hal Finney wrote: > This is a good point, I'll have to think about it. I'm still not > sure that covering this material with key fingerprints and keyids is > the right thing to do. What would the security threats be from being > able to bring a key back to life with the same fingerprint and keyid, > but without any signatures on it being valid? It becomes a threat once you get hold of the private key (through some=20 accident, a data leak, whatever) because then you can also issue new=20 self-signatures. I see two possibilities to limit the damage:=20 a) changing the expiration also changes the fingerprint, so the key does no= =20 longer match whatever users have in their keyring and would basically be a= =20 new key.=20 b) changing the expiration breaks ALL signatures (not only self-sig) on the= =20 key. (Actually b must be implemented as well, when a is implemented.) On the other hand: expiration dates are a very weak measure against key=20 abuse (they only limit the damage), un-revocable revocation sigs seem much= =20 more effective to me. Konrad --nextPart1822501.mXWWIfq2zu Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQBDMvwqClt766LaIH0RAg81AJ9YD2xQyzzH7YrH/TXO2wXkT2YEpACdHB1l CDGgQtLGiD/7m2hOcJbLfsw= =gVOb -----END PGP SIGNATURE----- --nextPart1822501.mXWWIfq2zu-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MIKarM054593; Thu, 22 Sep 2005 11:20:36 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MIKa2o054592; Thu, 22 Sep 2005 11:20:36 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MIKZDP054582 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 11:20:35 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 29BE92B47CD; Thu, 22 Sep 2005 20:20:31 +0200 (CEST) Date: Thu, 22 Sep 2005 20:20:29 +0200 To: ietf-openpgp@imc.org Subject: Re: Plausible deniability (a feature to think about) Message-ID: <20050922182025.GA2481@epointsystem.org> References: <20050922165108.EABD057EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050922165108.EABD057EF5@finney.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 09:51:08AM -0700, "Hal Finney" wrote: > These kinds of stories are often used to motivate cryptographic > constructions, but the real world generally doesn't work that way. > An infiltrator does not need cryptographic proof of his information > about who is in the conspiracy! After all, he doesn't have any such > proof in the physical world, yet infiltrators, informants and spies have > long been used as valuable sources of information. I don't fully agree. Obviously, I wrote the story about the conspiracy and the infiltrator with tongue firmly embedded in cheek. That's a long-standing tradition in the crypto community and I certainly enjoy it. But nevertheless, in many cases the presented scenario is precisely what happens, just there's a lot less pathos surrounding it: The overwhelming majority of "goverment agents" "infiltrating" "conspiracies" are not politically motivated counter-intetlligence operations but tax audits. A tax auditor pretends to be a customer and buys someting. He sure as hell needs a rock-solid third-party proof to crack down on you if you fail to report that income. Now, what is taxed and what is not (by law!) depends on what is easy to tax and what is hard to tax. If something is easy to tax, laws are passed and it gets taxed. If something is hard to tax, if it's necessary for the functioning of the society, it is not taxed, if it's not necessary, then it's outlawed. Right now, e-commerce falls into the hard-to-tax-but-necessary category, but the arms race is on. I'd certainly like it to stay the way it is. While commerce is the single biggest user of crypto, there are other uses, which we cannot even imagine. I don't have any reason to doubt that the activist who wrote me about the missing feature in PGP could really use it. Since ePointSystem is first and foremost a financial cryptography consultancy, the first application on my mind was deniable invoicing. It's a fair choice: either you use undeniable invoices, pay your taxes and resolve your disputes in court relying on government enforcement, or you use deniable invoices, don't pay taxes, and rely solely on reputational self-regulation. I am pretty sure that most e-commerce will get taxed like everything else, as soon as governments sort out their jurisdictional problems. Having working deniable invoices would be a powerful argument in the ensuing debate over taxation policies. > I admit to a fondness for fancy crypto and it would be fun to see some > form of deniable authentication in OpenPGP, but realistically it is not > going to meet our customers' needs. How do you know? In my experience, predicting what people will use your product for is one of the most difficult tasks an engineer or a scientist faces. People are amazingly inventive. > If we do want to pursue it, there > are a number of technologies, like the DH shared keys you describe, > the signed ESK packets Vedaal mentioned, or ring signatures and other > variants of Chaum's designated-confirmer signatures. All of which have slightly different characteristics and are therefore optimal solutions for slightly different problems. In all cases, however, interoperability is a major boon, and thus it's ITEF's business to provide for it, isn't it? DH shared keys and signed ESK packets are both very easy to incorporate into the OpenPGP framework, and if we do it early on, we can hope that different implementations will interoperate right away. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MGpFq9042952; Thu, 22 Sep 2005 09:51:15 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MGpFgc042951; Thu, 22 Sep 2005 09:51:15 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MGpE7e042945 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 09:51:14 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id EABD057EF5; Thu, 22 Sep 2005 09:51:08 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Plausible deniability (a feature to think about) Message-Id: <20050922165108.EABD057EF5@finney.org> Date: Thu, 22 Sep 2005 09:51:08 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel Nagy writes: > Imagine, that a conspiracy expects to be infiltrated. They send encrypted > messages back and forth but they have a dilemma: to sign or not to sign? If > they do sign, the infiltrator will have damning evidence on his hands and > the bad guys will be able to crack down on the conspirators. If they don't > sign, the infiltrator will be able to forge messages and thus seriously > interfere with the activities of the group (e.g. call off action in the name > of the ringleader, etc.). These kinds of stories are often used to motivate cryptographic constructions, but the real world generally doesn't work that way. An infiltrator does not need cryptographic proof of his information about who is in the conspiracy! After all, he doesn't have any such proof in the physical world, yet infiltrators, informants and spies have long been used as valuable sources of information. I admit to a fondness for fancy crypto and it would be fun to see some form of deniable authentication in OpenPGP, but realistically it is not going to meet our customers' needs. If we do want to pursue it, there are a number of technologies, like the DH shared keys you describe, the signed ESK packets Vedaal mentioned, or ring signatures and other variants of Chaum's designated-confirmer signatures. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MFoeOM038030; Thu, 22 Sep 2005 08:50:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MFoerW038029; Thu, 22 Sep 2005 08:50:40 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MFod4m038017 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 08:50:39 -0700 (PDT) (envelope-from vedaal@hush.com) Received: from smtp3.hushmail.com (localhost.hushmail.com [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id BFFDDA3549 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 08:50:38 -0700 (PDT) Received: from mailserver3.hushmail.com (mailserver3.hushmail.com [65.39.178.20]) by smtp3.hushmail.com (Postfix) with ESMTP for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 08:50:38 -0700 (PDT) Received: (from nobody@localhost) by mailserver3.hushmail.com (8.12.11/8.12.9/Submit) id j8MFocVe057963 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 08:50:38 -0700 (PDT) (envelope-from vedaal@hush.com) Message-Id: <200509221550.j8MFocVe057963@mailserver3.hushmail.com> Date: Thu, 22 Sep 2005 08:50:34 -0700 To: <ietf-openpgp@imc.org> Cc: Subject: Re: Plausible deniability (a feature to think about) From: <vedaal@hush.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 22 Sep 2005 07:52:08 -0700 "Daniel A. Nagy" <nagydani@epointsystem.org> wrote: >Simply? How exactly do you suggest to share a common key so that >the parties >can be reassured that it's their shared secret? >> many variations of this are possible; >> >> new signing subkeys, set to expire within hours of the message >> time, > >Again, how do you share them? the sender generates the new keypair, and sends it signed and encrypted, to the receiver it is neither more nor less trustworthy than the primary keys of the sender and receiver, which could also conceivably be given to other parties, >> split key systems with shares set to one, and split to only the >> receiver and sender keys, etc. > >I haven't seen split key implementations either in OpenPGP >compliant tools, >though I know they are mentioned in RFC2440. pgp has had them implemented since 6.x a new type of pgp signature to deal with this issue was proposed by Ian Brown and Adam Back, http://www.cs.ucl.ac.uk/staff/I.Brown/nts.htm where the session key is signed, not the plaintext (don't know if people want to explore this now, or wait until after the rfc 2440 is finalized, and save it for a further update, i would welcome this useful type of signature, as i imagine many users would ) vedaal >-- >Daniel Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MEqA5n032587; Thu, 22 Sep 2005 07:52:10 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MEqAkh032586; Thu, 22 Sep 2005 07:52:10 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MEq8pf032580 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 07:52:09 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 4696C2B47DB; Thu, 22 Sep 2005 16:52:08 +0200 (CEST) Date: Thu, 22 Sep 2005 16:52:08 +0200 To: ietf-openpgp@imc.org Subject: Re: Plausible deniability (a feature to think about) Message-ID: <20050922145208.GB20419@epointsystem.org> References: <200509221421.j8MELgMq047103@mailserver3.hushmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200509221421.j8MELgMq047103@mailserver3.hushmail.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 07:21:39AM -0700, vedaal@hush.com wrote: > this can easily be accomplished now, > within the existing standard, and existing implementations: > > any two correspondents, > can simply make a third keypair, with a third name, > and each have the public and private signing and encrypting keys, Simply? How exactly do you suggest to share a common key so that the parties can be reassured that it's their shared secret? > anything signed with the third key, authenticates only to the > correspondents > where the receiver knows that the sender signed it, > but cannot be proved to any third party, > other than the fact that any possessor of the signing key, signed > it. Actually, once you share some secret, you don't need to use asymmetric crypto anymore. A message with MDC encrypted with a shared symmetric key has all the necessary reassurances. Sharing the secret is the tricky part. > many variations of this are possible; > > new signing subkeys, set to expire within hours of the message > time, Again, how do you share them? > split key systems with shares set to one, and split to only the > receiver and sender keys, etc. I haven't seen split key implementations either in OpenPGP compliant tools, though I know they are mentioned in RFC2440. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MEjLM1031758; Thu, 22 Sep 2005 07:45:21 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MEjLmh031757; Thu, 22 Sep 2005 07:45:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MEjJwB031726 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 07:45:20 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 11E172B47DB; Thu, 22 Sep 2005 16:45:19 +0200 (CEST) Date: Thu, 22 Sep 2005 16:45:19 +0200 To: ietf-openpgp@imc.org Subject: Re: Plausible deniability (a feature to think about) Message-ID: <20050922144518.GA20419@epointsystem.org> References: <20050922042955.GA30473@epointsystem.org> <200509220628.33636.brian@braverock.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200509220628.33636.brian@braverock.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 06:28:33AM -0500, Brian G. Peterson wrote: > We were most concerned with chain of evidence and verifiability, not plausible > deniability. Different people have different concerns, I suppose. > In the real world, most human rights organizations already have > extensive methods of verifying information that is provided to them, and > informers have elaborate methods of communicating that information, that only > rarely involves electronic communication, encrypted or otherwise, becasue of > the danger of interception. The "real world" keeps changing. If you can make something cheaper, more reliable, simpler, etc., why stop short of doing so? Also, I am not convinced that what you're stating is universally true. AFAIK, PGP has been quite popular with activists since its very first public releases. > In a country (like China) where much/most > private use of encryption is disallowed anyway, sending *any* encrypted > message is a risk that most human rights workers and informers will not take. The world is not black and white. "Countries like that" are not the only places where basic human rights are under assault, and not even necessarily by the government. There's a large number of considerably less-than-democratic governments that for one reason or another must maintain a democratic facade. And again, the government is not necessarily the threat you're caring about. > I don't think that OpenPGP needs a new shared-secret method of communication, > or that the spec needs another wrinkle for implementors to chew on. It would be obviously optional, and as outlined in the first email of the thread, not much of a trouble to design or implement. Bests, -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MELi6N029311; Thu, 22 Sep 2005 07:21:44 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MELia1029310; Thu, 22 Sep 2005 07:21:44 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MELhQg029304 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 07:21:43 -0700 (PDT) (envelope-from vedaal@hush.com) Received: from smtp3.hushmail.com (localhost.hushmail.com [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id 3E7F7A34DA for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 07:21:43 -0700 (PDT) Received: from mailserver3.hushmail.com (mailserver3.hushmail.com [65.39.178.20]) by smtp3.hushmail.com (Postfix) with ESMTP for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 07:21:42 -0700 (PDT) Received: (from nobody@localhost) by mailserver3.hushmail.com (8.12.11/8.12.9/Submit) id j8MELgMq047103 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 07:21:42 -0700 (PDT) (envelope-from vedaal@hush.com) Message-Id: <200509221421.j8MELgMq047103@mailserver3.hushmail.com> Date: Thu, 22 Sep 2005 07:21:39 -0700 To: <ietf-openpgp@imc.org> Cc: Subject: Re: Plausible deniability (a feature to think about) From: <vedaal@hush.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 21 Sep 2005 21:29:55 -0700 "Daniel A. Nagy" <nagydani@epointsystem.org> wrote: > Now, >the >receiving party can be sure that it was composed by the sender, >but has no >means of proving it to a third party. The sender can plausibly >deny >authorship, claiming that the receiver has forged it using his >private key >and the sender's public key. >Has anybody ever bothered implementing (or even designing an >implementation >of) this in an OpenPGP-friendly manner? this can easily be accomplished now, within the existing standard, and existing implementations: any two correspondents, can simply make a third keypair, with a third name, and each have the public and private signing and encrypting keys, anything signed with the third key, authenticates only to the correspondents where the receiver knows that the sender signed it, but cannot be proved to any third party, other than the fact that any possessor of the signing key, signed it. many variations of this are possible; new signing subkeys, set to expire within hours of the message time, split key systems with shares set to one, and split to only the receiver and sender keys, etc. vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MDudbO027449; Thu, 22 Sep 2005 06:56:39 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MDudoa027448; Thu, 22 Sep 2005 06:56:39 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MDuc7d027442 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 06:56:38 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 5F3252B47E4; Thu, 22 Sep 2005 15:56:34 +0200 (CEST) Date: Thu, 22 Sep 2005 15:56:34 +0200 To: ietf-openpgp@imc.org Subject: Re: Plausible deniability (a feature to think about) Message-ID: <20050922135632.GA1725@epointsystem.org> References: <20050922042955.GA30473@epointsystem.org> <E1EIJsD-0008KQ-00@medusa01.cs.auckland.ac.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <E1EIJsD-0008KQ-00@medusa01.cs.auckland.ac.nz> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 05:43:57PM +1200, Peter Gutmann wrote: > nagydani@epointsystem.org (Daniel A. Nagy) writes: > > >Now, there exists a cryptographic solution for this problem, moreover, > >RFC2440 even hints that it might be implemented in OpenPGP, though I have > >never seen it used: X9.42 Diffie-Hellman key agreement (see also RFC2630, > >RFC2631 and RFC2633). > > X9.42 was only added to S/MIME for political reasons. AFAIK only one > implementation ever supported it, and that was the USG-funded reference > implementation that was required to support it. In addition, MS supported a > read-only implementation just so they couldn't be accused of not supporting > it. What political reasons? And why is there a reserved ID in OpenPGP? > (I remember having a conversation with a rather baffled security application > developer who wanted to see X9.42 in an S/MIME toolkit and just couldn't > understand that although the spec had it as a MUST requirement, all the > implementors knew that you should ignore it). X9.42 may be flawed (is it?), but DH key agreement is one of the strongest primitives in asymmetric cryptography. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MDDDAQ023054; Thu, 22 Sep 2005 06:13:13 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MDDDsY023053; Thu, 22 Sep 2005 06:13:13 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MDDCxq023043 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 06:13:12 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 09DC45ACCC; Thu, 22 Sep 2005 14:13:07 +0100 (BST) Message-ID: <431093A0.90102@systemics.com> Date: Sat, 27 Aug 2005 17:24:00 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050726) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Daniel A. Nagy" <nagydani@epointsystem.org> Cc: ietf-openpgp@imc.org Subject: Re: Signature types References: <20050827075018.GA17967@epointsystem.org> <20050827135551.GA1832@jabberwocky.com> <20050827152645.GA20223@epointsystem.org> In-Reply-To: <20050827152645.GA20223@epointsystem.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel A. Nagy wrote: > It's actually RFC1991 that got me wondering: > > <40> - time stamping ("I saw this document") (*) > ... Type <40> is intended to > be a signature of a signature, as a notary seal on a signed document. > > Now, this is contradictory. If a signature does not have any cryptograpic > binding (except the indirect one through the other signature) to the > document, it cannot be used to assert the integrity thereof. > > Someone with the public key of the notary cannot verify this claim. Also, it > makes a lot of sense to certify documents that have not been signed. [snip] >> This signature is a signature over some other OpenPGP >> signature packet(s). It is analogous to a notary seal on the >> signed data. > > > Except that if it's a signature on the signature, then it cannot be > analogous to a notary seal on the signed data (see above). One of the difficulties that may be occuring here is that the word 'notary' has different meanings in civil and common law contexts. In the former, a notary is likely to be interested in the content of the signed data; whereas in the latter, the notary is normally only interested in the quality of the signature, and not the data. We had a long threat on this about a year ago, and I believe some changes were made disambiguate .. I think the context that the Draft uses the word notary is more towards the common law case of just the signature and not the data that is signed. iang Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MBSamN013342; Thu, 22 Sep 2005 04:28:36 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8MBSa4h013341; Thu, 22 Sep 2005 04:28:36 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from ethos.braverock.com (ethos.braverock.com [66.92.142.163] (may be forged)) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8MBSZ5S013334 for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 04:28:35 -0700 (PDT) (envelope-from brian@braverock.com) Received: from [10.23.2.104] (dsl017-021-008.chi1.dsl.speakeasy.net [69.17.21.8]) (authenticated bits=0) by ethos.braverock.com (8.13.3/8.13.1) with ESMTP id j8MBSYGf012553 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for <ietf-openpgp@imc.org>; Thu, 22 Sep 2005 06:28:34 -0500 From: "Brian G. Peterson" <brian@braverock.com> To: ietf-openpgp@imc.org Subject: Re: Plausible deniability (a feature to think about) Date: Thu, 22 Sep 2005 06:28:33 -0500 User-Agent: KMail/1.8.1 References: <20050922042955.GA30473@epointsystem.org> In-Reply-To: <20050922042955.GA30473@epointsystem.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200509220628.33636.brian@braverock.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wednesday 21 September 2005 11:29 pm, Daniel A. Nagy wrote: > I just got a message from a human rights activist, who pointed out a > shortcoming of PGP for -- for the lack of a better word -- paranoid > conspirators. > > Imagine, that a conspiracy expects to be infiltrated. They send encrypted > messages back and forth but they have a dilemma: to sign or not to sign? If > they do sign, the infiltrator will have damning evidence on his hands and > the bad guys will be able to crack down on the conspirators. If they don't > sign, the infiltrator will be able to forge messages and thus seriously > interfere with the activities of the group (e.g. call off action in the > name of the ringleader, etc.). <...> >The sender can plausibly deny authorship, claiming that the receiver has >forged it using his private key and the sender's public key. Interesting thought experiement. I led the development team of the solution used by the CryptoRights Foundation http://www.cryptorights.org/ our solution consisted of management tools, user interfaces, translations, and other niceties around a gnupg based engine. We were most concerned with chain of evidence and verifiability, not plausible deniability. In the real world, most human rights organizations already have extensive methods of verifying information that is provided to them, and informers have elaborate methods of communicating that information, that only rarely involves electronic communication, encrypted or otherwise, becasue of the danger of interception. In a country (like China) where much/most private use of encryption is disallowed anyway, sending *any* encrypted message is a risk that most human rights workers and informers will not take. I don't think that OpenPGP needs a new shared-secret method of communication, or that the spec needs another wrinkle for implementors to chew on. Regards, - Brian Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8M5i09e080861; Wed, 21 Sep 2005 22:44:00 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8M5i0bn080860; Wed, 21 Sep 2005 22:44:00 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpc.itss.auckland.ac.nz (harpo.itss.auckland.ac.nz [130.216.190.13]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8M5hwM7080835 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 22:43:59 -0700 (PDT) (envelope-from pgut001@cs.auckland.ac.nz) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtpc.itss.auckland.ac.nz (Postfix) with ESMTP id 25ECF34F33; Thu, 22 Sep 2005 17:43:53 +1200 (NZST) Received: from smtpc.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpc.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07132-10; Thu, 22 Sep 2005 17:43:53 +1200 (NZST) Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by smtpc.itss.auckland.ac.nz (Postfix) with ESMTP id DBAD834F32; Thu, 22 Sep 2005 17:43:52 +1200 (NZST) Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 42A6237756; Thu, 22 Sep 2005 17:43:52 +1200 (NZST) Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1EIJsD-0008KQ-00; Thu, 22 Sep 2005 17:43:57 +1200 From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-openpgp@imc.org, nagydani@epointsystem.org Subject: Re: Plausible deniability (a feature to think about) In-Reply-To: <20050922042955.GA30473@epointsystem.org> Message-Id: <E1EIJsD-0008KQ-00@medusa01.cs.auckland.ac.nz> Date: Thu, 22 Sep 2005 17:43:57 +1200 X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> nagydani@epointsystem.org (Daniel A. Nagy) writes: >Now, there exists a cryptographic solution for this problem, moreover, >RFC2440 even hints that it might be implemented in OpenPGP, though I have >never seen it used: X9.42 Diffie-Hellman key agreement (see also RFC2630, >RFC2631 and RFC2633). X9.42 was only added to S/MIME for political reasons. AFAIK only one implementation ever supported it, and that was the USG-funded reference implementation that was required to support it. In addition, MS supported a read-only implementation just so they couldn't be accused of not supporting it. (I remember having a conversation with a rather baffled security application developer who wanted to see X9.42 in an S/MIME toolkit and just couldn't understand that although the spec had it as a MUST requirement, all the implementors knew that you should ignore it). >Has anybody ever bothered implementing (or even designing an implementation >of) this in an OpenPGP-friendly manner? See above. Peter. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8M4Tv9p074436; Wed, 21 Sep 2005 21:29:57 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8M4TvFd074435; Wed, 21 Sep 2005 21:29:57 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8M4TuIp074428 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 21:29:56 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 28FCE2B479A; Thu, 22 Sep 2005 06:29:55 +0200 (CEST) Date: Thu, 22 Sep 2005 06:29:55 +0200 To: ietf-openpgp@imc.org Subject: Plausible deniability (a feature to think about) Message-ID: <20050922042955.GA30473@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I just got a message from a human rights activist, who pointed out a shortcoming of PGP for -- for the lack of a better word -- paranoid conspirators. Imagine, that a conspiracy expects to be infiltrated. They send encrypted messages back and forth but they have a dilemma: to sign or not to sign? If they do sign, the infiltrator will have damning evidence on his hands and the bad guys will be able to crack down on the conspirators. If they don't sign, the infiltrator will be able to forge messages and thus seriously interfere with the activities of the group (e.g. call off action in the name of the ringleader, etc.). Now, there exists a cryptographic solution for this problem, moreover, RFC2440 even hints that it might be implemented in OpenPGP, though I have never seen it used: X9.42 Diffie-Hellman key agreement (see also RFC2630, RFC2631 and RFC2633). In addition to signature and encryption keys, one can have a DH subkey which may be used to create a (salted) two-party shared secret session key and send an MDC-protected encnrypted message using that key. Now, the receiving party can be sure that it was composed by the sender, but has no means of proving it to a third party. The sender can plausibly deny authorship, claiming that the receiver has forged it using his private key and the sender's public key. Has anybody ever bothered implementing (or even designing an implementation of) this in an OpenPGP-friendly manner? Seems like it's just a matter of a third ESK type (tentatively called DH-ESK) and a clear definiton of DH keys (for which we have reserved identifier 21), which, I guess, should be identical to ElGamal keys, though it is instrumental that the entie conspiracy used the same modulus and generator element. DH-ESK should be very similar to SK-ESK with a salted (but not iterated) S2K, except for the additional 8-octet IDs of the sender's and the recipient's public DH keys. The usual traffic-analysis thwarting techniques of leaving one or both of them blank obviously apply. Allowing for an ephemeral sender PK to be included is pointless, as that would bring us back to ElGamal encryption (well, almost), for which there is already a PK-ESK. If the MDC verification works out on the receiving end, the implementation should show the message as being "sealed" by the sender on the date from the literal packet, in addition to decrypting it, much like it handles signed+encrypted messages. It's so easy and straightforward that I'd dare to propose it for 2440bis. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8M0m8jt055559; Wed, 21 Sep 2005 17:48:08 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8M0m82q055558; Wed, 21 Sep 2005 17:48:08 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [204.127.198.43]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8M0m7PN055548 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 17:48:07 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc12) with ESMTP id <200509220048010140010bb8e>; Thu, 22 Sep 2005 00:48:01 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8M0m40m022410 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 20:48:04 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8M0lwtX018613 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 20:47:58 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8M0lwlw018612 for ietf-openpgp@imc.org; Wed, 21 Sep 2005 20:47:58 -0400 Date: Wed, 21 Sep 2005 20:47:58 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050922004758.GA18468@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050921212613.09EAF57EF5@finney.org> <20050921215503.GA18343@jabberwocky.com> <20050921230320.GB8089@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921230320.GB8089@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 22, 2005 at 01:03:20AM +0200, Daniel A. Nagy wrote: > > On Wed, Sep 21, 2005 at 05:55:03PM -0400, David Shaw wrote: > > > The thing is, I can't really decide if that is a threat or a > > feature... > > In such cases isn't the best policy to let the users and/or implementers decide > for themselves? How about having hashed and unhashed subpackets just like in > v4 signatures, where all are subject to signatures but only the hashed ones > are included in the fingerprint? I think this might cause some serious user confusion. With both types of subpackets, plus the existing v4 signature subpackets, we would have three different ways to specify expiration, each with a slightly different meaning: key-subpacket-in-fingerprint: hard expiration date. All other expiration dates can only be extended to this point. Changing it changes the fingerprint and key ID. key-subpacket-in-signature: soft expiration date. Changing it invalidates all signatures, but does not change the fingerprint/key ID. regular-old-selfsig: very soft expiration date. Can be changed at any time with no impact on anything but the expiration date. Then we have various combinations of the above... David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LNORiA049141; Wed, 21 Sep 2005 16:24:27 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LNOR1l049140; Wed, 21 Sep 2005 16:24:27 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LNOQUm049134 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:24:26 -0700 (PDT) (envelope-from vedaal@hush.com) Received: from smtp3.hushmail.com (localhost.hushmail.com [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id 3AE50A3491 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:24:26 -0700 (PDT) Received: from mailserver5.hushmail.com (mailserver5.hushmail.com [65.39.178.19]) by smtp3.hushmail.com (Postfix) with ESMTP for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:24:25 -0700 (PDT) Received: by mailserver5.hushmail.com (Postfix, from userid 65534) id A64E933C58; Wed, 21 Sep 2005 16:24:25 -0700 (PDT) Date: Wed, 21 Sep 2005 16:24:22 -0700 To: <ietf-openpgp@imc.org> Cc: Subject: Re: Problems with v4 key packet format From: <vedaal@hush.com> Message-Id: <20050921232425.A64E933C58@mailserver5.hushmail.com> Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 21 Sep 2005 14:55:03 -0700 David Shaw <dshaw@jabberwocky.com> wrote: > It >would >(somewhat) allow someone to violate a hard expiration date on >their >key: make the key, get signatures, and then when the key expires, >just >remake the key. Essentially you can buy an extension on your >"hard" >expiration time at the cost of losing all of your signatures. > >The thing is, I can't really decide if that is a threat or a >feature... to the unsuspecting users who thought that an 'expired' key is *really* expired, it would be confusing to have someone claim, "i 'revived' it, it was dead, but it's better now, just re-sign it and trust it again ..." so, while not really a threat, and not really a feature, it potentially could add to the confusion of the key trust issue, rather than simplify it... vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LN3MnB046890; Wed, 21 Sep 2005 16:03:22 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LN3M5r046889; Wed, 21 Sep 2005 16:03:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LN3LBj046881 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:03:22 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id E3D302B47DB; Thu, 22 Sep 2005 01:03:20 +0200 (CEST) Date: Thu, 22 Sep 2005 01:03:20 +0200 To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921230320.GB8089@epointsystem.org> References: <20050921212613.09EAF57EF5@finney.org> <20050921215503.GA18343@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921215503.GA18343@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 05:55:03PM -0400, David Shaw wrote: > The thing is, I can't really decide if that is a threat or a > feature... In such cases isn't the best policy to let the users and/or implementers decide for themselves? How about having hashed and unhashed subpackets just like in v4 signatures, where all are subject to signatures but only the hashed ones are included in the fingerprint? -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LN0kXR046727; Wed, 21 Sep 2005 16:00:46 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LN0kZQ046726; Wed, 21 Sep 2005 16:00:46 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LN0i7P046719 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:00:45 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id D92882B47DB; Thu, 22 Sep 2005 01:00:43 +0200 (CEST) Date: Thu, 22 Sep 2005 01:00:43 +0200 To: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921230038.GA8089@epointsystem.org> References: <20050921212613.09EAF57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921212613.09EAF57EF5@finney.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 02:26:13PM -0700, "Hal Finney" wrote: > > Careful! If this information is not part of the fingerprint/keyID it can > > still be changed by updating the self-signature, no matter whether it's in > > thte signature packet or in the key packet. > > Not exactly, the self-signature would not (by convention) override the > information in the key subpackets. So just issuing a new self-signature > would not help. That's not what I meant. If the self-signanture is the only integrity protection measure, then someone in possession of the private part of the key can alter the expiration date in the key packet just as he can alter it in the signature subpacket. If it's hashed with the key ID, changing it would also change the key ID, ergo resulting in a different key. > What could happen is that someone who got hold of the private material > could create a new key packet with the same keyid/fingerprint but with > a different expiration date. But(!) the new key would not inherit the > signatures on the old key. That's correct. > That is what I was thinking of as important. > It would not be valid, it would not be part of the Web of Trust. > The idea is that key signatures would cover all of the subpackets, > even though fingerprints do not. And what about keys that are not part of WoT? In the present standard, I can trust a key not only because someone I trust has signed it, but also because I know the fingerprint. Should we break that? > This is a good point, I'll have to think about it. I'm still not > sure that covering this material with key fingerprints and keyids is > the right thing to do. Me neither, but the more I think about it, the more I am leaning towards giving the choice to the user by having hashed and unhashed subpackets, both of which are signed, but only the hashed ones being included in the fingerprint. But I'll have to think more about it myself. > What would the security threats be from being > able to bring a key back to life with the same fingerprint and keyid, > but without any signatures on it being valid? Well, it depends on the applicatiton and the user's trust model. What I like most about OpenPGP is the flexibility of the trust model. Ignoring the WoT is certainly an option I would like to have. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LLtC3q040049; Wed, 21 Sep 2005 14:55:12 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LLtCfc040048; Wed, 21 Sep 2005 14:55:12 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LLtBn4040039 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 14:55:12 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc13) with ESMTP id <20050921215506015004247re>; Wed, 21 Sep 2005 21:55:06 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8LLt80m021948 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 17:55:08 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8LLt3GE018367 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 17:55:03 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8LLt3hE018366 for ietf-openpgp@imc.org; Wed, 21 Sep 2005 17:55:03 -0400 Date: Wed, 21 Sep 2005 17:55:03 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921215503.GA18343@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050921212613.09EAF57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921212613.09EAF57EF5@finney.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 02:26:13PM -0700, "Hal Finney" wrote: > > If you're importing a foreign key or generating one on the fly, you don't > > put subpackets into the key that cannot be determined next time you use the > > same source to get the key. A flag in a subpacket indicating where the key > > comes from might be useful, though. > > This is a good point, I'll have to think about it. I'm still not > sure that covering this material with key fingerprints and keyids is > the right thing to do. What would the security threats be from being > able to bring a key back to life with the same fingerprint and keyid, > but without any signatures on it being valid? My original idea with subpackets was that they would be part of the fingerprint, and changing a subpacket was akin to making a whole new key as the fingerprint and key ID (though not the key material) would change. I see some advantages of what you are discussing. It would (somewhat) allow someone to violate a hard expiration date on their key: make the key, get signatures, and then when the key expires, just remake the key. Essentially you can buy an extension on your "hard" expiration time at the cost of losing all of your signatures. The thing is, I can't really decide if that is a threat or a feature... David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LLQMTw036632; Wed, 21 Sep 2005 14:26:22 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LLQM82036631; Wed, 21 Sep 2005 14:26:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LLQLlo036625 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 14:26:21 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 09EAF57EF5; Wed, 21 Sep 2005 14:26:13 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-Id: <20050921212613.09EAF57EF5@finney.org> Date: Wed, 21 Sep 2005 14:26:13 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel Nagy writes: > On Wed, Sep 21, 2005 at 09:52:33AM -0700, "Hal Finney" wrote: > > I would like to see immutable material put there. One thing that bothers > > me in the current V4 is that the key's expiration date can be changed by > > updating the self-signature. Suppose your key has expired and you don't > > use it any more. As a result perhaps you don't protect it that well. > > If someone gets hold of the private part, they can issue a new self-sig > > with a new expiration date and bring this dead key back to life. It would > > be better if a dead key would stay dead. Expiration date and creation > > date would be better placed in the key packet, IMO (as they were with > > V3 keys). > > Careful! If this information is not part of the fingerprint/keyID it can > still be changed by updating the self-signature, no matter whether it's in > thte signature packet or in the key packet. Not exactly, the self-signature would not (by convention) override the information in the key subpackets. So just issuing a new self-signature would not help. What could happen is that someone who got hold of the private material could create a new key packet with the same keyid/fingerprint but with a different expiration date. But(!) the new key would not inherit the signatures on the old key. That is what I was thinking of as important. It would not be valid, it would not be part of the Web of Trust. The idea is that key signatures would cover all of the subpackets, even though fingerprints do not. > David's idea with sub-packets should be implemented in such a way that > hashed sub-packets are part of the fingerprint. Maybe, we don't even need > unhashed sub-packets. > > If you're importing a foreign key or generating one on the fly, you don't > put subpackets into the key that cannot be determined next time you use the > same source to get the key. A flag in a subpacket indicating where the key > comes from might be useful, though. This is a good point, I'll have to think about it. I'm still not sure that covering this material with key fingerprints and keyids is the right thing to do. What would the security threats be from being able to bring a key back to life with the same fingerprint and keyid, but without any signatures on it being valid? Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LLDIY8035056; Wed, 21 Sep 2005 14:13:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LLDIjr035055; Wed, 21 Sep 2005 14:13:18 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LLDGZF035049 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 14:13:17 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 2CF192B47DD; Wed, 21 Sep 2005 23:13:16 +0200 (CEST) Date: Wed, 21 Sep 2005 23:13:16 +0200 To: ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Message-ID: <20050921211316.GB2316@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Sorry, something being "pareto complete for a particular purpose" is an abuse of Ian's definition. SHA1 is not pareto-complete, but still pareto-secure if collision-resistance is not an issue. There is a number of good papers on truncating hash functions for message authentication and there's a general consensus that at least 80 bits or half of the bits (whichever is more) of a full-stregth hash function are sufficient for medium-term security. For long term, I would upgrade that to 128 bits, and taking into account known and unforseen weeknesses of hash functions, using 160 bits should satisfy even the most paranoid. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LL0HgZ034028; Wed, 21 Sep 2005 14:00:17 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LL0H4R034026; Wed, 21 Sep 2005 14:00:17 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LL0GG9034020 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 14:00:16 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 769002B47E9; Wed, 21 Sep 2005 23:00:15 +0200 (CEST) Date: Wed, 21 Sep 2005 23:00:15 +0200 To: ietf-openpgp@imc.org Subject: Re: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Message-ID: <20050921210015.GA2316@epointsystem.org> References: <20050921202208.GB18050@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921202208.GB18050@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> As before, I would like to express my concerns about allowing a choice of hash algorithms. Here's some detail: A complete break (feasible reversal) of ANY ONE of the supported hash algorithms would allow generating keys with arbitrary long key IDs, possibly colliding with an attacked key. This was a major problem with v3 and v4 was a giant step in the right direction. This would be a small step backwards. For MDC purposes, it's even worse. Since collisions are of no concern in the case of the key fingerprint and MDC, I would just stick to SHA1 for the time being. Precisely because of this, assuming a full-strength hash function, half of the hash suffices. This is just a remark to the length requirement. 128 bit fingerprints are secure for the forseable future, but using the 160 bit SHA1 (with all its problems), is a reasonable overdesign taking into account what we don't know. Collision resistance is important for signatures and even more so for certifications, but it is of no concern whatsoever for fingerprints and MDC. Where RFC2440 has SHA1 hardwired into the spec, it is completely safe and even somewhat of an overkill. Using Ian's terminology, it's still pareto-secure and even pareto-complete. No alternative would provide more security. Signatures and certifications are a completely different issue altogether. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LKMgll027954; Wed, 21 Sep 2005 13:22:42 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LKMgtL027953; Wed, 21 Sep 2005 13:22:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc14.comcast.net [216.148.227.89]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LKMgmV027939 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 13:22:42 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc14) with ESMTP id <2005092120221201400oggeke>; Wed, 21 Sep 2005 20:22:13 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8LKMD0m021641 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:22:13 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8LKM8wn018152 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:22:08 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8LKM8bl018151 for ietf-openpgp@imc.org; Wed, 21 Sep 2005 16:22:08 -0400 Date: Wed, 21 Sep 2005 16:22:08 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Some thoughts on a v5 key and why it shouldn't be a mess (fwd) Message-ID: <20050921202208.GB18050@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> This is my original mail about V5 and keys with subpackets. Since V5 is being discussed now, it seems reasonable to repost. David ----- Forwarded message from David Shaw <dshaw@jabberwocky.com> ----- Date: Mon, 21 Feb 2005 12:11:31 -0500 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Some thoughts on a v5 key and why it shouldn't be a mess Mail-Followup-To: ietf-openpgp@imc.org OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc I had around 10 hours in a car this weekend, which gave me a good bit of time to think some more about the v5 key idea. I don't see this as a "drop everything and do v5" suggestion. It's more of a "design v5 in 2005, because we need it a few years from now". Attacks only get better, and if we want to be able to shrug off a future SHA-1 break like we were able to shrug off the MD5 break, we need to start the process. While this is prompted by the SHA-1 problems, note that NIST was already replacing SHA-1 with the SHA-2 family by 2010 for size reasons. Even if the recent SHA-1 problems hadn't happened, I'd still think it was time to start designing a v5 key. I don't think there needs to be a lot of fear over a version number bump. To be sure, the change from v3 to v4 was disruptive. In one step, the packet format, the default symmetric cipher, and the public-key algorithm was changed. Even the concept of a key was altered by adding subkeys. I'm not criticizing - the changes were necessary for many reasons, but unfortunately they also split the user base into "before" and "after", with interoperability problems between the two groups. In some (occasionally frustrating) corners, the change hasn't even happened yet. I don't see the change from v4 to v5 being nearly as disruptive as the v3 to v4 change. The straw proposal I'm putting forth here is an incremental change over v4, large enough to be worth doing, small enough that if the change is done carefully, it should be painless. v4 and the proposed v5 can also quite happily co-exist without anyone noticing or caring. Note that I'm not talking about making a v5 signature at this point. Here is a proposed packet format for a v5 key, interspersed with comments. Obviously, not every detail is given, but the general ideas should be clear: - A one-octet version number (5). - A one-octet hash algorithm number. This is an attempt to balance Jon's comments about 160 bits being all that a human user can handle for a fingerprint, and the desire to not be locked to SHA-1 in case of future trouble. Essentially you set this value to the fingerprint hash you want to use for this key. The value itself is hashed into the fingerprint (and signatures on the key), so it cannot be changed once the key is generated. Is is possible for different v5 key fingerprints to be of different lengths. A v5 fingerprint is written "algo - colon - data", like 2:12 34 56 78 9A BC DE F0 ...(etc). The v5 keyid concept is the same as v4: the keyid is the lower 32 or 64 bits of the fingerprint, however long it may be. There are some problems with this idea, not least that any implementation that doesn't understand the hash algorithm won't be able to use the key. It may well be better to lock this value to SHA-256 and be done with it. - A two-octet scalar octet count for the following subpacket data. Note that this is the length in octets of all of the hashed subpackets; a pointer incremented by this number will skip over the subpackets. - Subpacket data. Yes, v5 keys have subpackets. It's a bit of future-proofing since it is a lot easier to add a subpacket than it is to go to a v6 key format. Note that there are no "unhashed" subpackets here. All subpackets are hashed into the fingerprint, and therefore are fixed at key generation time. The subpacket numbers do not need to be the same as signature subpackets, but the encoding format is the same, and the critical bit has the same meaning here as it does for signatures. Only one subpacket comes to mind at the moment, and that is: Expiration time (4 octet time field) The validity period limit of the key. This is the number of seconds after the key creation time that the key must expire by. If this is not present or has a value of zero, the key has no hard expiration. This gives a "hard" expiration time which cannot be extended, unlike the current "soft" expiration in v4. There were a number of disagreements over the v4 soft expirations, and while it's an interesting discussion, at the end of the day there are good reasons to support both. In practice, this key subpacket sets a hard limit on the lifetime of a key, and any soft expirations can only affect the lifetime of the key up to that hard point. No hard expiration acts just like v4. Users can mix the two to give whatever semantics they want. - A four-octet number denoting the time that the key was created. This might be better as a subpacket, but then implementers would have to deal with the case if it was missing. - A one-octet number denoting the public key algorithm of this key. - A series of multiprecision integers comprising the key material. Same as v4. There is no need to change MPIs around. There are only so many ways to store large numbers in a row. The v5 secret keys, like the v4 secret keys, are the same as the public key with the secret material appended. An additional change, which is not part of the key packet format is that v5 keys have AES as both their "last resort" and "must implement" ciphers. When encrypting to v4 and v5 keys together, the default cipher is 3DES. One way to look at this is that cipher preferences on a v5 key have "AES, 3DES" implicitly at the end if not explicitly used earlier. When combined with the implicit "3DES" already at the end of a v4 preference list, the right thing will happen automatically. Note that while AES is the "must" cipher for v5, implementations that support v4 keys must also implement 3DES. To make the transition from v4 to v5 as invisible as possible, I'd suggest having read support for this in implementations for as long as possible (say, 1 year) before allowing users to create these keys. This gives time for upgrading (and there will be a certain amount of upgrading for other reasons during that time as well, which the v5 keys can be included with), and for various other processes that interact with OpenPGP like keyservers to be updated. I also suggest that this not be a part of 2440bis. The v5 discussions will undoubtedly take a while, and delaying 2440bis for an unknown (but probably long) period of time seems a shame. Anyway, this is a starting point. Please thow darts and make suggestions. David ----- End forwarded message ----- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LKJbkg027694; Wed, 21 Sep 2005 13:19:38 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LKJbxZ027693; Wed, 21 Sep 2005 13:19:37 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from sccrmhc14.comcast.net (sccrmhc14.comcast.net [63.240.76.49]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LKJbl6027682 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 13:19:37 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (sccrmhc14) with ESMTP id <2005092120192801400jq001e>; Wed, 21 Sep 2005 20:19:29 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8LKJW0m021625 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:19:32 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8LKJMRD018140 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 16:19:22 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8LKJL74018139 for ietf-openpgp@imc.org; Wed, 21 Sep 2005 16:19:21 -0400 Date: Wed, 21 Sep 2005 16:19:21 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921201921.GA18050@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050921165233.74FAA57EF5@finney.org> <20050921195621.GB10842@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921195621.GB10842@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 09:56:38PM +0200, Daniel A. Nagy wrote: > > On Wed, Sep 21, 2005 at 09:52:33AM -0700, "Hal Finney" wrote: > > > > 3. Key fingerprint depends on data unrelated to the actual key (namely: > > > creation date). > > > > Yes, this has hurt our PGP implementation when dealing with foreign keys > > such as X.509 certificates. If we want to import a raw modulus+exponent > > pair as a PGP key, and we want to know if we already have one on the > > keyring, we can't easily compute a fingerprint and look for a match, > > because creation date affects fingerprints. I agree that fingerprints > > should just be over the formatted key material. > > > > > 4. More generally, creation time does not belong to the key packet. > > > > > > Because it is just an attribute of the key as any other, thus belonging to > > > certificatiton signature sub-packets, rather than the key packet. > > > > I like David's idea better to have some sub-packets in the V5 key. > > Me too. > > > I would like to see immutable material put there. One thing that bothers > > me in the current V4 is that the key's expiration date can be changed by > > updating the self-signature. Suppose your key has expired and you don't > > use it any more. As a result perhaps you don't protect it that well. > > If someone gets hold of the private part, they can issue a new self-sig > > with a new expiration date and bring this dead key back to life. It would > > be better if a dead key would stay dead. Expiration date and creation > > date would be better placed in the key packet, IMO (as they were with > > V3 keys). > > Careful! If this information is not part of the fingerprint/keyID it can > still be changed by updating the self-signature, no matter whether it's in > thte signature packet or in the key packet. > > David's idea with sub-packets should be implemented in such a way that > hashed sub-packets are part of the fingerprint. Maybe, we don't even need > unhashed sub-packets. There have been a number of mentions of the key-with-subpackets idea recently, so I'll repost the mail where I first proposed the idea. It has many more details than I mentioned in this thread. In short though, the subpackets are hashed into the fingerprint and any certification signatures (including self signatures). In my proposal there are no unhashed subpackets. In the case of expiration, we would have two different ways to specify expiration. The expiration time hashed into the key is a hard expiration time that cannot be extended. The expiration time in the self-signature is a soft expiration time that can be extended or changed whenever desired - but only up to the hard limit given in the key itself. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LJugW6025241; Wed, 21 Sep 2005 12:56:42 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LJug0q025240; Wed, 21 Sep 2005 12:56:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LJuevi025234 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 12:56:41 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 4F9662B47ED; Wed, 21 Sep 2005 21:56:38 +0200 (CEST) Date: Wed, 21 Sep 2005 21:56:38 +0200 To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921195621.GB10842@epointsystem.org> References: <20050921165233.74FAA57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921165233.74FAA57EF5@finney.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 09:52:33AM -0700, "Hal Finney" wrote: > > 3. Key fingerprint depends on data unrelated to the actual key (namely: > > creation date). > > Yes, this has hurt our PGP implementation when dealing with foreign keys > such as X.509 certificates. If we want to import a raw modulus+exponent > pair as a PGP key, and we want to know if we already have one on the > keyring, we can't easily compute a fingerprint and look for a match, > because creation date affects fingerprints. I agree that fingerprints > should just be over the formatted key material. > > > 4. More generally, creation time does not belong to the key packet. > > > > Because it is just an attribute of the key as any other, thus belonging to > > certificatiton signature sub-packets, rather than the key packet. > > I like David's idea better to have some sub-packets in the V5 key. Me too. > I would like to see immutable material put there. One thing that bothers > me in the current V4 is that the key's expiration date can be changed by > updating the self-signature. Suppose your key has expired and you don't > use it any more. As a result perhaps you don't protect it that well. > If someone gets hold of the private part, they can issue a new self-sig > with a new expiration date and bring this dead key back to life. It would > be better if a dead key would stay dead. Expiration date and creation > date would be better placed in the key packet, IMO (as they were with > V3 keys). Careful! If this information is not part of the fingerprint/keyID it can still be changed by updating the self-signature, no matter whether it's in thte signature packet or in the key packet. David's idea with sub-packets should be implemented in such a way that hashed sub-packets are part of the fingerprint. Maybe, we don't even need unhashed sub-packets. If you're importing a foreign key or generating one on the fly, you don't put subpackets into the key that cannot be determined next time you use the same source to get the key. A flag in a subpacket indicating where the key comes from might be useful, though. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LJnFfF024550; Wed, 21 Sep 2005 12:49:15 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LJnFSj024549; Wed, 21 Sep 2005 12:49:15 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LJnE0f024539 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 12:49:14 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 3C3C42B47EA; Wed, 21 Sep 2005 21:49:13 +0200 (CEST) Date: Wed, 21 Sep 2005 21:49:13 +0200 To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921194913.GA10842@epointsystem.org> References: <20050921165233.74FAA57EF5@finney.org> <87aci6nxtp.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87aci6nxtp.fsf@wheatstone.g10code.de> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 07:18:58PM +0200, Werner Koch wrote: > The suggestion was that we put a hard-expiration into a v5 key packet > but keep the existing soft-expiration in the self-signature. I think, David's subpacket solution accomodates for this without being overly restrictive. If you want to make sure your key stays dead after expiration, you put a hashed expiration date subpacket into your key. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LHLZlj010244; Wed, 21 Sep 2005 10:21:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LHLZe0010243; Wed, 21 Sep 2005 10:21:35 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LHLYWY010235 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 10:21:34 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EI8O3-0000V0-6a for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 19:28:03 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EI8FG-0003CL-Dg; Wed, 21 Sep 2005 19:18:58 +0200 To: hal@finney.org ("Hal Finney") Cc: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format References: <20050921165233.74FAA57EF5@finney.org> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Wed, 21 Sep 2005 19:18:58 +0200 In-Reply-To: <20050921165233.74FAA57EF5@finney.org> (Hal Finney's message of "Wed, 21 Sep 2005 09:52:33 -0700 (PDT)") Message-ID: <87aci6nxtp.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, 21 Sep 2005 09:52:33 -0700 (PDT), "Hal Finney" said: > be better if a dead key would stay dead. Expiration date and creation > date would be better placed in the key packet, IMO (as they were with > V3 keys). We discussed this issue a long time ago and came to the conclusion that both kinds of exiration dates make a lot of sense. Prolonging the expiration time is something what quite some users are doing now on a regular basis. If nothing else it helps against a lost passphrase. The suggestion was that we put a hard-expiration into a v5 key packet but keep the existing soft-expiration in the self-signature. Salam-Shalom, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGqhNb007032; Wed, 21 Sep 2005 09:52:43 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LGqhst007031; Wed, 21 Sep 2005 09:52:43 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGqgwZ007024 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 09:52:42 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 74FAA57EF5; Wed, 21 Sep 2005 09:52:33 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-Id: <20050921165233.74FAA57EF5@finney.org> Date: Wed, 21 Sep 2005 09:52:33 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Let me give my responses to Daniel's points about V4 key packets. First I want to mention that Ian seemed to take a much larger view and wanted to redesign the whole of the OpenPGP format. V4 to V5 key packets is only one small part of the spec. No one is proposing to redo OpenPGP from scratch here. > 1. No cryptographic binding between the encrypted private key material and > the public key material. > > This results in a serious security issue, by allowing an attacker to replace > the public material thus compromising the private material with the first > use in the signature. There are various stop-gap measures to deal with this > attack, but the only sure protetction would be some MDC binding together the > private and the public key material. This is a very good point, and it is a little different from the previous attacks. If we had thought of it, we would have tried to fix it when we added the checksum over the private key material. The previous attack involved modifying some private key material and causing the signature algorithm to fail. In RSA keys, if you hack just one of p or q and get it to do the signature using the Chinese Remainder Theorem (CRT), the resulting value can leak the other of p or q and therefore leak your private key. To defend against this we added a SHA-1 hash over the private material as a checksum. Daniel proposes an extension to the attack where the private key material is left alone and the public material (in the private key packet) is modified. I don't think this would do anything on RSA keys, as the CRT based signature algorithm does not use the public modulus or exponent. However it would be effective against DSA keys. The attacker could change p and q to be much smaller values, such that discrete logs were feasible, then request a DSA signature using these values, solve the discrete log and reveal x (the private value) mod q. Do this a few times with different q's would reveal x. Had we thought about this, we could easily have had the SHA-1 hash cover the public as well as the private key material, but we didn't, unfortunately. Putting some size-based sanity checks in the DSA signature code might be a good idea though. I don't know if there are other variations on the attack that could also be addressed for now with sanity checks. > 2. No explicit count of MPIs constituting the key material (both public and > private). > > This information can only be inferred from the algorithm specifier, meaning > that any implementation that wants to perform key management must have some > rudimentary knowledge about all public key algorithms. This, in turn, > hampers forward-compatibility. I am inclined to agree with David that there is not much point to being able to parse a packet's details when we can't do anything useful with it. > 3. Key fingerprint depends on data unrelated to the actual key (namely: > creation date). > > This prevents solutions when signature keys are generated on the fly (e.g. > directly from a passphrase), as the key creation (or, in this case, key > registration) date is not available at the time of signing, thus making it > impossible to put am unambiguous reference to the public key into the > signature. Yes, this has hurt our PGP implementation when dealing with foreign keys such as X.509 certificates. If we want to import a raw modulus+exponent pair as a PGP key, and we want to know if we already have one on the keyring, we can't easily compute a fingerprint and look for a match, because creation date affects fingerprints. I agree that fingerprints should just be over the formatted key material. > 4. More generally, creation time does not belong to the key packet. > > Because it is just an attribute of the key as any other, thus belonging to > certificatiton signature sub-packets, rather than the key packet. I like David's idea better to have some sub-packets in the V5 key. I would like to see immutable material put there. One thing that bothers me in the current V4 is that the key's expiration date can be changed by updating the self-signature. Suppose your key has expired and you don't use it any more. As a result perhaps you don't protect it that well. If someone gets hold of the private part, they can issue a new self-sig with a new expiration date and bring this dead key back to life. It would be better if a dead key would stay dead. Expiration date and creation date would be better placed in the key packet, IMO (as they were with V3 keys). Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGg0IP006194; Wed, 21 Sep 2005 09:42:00 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LGg07L006193; Wed, 21 Sep 2005 09:42:00 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGfx5e006183 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 09:42:00 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id D33212B47DD; Wed, 21 Sep 2005 18:41:57 +0200 (CEST) Date: Wed, 21 Sep 2005 18:41:56 +0200 To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921164155.GC10971@epointsystem.org> References: <20050920053207.GA5245@epointsystem.org> <433151EB.6050805@algroup.co.uk> <20050921125619.GB15822@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921125619.GB15822@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 08:56:19AM -0400, David Shaw wrote: > You could also do what GnuPG does - if it doesn't know the algorithm > it just reads the entire list of MPIs (or anything else in the packet) > into an opaque buffer. I suppose it could figure out the MPIs, but > there seems to be little point since either way, the key is not usable > without support for the algorithm. I suppose if the implementation > stored keys in a backend that needed to know the individual key > parameters that would be different. That's what I actually do. But I don't like it. From an OO perspective, it makes certain abstractions less efficient. > Some people want to include things in the key fingerprint and some > don't. There are good reasons for both, so I favor v5 keys with > optional subpackets like v4 signatures. Within reason, it's a "make > everyone happy" solution. Excellent idea! Maybe, we can use a common set of subpackets, where some make sense only in signatures while others only in keys. There are too many overlaps for warranting a separate design. -- Daniels Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGcEDU005861; Wed, 21 Sep 2005 09:38:14 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LGcE13005860; Wed, 21 Sep 2005 09:38:14 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGcDGc005852 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 09:38:13 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 993F02B4806; Wed, 21 Sep 2005 18:36:48 +0200 (CEST) Date: Wed, 21 Sep 2005 18:36:48 +0200 To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921163646.GB10971@epointsystem.org> References: <20050920053207.GA5245@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920053207.GA5245@epointsystem.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Oh, one item that I forgot to include in my list: Encrypted private key packets are superfluous, IMO. Internally, it can be up to the implementation how it secures private keys (as it varies from situation to situation what the requirements and environmental assumptions are), while for interoperability, it's perfectly secure to export unencrypted private key packets (and the auxiliary stuff) within an MDC-protected encrypted data packet, with some ESK in front of it. This way, designers and implementers would only need to worry only about the security of one MDC-protected encrypted data packet format, instead of two, slightly different ones. The only capability that would be lost is exporting and importing private keys without knowing the corresponding passphrases, but I can't imagine legitimate uses for that anyway, while such an action may well be part of some more sophisticated active attack. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGaeu1005609; Wed, 21 Sep 2005 09:36:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LGaeod005608; Wed, 21 Sep 2005 09:36:40 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from smtpauth08.mail.atl.earthlink.net (smtpauth08.mail.atl.earthlink.net [209.86.89.68]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGaeUL005602 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 09:36:40 -0700 (PDT) (envelope-from frantz@pwpconsult.com) Received: from [68.164.87.96] (helo=[192.168.1.5]) by smtpauth08.mail.atl.earthlink.net with asmtp (Exim 4.34) id 1EI7aJ-0000Gs-Ra for ietf-openpgp@imc.org; Wed, 21 Sep 2005 12:36:40 -0400 Date: Wed, 21 Sep 2005 09:36:37 -0700 From: Bill Frantz <frantz@pwpconsult.com> Subject: Re: Bigger DSA keys To: ietf-openpgp@imc.org X-Priority: 3 In-Reply-To: <432D5936.5020701@algroup.co.uk> Message-ID: <r02010500-1039-E1E1E11A2ABD11DA8F8A0030658F0F64@[192.168.1.5]> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Mailer: Mailsmith 2.1.5 (Blindsider) X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec79c952702934c0bba4bd40b011a7917318350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c X-Originating-IP: 68.164.87.96 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id j8LGaeUL005603 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 9/18/05, ben@algroup.co.uk (Ben Laurie) wrote: > >Ian G wrote: >> Numbers? > >I was going to provide them, but accurate numbers for DSA is difficult, >because it requires modifying the core code in OpenSSL (or some other >DSA generator), and I couldn't be bothered. > >One can get a feel for it with: > >time openssl gendh <number of bits> I'm not sure, based on these numbers, that this benchmark procedure is reproducible enough to give valid data with only one sample per prime size. However, here is what I got. On a Mac G4/450MHz running OS 10.3.9: [G4:~] billfran% time openssl gendh 512 ... 9.850u 0.170s 0:18.39 54.4% 0+0k 3+7io 0pf+0w [G4:~] billfran% time openssl gendh 1024 ... 11.920u 0.070s 0:13.19 90.9% 0+0k 0+3io 0pf+0w [G4:~] billfran% time openssl gendh 2048 ... 5909.970u 24.060s 1:45:08.60 94.0% 0+0k 0+4io 0pf+0w [G4:~] billfran% time openssl gendh 3072 ... 21017.450u 166.540s 6:42:28.96 87.7% 0+0k 0+3io 0pf+0w Cheers - Bill ----------------------------------------------------------------------- Bill Frantz | gets() remains as a monument | Periwinkle (408)356-8506 | to C's continuing support of | 16345 Englewood Ave www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGLZ85003687; Wed, 21 Sep 2005 09:21:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LGLZvY003686; Wed, 21 Sep 2005 09:21:35 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LGLYRb003679 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 09:21:35 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 65AA02B47E9; Wed, 21 Sep 2005 18:21:32 +0200 (CEST) Date: Wed, 21 Sep 2005 18:21:31 +0200 To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921162119.GA10971@epointsystem.org> References: <20050920053207.GA5245@epointsystem.org> <433151EB.6050805@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <433151EB.6050805@algroup.co.uk> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 01:28:27PM +0100, Ben Laurie wrote: > I don't understand this attack. It's the well-known Klima-Rosa attack. It has been discussed earlier on this list. > >2. No explicit count of MPIs constituting the key material (both public and > >private). > > > >This information can only be inferred from the algorithm specifier, meaning > >that any implementation that wants to perform key management must have some > >rudimentary knowledge about all public key algorithms. This, in turn, > >hampers forward-compatibility. > > This appears to me to be incorrect - an implementation that didn't know > the algorithm could still deduce the number of MPIs by parsing the > packet until it is exhausted. Except for private key packets. > This would mean introducing a requirement > that all public key parameters were MPIs, of course. That, too. > >3. Key fingerprint depends on data unrelated to the actual key (namely: > >creation date). > > > >This prevents solutions when signature keys are generated on the fly (e.g. > >directly from a passphrase), as the key creation (or, in this case, key > >registration) date is not available at the time of signing, thus making it > >impossible to put am unambiguous reference to the public key into the > >signature. > > Not impossible, but I'll agree, crufty. One could use a fixed creation date. That's a horrible cruft breaking all sorts of things (validity period, etc.). I like Dave's suggestion about adding optional subpackets, similar to those in signatures. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCuQaD081294; Wed, 21 Sep 2005 05:56:26 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LCuQEG081293; Wed, 21 Sep 2005 05:56:26 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [63.240.76.28]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCuQRU081282 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 05:56:26 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (sccrmhc13) with ESMTP id <2005092112562001300a77npe>; Wed, 21 Sep 2005 12:56:20 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8LCuM0m019742 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 08:56:22 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8LCuJZ8017441 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 08:56:19 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8LCuJfE017440 for ietf-openpgp@imc.org; Wed, 21 Sep 2005 08:56:19 -0400 Date: Wed, 21 Sep 2005 08:56:19 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format Message-ID: <20050921125619.GB15822@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050920053207.GA5245@epointsystem.org> <433151EB.6050805@algroup.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <433151EB.6050805@algroup.co.uk> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 01:28:27PM +0100, Ben Laurie wrote: > >2. No explicit count of MPIs constituting the key material (both public and > >private). > > > >This information can only be inferred from the algorithm specifier, meaning > >that any implementation that wants to perform key management must have some > >rudimentary knowledge about all public key algorithms. This, in turn, > >hampers forward-compatibility. > > This appears to me to be incorrect - an implementation that didn't know > the algorithm could still deduce the number of MPIs by parsing the > packet until it is exhausted. This would mean introducing a requirement > that all public key parameters were MPIs, of course. You could also do what GnuPG does - if it doesn't know the algorithm it just reads the entire list of MPIs (or anything else in the packet) into an opaque buffer. I suppose it could figure out the MPIs, but there seems to be little point since either way, the key is not usable without support for the algorithm. I suppose if the implementation stored keys in a backend that needed to know the individual key parameters that would be different. > >3. Key fingerprint depends on data unrelated to the actual key (namely: > >creation date). > > > >This prevents solutions when signature keys are generated on the fly (e.g. > >directly from a passphrase), as the key creation (or, in this case, key > >registration) date is not available at the time of signing, thus making it > >impossible to put am unambiguous reference to the public key into the > >signature. > > Not impossible, but I'll agree, crufty. One could use a fixed creation date. Some people want to include things in the key fingerprint and some don't. There are good reasons for both, so I favor v5 keys with optional subpackets like v4 signatures. Within reason, it's a "make everyone happy" solution. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCmPUG080687; Wed, 21 Sep 2005 05:48:25 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LCmPDt080686; Wed, 21 Sep 2005 05:48:25 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCmOCe080678 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 05:48:24 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.219] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id AACDE33C1A; Wed, 21 Sep 2005 13:48:23 +0100 (BST) Message-ID: <43315698.4030607@algroup.co.uk> Date: Wed, 21 Sep 2005 13:48:24 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Daniel A. Nagy" <nagydani@epointsystem.org> CC: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Bigger DSA keys References: <20050920014429.2762157EF5@finney.org> <20050920083438.GA2105@bitchcake.off.net> <20050920085432.GC24261@epointsystem.org> In-Reply-To: <20050920085432.GC24261@epointsystem.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel A. Nagy wrote: > On Tue, Sep 20, 2005 at 04:34:38AM -0400, Adam Back wrote: > > >>Could one not use the Lim Lee safe prime generation method for DSA? >> >>It has significant speed advantages. >> >>Adam > > > DSS explicitly specifies how to generate primes for DSA keys. It can be > easily generalized for larger keys and other hash functions, and its > reasonable to assume that the new DSS will do that. > > My estimates were based on that specification. You only have to follow DSS if you want FIPS-140 and the like, of course. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCSRYP078817; Wed, 21 Sep 2005 05:28:27 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LCSRUj078816; Wed, 21 Sep 2005 05:28:27 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCSREP078810 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 05:28:27 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.219] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 712BF33C1B; Wed, 21 Sep 2005 13:28:26 +0100 (BST) Message-ID: <433151EB.6050805@algroup.co.uk> Date: Wed, 21 Sep 2005 13:28:27 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Daniel A. Nagy" <nagydani@epointsystem.org> CC: ietf-openpgp@imc.org Subject: Re: Problems with v4 key packet format References: <20050920053207.GA5245@epointsystem.org> In-Reply-To: <20050920053207.GA5245@epointsystem.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel A. Nagy wrote: > In order to design a successor to v4 key packet format, it is important to > first identify its shortcomings. Here's a list of my problems with it: > > 1. No cryptographic binding between the encrypted private key material and > the public key material. > > This results in a serious security issue, by allowing an attacker to replace > the public material thus compromising the private material with the first > use in the signature. There are various stop-gap measures to deal with this > attack, but the only sure protetction would be some MDC binding together the > private and the public key material. I don't understand this attack. > 2. No explicit count of MPIs constituting the key material (both public and > private). > > This information can only be inferred from the algorithm specifier, meaning > that any implementation that wants to perform key management must have some > rudimentary knowledge about all public key algorithms. This, in turn, > hampers forward-compatibility. This appears to me to be incorrect - an implementation that didn't know the algorithm could still deduce the number of MPIs by parsing the packet until it is exhausted. This would mean introducing a requirement that all public key parameters were MPIs, of course. > 3. Key fingerprint depends on data unrelated to the actual key (namely: > creation date). > > This prevents solutions when signature keys are generated on the fly (e.g. > directly from a passphrase), as the key creation (or, in this case, key > registration) date is not available at the time of signing, thus making it > impossible to put am unambiguous reference to the public key into the > signature. Not impossible, but I'll agree, crufty. One could use a fixed creation date. > 4. More generally, creation time does not belong to the key packet. > > Because it is just an attribute of the key as any other, thus belonging to > certificatiton signature sub-packets, rather than the key packet. So? Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCOLnq078598; Wed, 21 Sep 2005 05:24:21 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LCOL0c078597; Wed, 21 Sep 2005 05:24:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LCOKRp078587 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 05:24:20 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.219] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 579B233C1A; Wed, 21 Sep 2005 13:24:19 +0100 (BST) Message-ID: <433150F4.1000307@algroup.co.uk> Date: Wed, 21 Sep 2005 13:24:20 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Hal Finney <hal@finney.org> CC: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050920014429.2762157EF5@finney.org> In-Reply-To: <20050920014429.2762157EF5@finney.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hal Finney wrote: > In contrast, finding "strong" primes p such that (p-1)/2 is also prime > does tend to be slow. I think there is a trick to do it using a double > sieve but it is still much slower than finding regular primes. There is - Geoff Thorpe and I planned to implement it for OpenSSL, but never got around to it. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LB0IvA070743; Wed, 21 Sep 2005 04:00:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LB0I0k070742; Wed, 21 Sep 2005 04:00:18 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LB0H1i070736 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 04:00:17 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 631D85AA12; Wed, 21 Sep 2005 12:00:16 +0100 (BST) Message-ID: <43313D64.8070501@systemics.com> Date: Wed, 21 Sep 2005 12:00:52 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: OpenPGP <ietf-openpgp@imc.org> Cc: Jon Callas <jon@callas.org> Subject: Re: Interop grill-off References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> In-Reply-To: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Jon Callas wrote: > > I think it would be good for us to have some sort of interoperability > test and event. Putting on my PGP Corporation hat, I'm happy to sponsor > it. However, it doesn't *have* to be a physical event. Physics is fun, but net chemistry also works. I've had some degree of success in testing cross-platform code using a "webservice" approach. Basically, build a server that offers a number of actions over HTTP **. The basic action is an echo service that forms part of a read/write cycle to prove serialisation. It works roughly this way: 1. Create a garbage packet. 2. Serialise it into its network form. 3. Send it off to the other implementation over some sort of server protocol. 4. The echo server sits there and waits for packets: a. read a packet in, b. parse it, objectise it, c. write it out again in network form, d. return it as the response to the request. 5. The original sender reads back the response, recovers it and then compares it internally with the original packet it sent. This means that there needs to be two routines added to every packet: create a garbage packet, and compare two packets for equality. Once that basic architecture is defined, many variants are possible.... > Does anyone else > think it would be a good idea? Does anyone want to help put it on, come > up with test cases, that sort of thing? It's definately a good idea. The main thing above would be to define a list of the minimal packets that should be echoed: public key packet with basic feature set and only the MUST algorithms encrypted message, signed message, cleartext and binary encrypted + signed binary Start with the absolute minimum. (Obviously encrypted and signed messages will involve some state ....) iang PS: To add in another buzzword, I'd do it in REST format, which basically means do it as a simulated web server, and have the client and server deal with HTTP POST requests with some form of application binary data. This avoids most of the complications of defining ones own transport protocol, avoids having to talk to the firewall people, and for most languages means you don't have to run a server at all, just slot it in as a CGI into Apache. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LAw0f9070620; Wed, 21 Sep 2005 03:58:00 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8LAw0g2070619; Wed, 21 Sep 2005 03:58:00 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8LAvw7o070610 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 03:57:59 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 615DE5AA0A; Wed, 21 Sep 2005 11:57:57 +0100 (BST) Message-ID: <43313CD8.6000303@systemics.com> Date: Wed, 21 Sep 2005 11:58:32 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-openpgp@imc.org Cc: "Daniel A. Nagy" <nagydani@epointsystem.org> Subject: [v5] Re: Problems with v4 key packet format References: <20050920053207.GA5245@epointsystem.org> In-Reply-To: <20050920053207.GA5245@epointsystem.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel A. Nagy wrote: > In order to design a successor to v4 key packet format, it is important to > first identify its shortcomings. Here's a list of my problems with it: Perhaps a pass at listing the problems in v4 ** would be a fair first phase. Here's a couple of issues (although I admit to not bit-peeping as much as I should, most of these are user/mgr level grumbles): 5. Too many integers and formats and what have you. There should be a base level of formats which should cover all requirements, and these should be flexible enough to do that job, while simple and short enough to be easily implementable and understandable. 6. PGP's feedback mode. There's no point to this. It's a thing that PRZ added in because he thought it was cool; he was wrong on that point && and it would make matters easier if the standard CBC modes that are described in all the textbooks were used. 7. Cipher suites, not algorithms. Although I like OpenPGP's tradition of opening up to experiments in algorithms and so forth, I think it is a pain for interoperability and implementation. It might be fine to demand the "right" to implement odd-length RSA with Ripem-666 hashes and the latest chinese cipher feedback modes over GOST encryption, but this is just plain stupidity at the software engineering level. As much as possible, I'd suggest that a cipher suites approach be used: Cipher suite #1 should fix the PK, the encryption algorithm, the hash, the feedback modes, and all that. When something breaks, deprecate the whole sodding lot, and move on to #2. Life was really good in the days up to pgp2.6. Then it all went to pot. We may never go back to those simple times, but we can attempt to simulate it by using cipher suites $$. (some of these points are contradictory at some level :-) iang PS **: if we are going to start discussing futures like v5, it might be easier to stick something in the subject so people know quickly that it does not effect the current doc. PS &&: This is not a criticism of him; nobody ever builds a perfect cryptosystem, and it falls to later disciples to carefully clean out the mistakes. PS $$: Allowing experimental cipher suites would be fine. Another trap to avoid is the SSL cipher suite rabbit explosion ... but that should be easy to do if we allow people to experiment with their own and only promote the really useful, strong ones. I.e., rejection of marginal improvements as a routine. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8L9iTJQ064154; Wed, 21 Sep 2005 02:44:29 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8L9iTDW064153; Wed, 21 Sep 2005 02:44:29 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8L9iRQF064146 for <ietf-openpgp@imc.org>; Wed, 21 Sep 2005 02:44:28 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 5A87A2B47E3; Wed, 21 Sep 2005 11:44:26 +0200 (CEST) Date: Wed, 21 Sep 2005 11:44:26 +0200 To: ietf-openpgp@imc.org Subject: Re: Interop grill-off Message-ID: <20050921094426.GA26811@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <20050920151705.GA14884@jabberwocky.com> <20050920160452.GB16991@epointsystem.org> <20050920171247.GD14884@jabberwocky.com> <20050920235332.GB28452@epointsystem.org> <20050921011053.GA15822@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050921011053.GA15822@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 09:10:53PM -0400, David Shaw wrote: > I'm all for getting these problems fixed, but we stand a better chance > of doing by working the actual problem. By all means, add some > clarifying text to the text for the issuer key ID subpacket, but > understand that won't change the keyserver situation. It's just two > different problems. Oh, there seems to be a misunderstanding between us, for which I should probably apologize. I never for a moment suggested that SKS's bad behavior was the result of the wording in RFC2440, though reading back, it might have indeed come across like I did. I simply listed interoperability problems that I have encountered that in my opinion resulted from not anticipating less obvious, yet perfectly RFC-compliant behavior. In this particular case, I have noted a minor possible ambiguity in the standard text, which, I repeat, should be obvious for anyone giving it a little thought. As an implementer myself, I have resorted to the same workarounds: canonizing public key packets before uploading to keyserver and using short key IDs. Also, I totally agree with you that clarification in the standard is not the way to fix this problem, but listing it as a known interoperability issue in the mailing list archive or even on some webpage dedicated to interoperability between OpenPGP applications (is that what Jon aims to do?) might help in two ways: culprits may eventually fix their bugs, and meanwhile others might avoid running into them. For example, if such a list existed when I coded the relevant parts of ePointPGP, it would have saved me a lot of time. I think, Jon's idea of an interop grill-off is an excellent opportunity for assembling such a list of known interoperability issues, before venturing into testing unknown, suspected ones. That said, SKS is by far the most standards-compliant HKP-compatible keyserver that I have seen. Others do horrible things to keys and search results. Since keyservers are (correctly) considered outside of security perimeters and should be treated as untrustworthy in any case, they tend to be the least carefully written and maintained applications in the OpenPGP world. That's just a fact of life, I guess, that we need to cope with. And again, apologies in case I have unintentionally offended someone. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8L1BBQw018181; Tue, 20 Sep 2005 18:11:11 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8L1BBAQ018180; Tue, 20 Sep 2005 18:11:11 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [204.127.198.43]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8L1B4g0018135 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 18:11:07 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc12) with ESMTP id <20050921011056014000qpm9e>; Wed, 21 Sep 2005 01:10:56 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8L1Av0m017334 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 21:10:57 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8L1AriR015973 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 21:10:53 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8L1Ar0P015972 for ietf-openpgp@imc.org; Tue, 20 Sep 2005 21:10:53 -0400 Date: Tue, 20 Sep 2005 21:10:53 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Interop grill-off Message-ID: <20050921011053.GA15822@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <20050920151705.GA14884@jabberwocky.com> <20050920160452.GB16991@epointsystem.org> <20050920171247.GD14884@jabberwocky.com> <20050920235332.GB28452@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920235332.GB28452@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 21, 2005 at 01:53:39AM +0200, Daniel A. Nagy wrote: > > Doing otherwise would be an absurd thing to do - the signing > > equivalent of putting the main key ID into a PKESK packet when > > encrypting to a subkey. If you can point to a single implementation > > that does this wrong, I'll immediately concede the point. > > Of course, I can't. This is why I am saying that SKS has an important > interoperability problem. It EXPECTS the wrong behavior, while nobody > actually does it. While it is true that SKS doesn't do long keyid searches for subkeys, and I agree this is suboptimal behavior, understand that this is not connected to what clients put in the issuer key ID subpacket. There has never been a client that put anything other than the signing key ID in the subpacket, and the SKS behavior is not based on some misreading of that point in the draft. Even if SKS started supporting long subkey ID searches tomorrow, it would not resolve this problem, as GnuPG doesn't provide long key IDs when speaking to any HKP-ish keyserver because there are still old PKS servers out that that just won't die. I believe PGP does the same thing. If you want long key ID searches, you need to use LDAP. Note that even those PKS servers that don't blow up completely on long key ID searches don't really do them either: they just pretend to, and ignore the upper 32 bits - try searching for 0x99242560 and 0x1111111199242560. PKS doesn't do subkey searches at all. I'm all for getting these problems fixed, but we stand a better chance of doing by working the actual problem. By all means, add some clarifying text to the text for the issuer key ID subpacket, but understand that won't change the keyserver situation. It's just two different problems. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KNrgfM012580; Tue, 20 Sep 2005 16:53:42 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KNrgM3012579; Tue, 20 Sep 2005 16:53:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KNrfJG012572 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 16:53:41 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 7791C2B4794; Wed, 21 Sep 2005 01:53:39 +0200 (CEST) Date: Wed, 21 Sep 2005 01:53:39 +0200 To: ietf-openpgp@imc.org Subject: Re: Interop grill-off Message-ID: <20050920235332.GB28452@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <20050920151705.GA14884@jabberwocky.com> <20050920160452.GB16991@epointsystem.org> <20050920171247.GD14884@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920171247.GD14884@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 01:12:47PM -0400, David Shaw wrote: > > No, it isn't. This becomes a major interoperability issue, when you use > > signature subkeys. It's not quite clear from RFC2440 wether the 8-byte > > signatory field sould point to the main key or the subkey, but in several > > implementations it points to the subkey, which actually made the signature > > (and this is the right behavior, IMHO). > > I don't know of *any* implementations that set the issuer subpacket to > anything other than the key that made the signature, as specified in > the RFC. You mean the actual subkey, right? Where is it specified in the RFC? The formulation "the key that made the signature" is a bit ambiguous, IMHO, but, of course, the sensible thing to do is obvious. > Doing otherwise would be an absurd thing to do - the signing > equivalent of putting the main key ID into a PKESK packet when > encrypting to a subkey. If you can point to a single implementation > that does this wrong, I'll immediately concede the point. Of course, I can't. This is why I am saying that SKS has an important interoperability problem. It EXPECTS the wrong behavior, while nobody actually does it. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KNlVIg012102; Tue, 20 Sep 2005 16:47:31 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KNlVB8012101; Tue, 20 Sep 2005 16:47:31 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KNlTV5012095 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 16:47:30 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id CDED12B4794; Wed, 21 Sep 2005 01:47:28 +0200 (CEST) Date: Wed, 21 Sep 2005 01:47:28 +0200 To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-ID: <20050920234728.GA28452@epointsystem.org> References: <20050920180219.74FE257EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920180219.74FE257EF5@finney.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 11:02:19AM -0700, "Hal Finney" wrote: > I'm not sure how other systems that implement DSS handle the issue of > validating public parameter certificates. It could be that OpenPGP is > the main user of DSA/DSS and nobody else worries about it. I know I've > seen X.509 certificate specs for DSS keys and they don't have the extra > information necessary (although strangely, X.509 Diffie-Hellman keys do > have it!). I guess they just assume that checks for legal DSS public > parameters are outside the scope of their spec. I know about one other major implementation of DSS, which is java.security by Sun Microsystems. Their key generation method uses pre-calculated moduli for the common key sizes, but one can turn that feature off and have the key generated from scratch (which takes a lot longer, of course). The certificates of the pre-calculated moduli are in a comment of the source code, which you may obtain from Sun upon request (they are very forthcoming about that, becasue they understand that openness is the basis of trust in crypto matters). -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KI8Wxp081482; Tue, 20 Sep 2005 11:08:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KI8Veb081480; Tue, 20 Sep 2005 11:08:32 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc14.comcast.net [216.148.227.89]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KI8VP7081473 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:08:31 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc14) with ESMTP id <2005092018082601400ohnkge>; Tue, 20 Sep 2005 18:08:26 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8KI8Q0m016079 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 14:08:26 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8KI8NoD015312 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 14:08:23 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8KI8Npr015311 for ietf-openpgp@imc.org; Tue, 20 Sep 2005 14:08:23 -0400 Date: Tue, 20 Sep 2005 14:08:23 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Information and meta-information Message-ID: <20050920180823.GB15299@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050831152646.GB31148@epointsystem.org> <8BADBD06-012A-44B0-A9A7-6BDAE8ED8E37@hhhh.org> <20050907233120.GA31910@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050907233120.GA31910@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, Sep 08, 2005 at 01:31:25AM +0200, Daniel A. Nagy wrote: > > On Wed, Sep 07, 2005 at 03:56:58PM -0700, Wim Lewis wrote: > > > The existing 'b', 't', etc. tags could then be defined as shorthands > > for particular MIME headers (content-type and charset). > > I disagree, because these tags convey a slightly different (lower-level) > meaning than the mime headers. Also, the above suggestion would be a > security hazard, since the literal packet's tag is not hashed and can be > therefore altered in a signed message, without breaking the signature. > PGP/MIME headers, on the other hand, are included in the hashed material, so > they are part of the signed message. > > > >I would suggest the following modification of RFC2440bis-14: > > > > Do you mean removing the 't' and 'u' tags? Or supplementing them with > > 'm'? > > Supplementing with 'm', of course. Removing 't' and 'b' tags (what's 'u'?) > would break almost everything. 't' = unspecified charset 'u' = utf-8 charset David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KI6xE9081386; Tue, 20 Sep 2005 11:06:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KI6xpD081385; Tue, 20 Sep 2005 11:06:59 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc13.comcast.net [216.148.227.118]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KI6wVk081375 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:06:59 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc13) with ESMTP id <200509201806530150043lfde>; Tue, 20 Sep 2005 18:06:53 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8KI6r0m016062 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 14:06:53 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8KI6pCt015306 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 14:06:51 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8KI6p7F015305 for ietf-openpgp@imc.org; Tue, 20 Sep 2005 14:06:51 -0400 Date: Tue, 20 Sep 2005 14:06:51 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Interop grill-off Message-ID: <20050920180651.GA15299@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050920173337.96E1A57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920173337.96E1A57EF5@finney.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 10:33:37AM -0700, "Hal Finney" wrote: > Perhaps we should clarify the language in the RFC to eliminate any > such ambiguity. 5.2.3.5, the Issuer subpacket, just says: > > The OpenPGP key ID of the key issuing the signature. > > We could add "If the signature is issued by a subkey then the key ID of > this subkey is used here instead of the key ID of the primary key." > > We do have similar language in 5.2 for PKESKs: > > - An eight-octet number that gives the key ID of the public key > that the session key is encrypted to. If the session key is > encrypted to a subkey then the key ID of this subkey is used > here instead of the key ID of the primary key. I think that is reasonable, but it would need to be mentioned in several places (in bis-14): 5.2.2 (V3 signatures), 5.2.3.5 (issuer subpacket), and 5.4 (Onepass signature packet). Perhaps something could be said in 3.3 (Key IDs) that covers them all? David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KI2Wnw081103; Tue, 20 Sep 2005 11:02:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KI2W2g081102; Tue, 20 Sep 2005 11:02:32 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KI2VeJ081095 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:02:31 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 74FE257EF5; Tue, 20 Sep 2005 11:02:19 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-Id: <20050920180219.74FE257EF5@finney.org> Date: Tue, 20 Sep 2005 11:02:19 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> There are a few differences between the OpenPGP requirements for DSA keys and those in the DSS spec. Usually, OpenPGP implementations do not use pre-calculated moduli for DSA keys. Likewise, OpenPGP does not require that DSA keys be generated by the method described in the DSS standard. This is the reason why we generally call them DSA keys and not DSS keys in the spec. Nevertheless we do follow the FIPS-186 recommendations for modulus sizes, as their advice is good. There are a few issues here. Pre-calculated moduli do have some advantages. Generating the modulus is the slow part of DSA keygen. With a pre-calculated modulus, all that is necessary to generate a key is to pick a random value x and do one exponentiation to generate y = g^x mod p. This can also save space in key distribution; if there is a widely shared modulus then only the y value has to be distributed for each key. There are a few disadvantages though. There are theoretical attacks where the body that generates the pre-calculated modulus can use "trapdoor" primes which allow faster calculation of discrete log. Anyone who generated a key using that shared modulus would be at risk of having his private key broken by the body which created that modulus. In order to protect users against this possibility, DSS specifies that the public parameters (p, q, g) be generated using a randomization technique which essentially eliminates the possibility of a trapdoor. But it also requires that a sort of "certificate" of the parameter generation be created and distributed, and that end users verify that certificate to make sure that the public parameters have no trapdoors. This is pretty complicated, and furthermore the general paranoia among much of OpenPGP's audience is likely to make them mistrust even shared parameters that are accompanied by such certificates. As a result OpenPGP has not pursued this approach. There are no OpenPGP data structures to share DSS public parameter certificates and nothing in the spec about creating DSS keys in the standard way, or sharing and verifying such certificates. So OpenPGP generally envisions DSA keys being generated with fresh public parameters for each key. Not only is this more secure and simpler, but it allows for the fast generation method I described in my mail yesterday, which uses sieving. Generating DSS moduli per FIPS-186 is relatively slow, and extending that method to larger prime sizes may become prohibitively slow. (Of course, if the FIPS-186 method is used with shared moduli, then keygen becomes very faster as I noted above, just a single exponentiation to calculate y.) I'm not sure how other systems that implement DSS handle the issue of validating public parameter certificates. It could be that OpenPGP is the main user of DSA/DSS and nobody else worries about it. I know I've seen X.509 certificate specs for DSS keys and they don't have the extra information necessary (although strangely, X.509 Diffie-Hellman keys do have it!). I guess they just assume that checks for legal DSS public parameters are outside the scope of their spec. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHdpGC078424; Tue, 20 Sep 2005 10:39:51 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KHdpJ7078423; Tue, 20 Sep 2005 10:39:51 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHdpMo078417 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 10:39:51 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 33F0957EF5; Tue, 20 Sep 2005 10:39:39 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Line spacing in normative references Message-Id: <20050920173939.33F0957EF5@finney.org> Date: Tue, 20 Sep 2005 10:39:39 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> A minor point, I notice that the spacing is inconsistent in the normative references. Some are separated by blank lines and some are not. It would look nicer to be consistent here. I don't know if some macro is misfiring or if we could clean it up and make it look better. Hal Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHXpgC077944; Tue, 20 Sep 2005 10:33:51 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KHXpt8077943; Tue, 20 Sep 2005 10:33:51 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHXog8077935 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 10:33:50 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 96E1A57EF5; Tue, 20 Sep 2005 10:33:37 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Interop grill-off Message-Id: <20050920173337.96E1A57EF5@finney.org> Date: Tue, 20 Sep 2005 10:33:37 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> David Shaw writes: > I don't know of *any* implementations that set the issuer subpacket to > anything other than the key that made the signature, as specified in > the RFC. Doing otherwise would be an absurd thing to do - the signing > equivalent of putting the main key ID into a PKESK packet when > encrypting to a subkey. If you can point to a single implementation > that does this wrong, I'll immediately concede the point. Perhaps we should clarify the language in the RFC to eliminate any such ambiguity. 5.2.3.5, the Issuer subpacket, just says: The OpenPGP key ID of the key issuing the signature. We could add "If the signature is issued by a subkey then the key ID of this subkey is used here instead of the key ID of the primary key." We do have similar language in 5.2 for PKESKs: - An eight-octet number that gives the key ID of the public key that the session key is encrypted to. If the session key is encrypted to a subkey then the key ID of this subkey is used here instead of the key ID of the primary key. This would make sure there is no ambiguity about which key ID to use. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHUu4T077688; Tue, 20 Sep 2005 10:30:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KHUuxq077687; Tue, 20 Sep 2005 10:30:56 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHUtH5077681 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 10:30:55 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.219] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 2289733C1B; Tue, 20 Sep 2005 18:30:54 +0100 (BST) Message-ID: <4330474D.6050800@algroup.co.uk> Date: Tue, 20 Sep 2005 18:30:53 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Daniel A. Nagy" <nagydani@epointsystem.org> CC: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050918001303.96B4F57EF5@finney.org> <20050918123430.GB6483@epointsystem.org> In-Reply-To: <20050918123430.GB6483@epointsystem.org> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel A. Nagy wrote: > It's important to keep in mind that DSS-style signatures are twice the hash > size. This is one of their nicest features; they do not grow with the > modulus. A signature of a 3072/256 key will be 512 bits (plus overhead). > > As for generating long modulae, it's not that big a problem, altough it has > to be noted that generating a modulus for DSA takes more than just > generating a prime that big; DSA moduli p are such that p-1 is divisible by > some large (hash-sized) q. The generation of such moduli takes substantially > longer than generating primes. For 3072/256 on a 500MHz intel, it would take > approx. three minutes, provided that the random stream is available without > waiting. > > On the other hand, the overwhelming majority of DSS implementations use > pre-calculated moduli, as there are no security hazards associated with > using a common modulus for DSS. When keys need to be generated frequently, > a pre-calculated modulus is the way to go. If one just needs to generate a > personal signature key for the next five years, one can wait three minutes, > in case they want to show off a self-generated modulus. Good point. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHCt60075515; Tue, 20 Sep 2005 10:12:55 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KHCtUa075514; Tue, 20 Sep 2005 10:12:55 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KHCtA9075504 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 10:12:55 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc13) with ESMTP id <200509201712490150044buue>; Tue, 20 Sep 2005 17:12:49 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8KHCn0m015844 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 13:12:49 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8KHClQH015190 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 13:12:47 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8KHCl3c015189 for ietf-openpgp@imc.org; Tue, 20 Sep 2005 13:12:47 -0400 Date: Tue, 20 Sep 2005 13:12:47 -0400 From: David Shaw <dshaw@jabberwocky.com> To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920171247.GD14884@jabberwocky.com> Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <20050920151705.GA14884@jabberwocky.com> <20050920160452.GB16991@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920160452.GB16991@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 06:04:57PM +0200, Daniel A. Nagy wrote: > > On Tue, Sep 20, 2005 at 11:17:05AM -0400, David Shaw wrote: > > > > 3. Some keyservers do not return matching keys, if searched by the long > > > (16 byte) key ID of a subkey. SKS is guilty of this. > > > > Isn't this a just SKS feature request? Nothing in the draft says > > anything about how keyservers work, or even that a UI must allow > > particular ways to search. > > No, it isn't. This becomes a major interoperability issue, when you use > signature subkeys. It's not quite clear from RFC2440 wether the 8-byte > signatory field sould point to the main key or the subkey, but in several > implementations it points to the subkey, which actually made the signature > (and this is the right behavior, IMHO). I don't know of *any* implementations that set the issuer subpacket to anything other than the key that made the signature, as specified in the RFC. Doing otherwise would be an absurd thing to do - the signing equivalent of putting the main key ID into a PKESK packet when encrypting to a subkey. If you can point to a single implementation that does this wrong, I'll immediately concede the point. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KGGYwN068600; Tue, 20 Sep 2005 09:16:34 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KGGYr9068599; Tue, 20 Sep 2005 09:16:34 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KGGXkc068590 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 09:16:33 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHkta-00029z-Kd for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 18:23:02 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHklM-0001lA-On; Tue, 20 Sep 2005 18:14:32 +0200 To: nagydani@epointsystem.org (Daniel A. Nagy) Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <87r7bk17ub.fsf@wheatstone.g10code.de> <20050920084757.GB24261@epointsystem.org> <87mzm8xem8.fsf@wheatstone.g10code.de> <20050920155001.GA16991@epointsystem.org> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Tue, 20 Sep 2005 18:14:32 +0200 In-Reply-To: <20050920155001.GA16991@epointsystem.org> (Daniel A. Nagy's message of "Tue, 20 Sep 2005 17:50:02 +0200") Message-ID: <87vf0vra1j.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 20 Sep 2005 17:50:02 +0200, Daniel A Nagy said: >> > more than one ESK? Does it try all of them with all the private keys, or >> >> --try-all-secrets applies only to PKESK to assume wildcard key IDs. > Right, but what if there are more of these (multiple recipients)? Yes, it tries all of them with all available secret keys. Salam-Shalom, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KG54GR067845; Tue, 20 Sep 2005 09:05:04 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KG54PW067844; Tue, 20 Sep 2005 09:05:04 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KG53rr067837 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 09:05:04 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 8AC422B480E; Tue, 20 Sep 2005 18:04:57 +0200 (CEST) Date: Tue, 20 Sep 2005 18:04:57 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920160452.GB16991@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <20050920151705.GA14884@jabberwocky.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920151705.GA14884@jabberwocky.com> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 11:17:05AM -0400, David Shaw wrote: > > 3. Some keyservers do not return matching keys, if searched by the long > > (16 byte) key ID of a subkey. SKS is guilty of this. > > Isn't this a just SKS feature request? Nothing in the draft says > anything about how keyservers work, or even that a UI must allow > particular ways to search. No, it isn't. This becomes a major interoperability issue, when you use signature subkeys. It's not quite clear from RFC2440 wether the 8-byte signatory field sould point to the main key or the subkey, but in several implementations it points to the subkey, which actually made the signature (and this is the right behavior, IMHO). In this case, databases of keys, be it local keyrings or remote keyservers MUST be indexed by subkey IDs as well, otherwise such signatures cannot be verified. For example, this SKS deficienci breaks interoperability (namely yautotmatic key retrieval) with GnuPG (and very possibly PGP), if signature subkeys are used. Signature subkeys have many uses, and although they are less popular than encryption subkeys (because of the default settings of pgp and gpg) their use is an important security measure allowing for changing the regularly used signing key without losing all certificatitons on the main key. They are also useful if the same user wishes to make signatures from different computers without risking too much. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KFo4EY066371; Tue, 20 Sep 2005 08:50:04 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KFo4YO066370; Tue, 20 Sep 2005 08:50:04 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KFo3Aj066361 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 08:50:03 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 6A7A52B47EA; Tue, 20 Sep 2005 17:50:02 +0200 (CEST) Date: Tue, 20 Sep 2005 17:50:02 +0200 To: Werner Koch <wk@gnupg.org>, OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920155001.GA16991@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <87r7bk17ub.fsf@wheatstone.g10code.de> <20050920084757.GB24261@epointsystem.org> <87mzm8xem8.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87mzm8xem8.fsf@wheatstone.g10code.de> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 11:39:11AM +0200, Werner Koch wrote: > On Tue, 20 Sep 2005 10:47:57 +0200, Daniel A Nagy said: > > > By the way, what does gpg do given the --try-all-secrets option, if there's > > more than one ESK? Does it try all of them with all the private keys, or > > --try-all-secrets applies only to PKESK to assume wildcard key IDs. Right, but what if there are more of these (multiple recipients)? -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KFHD6d062083; Tue, 20 Sep 2005 08:17:13 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KFHDDS062082; Tue, 20 Sep 2005 08:17:13 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from rwcrmhc12.comcast.net (rwcrmhc13.comcast.net [216.148.227.118]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KFHDp1062060 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 08:17:13 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (rwcrmhc13) with ESMTP id <2005092015170701500459u4e>; Tue, 20 Sep 2005 15:17:07 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8KFH60m015463 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:17:06 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8KFH5sU015061 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:17:05 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8KFH5dP015060 for ietf-openpgp@imc.org; Tue, 20 Sep 2005 11:17:05 -0400 Date: Tue, 20 Sep 2005 11:17:05 -0400 From: David Shaw <dshaw@jabberwocky.com> To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920151705.GA14884@jabberwocky.com> Mail-Followup-To: OpenPGP <ietf-openpgp@imc.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920065346.GA21364@epointsystem.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 08:53:46AM +0200, Daniel A. Nagy wrote: > 2. Some keyservers omit canonization before hashing the key packet. If the > key packet is shorter than 256 bytes (typically the case for 1024-bit RSA > keys) and uses the shortest possible packet header with a one-byte length, > the fingerprint and the key IDs are mis-calculated. PKS is guilty of this. This is a good one. I've seen this mistake made more than once, and not just in PKS. Incidentally, that bug in PKS was fixed quite a while ago. PKS had many problems, including miscalculating v4 RSA fingerprints, mangling keys with more than one subkey, discarding attribute ID packets, etc. Most of the worst have been fixed, but the point may be moot as so far as I know, PKS is not being developed any longer. > 3. Some keyservers do not return matching keys, if searched by the long > (16 byte) key ID of a subkey. SKS is guilty of this. Isn't this a just SKS feature request? Nothing in the draft says anything about how keyservers work, or even that a UI must allow particular ways to search. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KETTod055721; Tue, 20 Sep 2005 07:29:29 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8KETTcc055720; Tue, 20 Sep 2005 07:29:29 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8KETSsM055712 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 07:29:28 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 00EB15A79D; Tue, 20 Sep 2005 15:29:26 +0100 (BST) Message-ID: <43301CEC.2070500@systemics.com> Date: Tue, 20 Sep 2005 15:30:04 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Werner Koch <wk@gnupg.org> Cc: Ben Laurie <ben@algroup.co.uk>, Hal Finney <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> <432CAAC9.2050305@systemics.com> <432D4F13.6080703@algroup.co.uk> <432D712D.4060502@systemics.com> <871x3l790m.fsf@wheatstone.g10code.de> In-Reply-To: <871x3l790m.fsf@wheatstone.g10code.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Werner Koch wrote: > DSA 100 times sign verify > ----------------------------- > DSA 1024/160 910ms 430ms > DSA 2048/224 1560ms 1890ms > DSA 3072/256 3610ms 4380ms > > (The numbers for sign are not very reliable because it employs the > RNG and I could not adjust for it) > > 3072 takes more more than double the time of 2048 which is not too > bad. Compared to 1024 this is a real slowdown and would make key > signature verification a very time consuming operation. On slow > machines (embedded devices, older hardware) this would be very > annoying. Ah, ok, so this last point about slow / small hardware platforms makes sense. So we might be tempted to suggest that implementations SHOULD verify any of the three lengths, and let them choose which length to deliver for signing beyond the MUST of 1024/160. (Which is after all a minor side discussion in Hal's thread of whether to wait or not.) iang Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K9fX1N026576; Tue, 20 Sep 2005 02:41:33 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K9fXZx026575; Tue, 20 Sep 2005 02:41:33 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K9fWqP026564 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 02:41:32 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHejJ-0000Cl-OM for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:48:01 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHeal-0001JM-4Y; Tue, 20 Sep 2005 11:39:11 +0200 To: nagydani@epointsystem.org (Daniel A. Nagy) Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <87r7bk17ub.fsf@wheatstone.g10code.de> <20050920084757.GB24261@epointsystem.org> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Tue, 20 Sep 2005 11:39:11 +0200 In-Reply-To: <20050920084757.GB24261@epointsystem.org> (Daniel A. Nagy's message of "Tue, 20 Sep 2005 10:47:57 +0200") Message-ID: <87mzm8xem8.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 20 Sep 2005 10:47:57 +0200, Daniel A Nagy said: > By the way, what does gpg do given the --try-all-secrets option, if there's > more than one ESK? Does it try all of them with all the private keys, or --try-all-secrets applies only to PKESK to assume wildcard key IDs. Shalom-Salam, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K9aYSX025852; Tue, 20 Sep 2005 02:36:34 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K9aYwN025851; Tue, 20 Sep 2005 02:36:34 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K9aXss025843 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 02:36:33 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHeeV-0000Bs-0x for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:43:03 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHeW0-0001In-J1; Tue, 20 Sep 2005 11:34:16 +0200 To: nagydani@epointsystem.org (Daniel A. Nagy) Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Bigger DSA keys References: <20050920014429.2762157EF5@finney.org> <20050920083438.GA2105@bitchcake.off.net> <20050920085432.GC24261@epointsystem.org> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Tue, 20 Sep 2005 11:34:16 +0200 In-Reply-To: <20050920085432.GC24261@epointsystem.org> (Daniel A. Nagy's message of "Tue, 20 Sep 2005 10:54:32 +0200") Message-ID: <87r7bkxeuf.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 20 Sep 2005 10:54:32 +0200, Daniel A Nagy said: > DSS explicitly specifies how to generate primes for DSA keys. It can be > easily generalized for larger keys and other hash functions, and its > reasonable to assume that the new DSS will do that. FWIW, the Lim & Lee algorithm is newer than DSS. It was published in Crypto 97 whereas FIPS 186 was published in 1994. Salam-Shalom, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K9BY9p023014; Tue, 20 Sep 2005 02:11:34 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K9BYYA023013; Tue, 20 Sep 2005 02:11:34 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K9BXOQ022998 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 02:11:33 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHeGI-0008SP-T1 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 11:18:02 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHe5l-0001GH-KY; Tue, 20 Sep 2005 11:07:09 +0200 To: nagydani@epointsystem.org (Daniel A. Nagy) Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <87r7bk17ub.fsf@wheatstone.g10code.de> <20050920083955.GA24261@epointsystem.org> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Tue, 20 Sep 2005 11:07:09 +0200 In-Reply-To: <20050920083955.GA24261@epointsystem.org> (Daniel A. Nagy's message of "Tue, 20 Sep 2005 10:39:56 +0200") Message-ID: <87aci8151e.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 20 Sep 2005 10:39:56 +0200, Daniel A Nagy said: > I would suggest a completely different approach: try extracting a key from > each ESK (be it password-derived, password-encrypted or > asymmetcially encrypted), and use the one which inspires most confidence: Makes sense. We have not seen many pubkey/symkey encrypted messages in the wild thus the way we handle them is straightforward. Need to look at it closer. Thanks, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8sYFe021341; Tue, 20 Sep 2005 01:54:34 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K8sYJx021340; Tue, 20 Sep 2005 01:54:34 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8sX5j021333 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 01:54:33 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 85CF82B47E4; Tue, 20 Sep 2005 10:54:32 +0200 (CEST) Date: Tue, 20 Sep 2005 10:54:32 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Bigger DSA keys Message-ID: <20050920085432.GC24261@epointsystem.org> References: <20050920014429.2762157EF5@finney.org> <20050920083438.GA2105@bitchcake.off.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920083438.GA2105@bitchcake.off.net> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 04:34:38AM -0400, Adam Back wrote: > Could one not use the Lim Lee safe prime generation method for DSA? > > It has significant speed advantages. > > Adam DSS explicitly specifies how to generate primes for DSA keys. It can be easily generalized for larger keys and other hash functions, and its reasonable to assume that the new DSS will do that. My estimates were based on that specification. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8lxXC020408; Tue, 20 Sep 2005 01:47:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K8lx6X020407; Tue, 20 Sep 2005 01:47:59 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8lwr4020399 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 01:47:59 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id D1D9D2B47E3; Tue, 20 Sep 2005 10:47:57 +0200 (CEST) Date: Tue, 20 Sep 2005 10:47:57 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920084757.GB24261@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <87r7bk17ub.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87r7bk17ub.fsf@wheatstone.g10code.de> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 10:06:36AM +0200, Werner Koch wrote: > Due to gpg's streaming based design ... By the way, what does gpg do given the --try-all-secrets option, if there's more than one ESK? Does it try all of them with all the private keys, or just the first one? -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8dw0t019308; Tue, 20 Sep 2005 01:39:58 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K8dwh8019307; Tue, 20 Sep 2005 01:39:58 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8dvF4019300 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 01:39:57 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 4D1242B4794; Tue, 20 Sep 2005 10:39:56 +0200 (CEST) Date: Tue, 20 Sep 2005 10:39:56 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920083955.GA24261@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> <87r7bk17ub.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87r7bk17ub.fsf@wheatstone.g10code.de> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, Sep 20, 2005 at 10:06:36AM +0200, Werner Koch wrote: > On Tue, 20 Sep 2005 08:53:46 +0200, Daniel A Nagy said: > > > 4. Some implementations give up before trying all possible ways of > > decrypting a message. For example, GnuPG gives up if it encounters a > > passphrase-derived symmetric key specifier and the entered passphrase is > > wrong, even if it is followed by an asymmetrically encrypted symmetric key > > for which it does have access to the corresponding private decryption key. > > There are actually two problems: > > There is no way to cancel the input of a passphrase when using the > CLI, so that gpg can continue with other keys. When using the > gpg-agent, this is possible but a bug inhibited this - I just fixed > that one. I never thought of this as a problem, but maybe you're right. > The other problem is that we can't reliable decide whether the > passphrase is correct. The only way to do this is by looking at the > algorithm byte to check whether this gives a valid algorithm. This is > far form being reliable. Due to gpg's streaming based design with only > a very limited look-ahead we can't do a test decryption and roll back > if it does not work out. I would suggest a completely different approach: try extracting a key from each ESK (be it password-derived, password-encrypted or asymmetcially encrypted), and use the one which inspires most confidence: An asymmetrically decrypted key has an approx. 1 in 17 million chance of being incorrect, symmetrically encrypted keys have a roughly 1 in 20 chance of being incorrect, while there's absolutely no indication wheter a passphrase-derived secret key is correct or not. Thus, deriving a decryption key from a passphrase and then merrily proceeding to the decryption of the encrypted content is incorrect. A correct implementation should try to extract a key from each ESK, and in case of success (asymmetric decryption with leading 0 and correct checksum, symmetric encryption with valid algorithm id or any passphrase-derived key) replacing the tentative decryption key, if the new key inspires more confidence than the previous tentative key. Eventually, the last tentative key should be used for decryption. > A way to check early that the decryption worked would be needed to > solve the problem - I am not sure whether this is really needed given > the security implications of such a check. Yes, that's somewhat hazardous, indeed (although only in non-interactive applications). But it's not necessary, as explained above. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8YpAC018753; Tue, 20 Sep 2005 01:34:51 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K8YpXw018750; Tue, 20 Sep 2005 01:34:51 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.off.net (off.net [66.96.28.3]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8YoAg018743 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 01:34:50 -0700 (PDT) (envelope-from adam@mail.off.net) Received: by mail.off.net (Postfix, from userid 948) id 27EFD7704B2; Tue, 20 Sep 2005 04:34:41 -0400 (EDT) Received: by bitchcake.off.net (hashcash-sendmail, from uid 948); Tue, 20 Sep 2005 04:34:39 -0400 Date: Tue, 20 Sep 2005 04:34:38 -0400 From: Adam Back <adam@cypherspace.org> To: Hal Finney <hal@finney.org> Cc: ietf-openpgp@imc.org, Adam Back <adam@cypherspace.org> Subject: Re: Bigger DSA keys Message-ID: <20050920083438.GA2105@bitchcake.off.net> References: <20050920014429.2762157EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050920014429.2762157EF5@finney.org> User-Agent: Mutt/1.4.1i X-Hashcash: 1:20:050920:hal@finney.org::g1dJ0NQDtfHJjJ2E:jdO X-Hashcash: 1:20:050920:ietf-openpgp@imc.org::4zHziochWPpcMseH:QL+ X-Hashcash: 1:20:050920:adam@cypherspace.org::EvGICYX2COSvdnlE:9nEa Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Could one not use the Lim Lee safe prime generation method for DSA? It has significant speed advantages. Adam On Mon, Sep 19, 2005 at 06:44:29PM -0700, "Hal Finney" wrote: > As far as the issue of generating large DSA keys, a good algorithm to > use is the following. First generate an appropriately sized subgroup > prime q (160, 224, or 256 bits respectively). Then search for a prime > modulus p of the required size (1024, 2048 or 3072 bits) such that p is > one more than a multiple of q. Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8BgJo015860; Tue, 20 Sep 2005 01:11:42 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K8BgwU015859; Tue, 20 Sep 2005 01:11:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K8BXp2015847 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 01:11:36 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHdKE-00087C-F9 for <ietf-openpgp@imc.org>; Tue, 20 Sep 2005 10:18:02 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHd9A-0001CI-Ch; Tue, 20 Sep 2005 10:06:36 +0200 To: nagydani@epointsystem.org (Daniel A. Nagy) Cc: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> <20050920065346.GA21364@epointsystem.org> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Tue, 20 Sep 2005 10:06:36 +0200 In-Reply-To: <20050920065346.GA21364@epointsystem.org> (Daniel A. Nagy's message of "Tue, 20 Sep 2005 08:53:46 +0200") Message-ID: <87r7bk17ub.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Tue, 20 Sep 2005 08:53:46 +0200, Daniel A Nagy said: > 4. Some implementations give up before trying all possible ways of > decrypting a message. For example, GnuPG gives up if it encounters a > passphrase-derived symmetric key specifier and the entered passphrase is > wrong, even if it is followed by an asymmetrically encrypted symmetric key > for which it does have access to the corresponding private decryption key. There are actually two problems: There is no way to cancel the input of a passphrase when using the CLI, so that gpg can continue with other keys. When using the gpg-agent, this is possible but a bug inhibited this - I just fixed that one. The other problem is that we can't reliable decide whether the passphrase is correct. The only way to do this is by looking at the algorithm byte to check whether this gives a valid algorithm. This is far form being reliable. Due to gpg's streaming based design with only a very limited look-ahead we can't do a test decryption and roll back if it does not work out. A way to check early that the decryption worked would be needed to solve the problem - I am not sure whether this is really needed given the security implications of such a check. Salam-Shalom, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K6rmRk006714; Mon, 19 Sep 2005 23:53:48 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K6rmoK006713; Mon, 19 Sep 2005 23:53:48 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K6rlx3006704 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 23:53:47 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 8F2D02B47EE; Tue, 20 Sep 2005 08:53:46 +0200 (CEST) Date: Tue, 20 Sep 2005 08:53:46 +0200 To: OpenPGP <ietf-openpgp@imc.org> Subject: Re: Interop grill-off Message-ID: <20050920065346.GA21364@epointsystem.org> References: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Mon, Sep 19, 2005 at 02:05:19PM -0700, Jon Callas wrote: > I think it would be good for us to have some sort of interoperability > test and event. Putting on my PGP Corporation hat, I'm happy to > sponsor it. However, it doesn't *have* to be a physical event. Does > anyone else think it would be a good idea? Does anyone want to help > put it on, come up with test cases, that sort of thing? How about simply posting test cases with descriptions here, and testing on various OpenPGP implementations, also posting the results to the mailing list. Then you (or someone else) could post a summary here and/or to some webpage. I'm also wondering what are you more after: unusual data conforming to RFC2400 (or RFC2440bis) or slight (but logical) deviations, extensions? I guess, many of us have already identified interoperability problems. Would it make sense to collect them first, before going into testing questionable cases? Here's my list of problematic cases that I have encountered: (offenders: HushMail, PKS, SKS, GnuPG) 1. HushMail's idea of signed and encrypted messages is encrypting a clearsigned message as canonical text, including the message boundary and the armored signature. Other applications usually don't verify the signature, though, of course, it's easy to do "by hand" (by running a second pass). In the other direction, it's worse: HushMail decrypts the properly signed and encrypted message, but keeps silent about the one-pass signature within the encrypted payload; the message is identified as encrypted but not signed. 2. Some keyservers omit canonization before hashing the key packet. If the key packet is shorter than 256 bytes (typically the case for 1024-bit RSA keys) and uses the shortest possible packet header with a one-byte length, the fingerprint and the key IDs are mis-calculated. PKS is guilty of this. 3. Some keyservers do not return matching keys, if searched by the long (16 byte) key ID of a subkey. SKS is guilty of this. 4. Some implementations give up before trying all possible ways of decrypting a message. For example, GnuPG gives up if it encounters a passphrase-derived symmetric key specifier and the entered passphrase is wrong, even if it is followed by an asymmetrically encrypted symmetric key for which it does have access to the corresponding private decryption key. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K5Wcte097177; Mon, 19 Sep 2005 22:32:38 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K5WcRp097176; Mon, 19 Sep 2005 22:32:38 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K5Wbeb097169 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 22:32:38 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 68D102B47DD; Tue, 20 Sep 2005 07:32:31 +0200 (CEST) Date: Tue, 20 Sep 2005 07:32:31 +0200 To: ietf-openpgp@imc.org Subject: Problems with v4 key packet format Message-ID: <20050920053207.GA5245@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> In order to design a successor to v4 key packet format, it is important to first identify its shortcomings. Here's a list of my problems with it: 1. No cryptographic binding between the encrypted private key material and the public key material. This results in a serious security issue, by allowing an attacker to replace the public material thus compromising the private material with the first use in the signature. There are various stop-gap measures to deal with this attack, but the only sure protetction would be some MDC binding together the private and the public key material. 2. No explicit count of MPIs constituting the key material (both public and private). This information can only be inferred from the algorithm specifier, meaning that any implementation that wants to perform key management must have some rudimentary knowledge about all public key algorithms. This, in turn, hampers forward-compatibility. 3. Key fingerprint depends on data unrelated to the actual key (namely: creation date). This prevents solutions when signature keys are generated on the fly (e.g. directly from a passphrase), as the key creation (or, in this case, key registration) date is not available at the time of signing, thus making it impossible to put am unambiguous reference to the public key into the signature. 4. More generally, creation time does not belong to the key packet. Because it is just an attribute of the key as any other, thus belonging to certificatiton signature sub-packets, rather than the key packet. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K1ijx0076488; Mon, 19 Sep 2005 18:44:45 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K1ijaY076487; Mon, 19 Sep 2005 18:44:45 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K1ii71076478 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 18:44:44 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 2762157EF5; Mon, 19 Sep 2005 18:44:29 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-Id: <20050920014429.2762157EF5@finney.org> Date: Mon, 19 Sep 2005 18:44:29 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> As far as the issue of generating large DSA keys, a good algorithm to use is the following. First generate an appropriately sized subgroup prime q (160, 224, or 256 bits respectively). Then search for a prime modulus p of the required size (1024, 2048 or 3072 bits) such that p is one more than a multiple of q. The trick is to make that second search fast. Typically a fast prime search is done in two phases: first sieving out multiples of small primes to identify prime candidates, then a slower probabilistic primality test to find a good prime. The key for DSA keys is that sieving can still be used even when looking for primes which are of the form qk+1. Usually when sieving is done, the method already takes into consideration that the prime must be odd. So it already adjusts for the fact that the number is of the form 2k+1. The same basic approach works for primes of the form qk+1 as well. Since q is relatively prime to all of the primes being sieved by, for a prime "j" we will eliminate every jth item. The only question is where is the starting point for eliminating such items in the sieve. This comes down to computing q mod j. Doing this one extra step for each prime j being sieved by, allows the basic sieve concept to still be used. This method allows DSA primes to be found about as quickly as ordinary primes of the same size. The extra time to find the q prime is small, and the sieve can run about as fast. So generating such large primes is not particularly costly or difficult. In contrast, finding "strong" primes p such that (p-1)/2 is also prime does tend to be slow. I think there is a trick to do it using a double sieve but it is still much slower than finding regular primes. DSA primes do not suffer from this deficiency. Hal Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K0UfPI069344; Mon, 19 Sep 2005 17:30:41 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8K0Uf3W069343; Mon, 19 Sep 2005 17:30:41 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8K0Uf9R069337 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 17:30:41 -0700 (PDT) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6) for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 17:30:40 -0700 Received: from [172.16.1.2] ([72.254.169.116]) by keys.merrymeet.com (PGP Universal service); Mon, 19 Sep 2005 17:30:40 -0700 X-PGP-Universal: processed; by keys.merrymeet.com on Mon, 19 Sep 2005 17:30:40 -0700 Mime-Version: 1.0 (Apple Message framework v734) Content-Transfer-Encoding: 7bit Message-Id: <1B9BCC4C-4753-43B3-A94C-08E6FC8C706C@callas.org> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed To: OpenPGP <ietf-openpgp@imc.org> From: Jon Callas <jon@callas.org> Subject: Interop grill-off Date: Mon, 19 Sep 2005 14:05:19 -0700 X-Mailer: Apple Mail (2.734) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I think it would be good for us to have some sort of interoperability test and event. Putting on my PGP Corporation hat, I'm happy to sponsor it. However, it doesn't *have* to be a physical event. Does anyone else think it would be a good idea? Does anyone want to help put it on, come up with test cases, that sort of thing? Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JHxx0N037066; Mon, 19 Sep 2005 10:59:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8JHxxa5037065; Mon, 19 Sep 2005 10:59:59 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JHxwsm037059 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 10:59:58 -0700 (PDT) (envelope-from jon@callas.org) Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.6); Mon, 19 Sep 2005 10:59:57 -0700 Received: from [10.240.12.188] ([208.54.15.1]) by keys.merrymeet.com (PGP Universal service); Mon, 19 Sep 2005 10:59:57 -0700 X-PGP-Universal: processed; by keys.merrymeet.com on Mon, 19 Sep 2005 10:59:57 -0700 In-Reply-To: <20050916224113.6004C57EF5@finney.org> References: <20050916224113.6004C57EF5@finney.org> Mime-Version: 1.0 (Apple Message framework v734) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <3253EF24-1377-43A1-A348-9AB7872A5658@callas.org> Cc: ietf-openpgp@imc.org Content-Transfer-Encoding: 7bit From: Jon Callas <jon@callas.org> Subject: Re: Bigger DSA keys Date: Mon, 19 Sep 2005 10:59:54 -0700 To: Hal Finney <hal@finney.org> X-Mailer: Apple Mail (2.734) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 16 Sep 2005, at 3:41 PM, Hal Finney wrote: > > I have it on good authority that NIST will be announcing larger size > DSS keys soon. According to my source, the date will be by the end > of October. > We've been waiting for this for years. I think it's important enough to warrant a change in last call for. Jon Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JHbM59035140; Mon, 19 Sep 2005 10:37:22 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8JHbMTY035139; Mon, 19 Sep 2005 10:37:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JHbL0u035131 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 10:37:21 -0700 (PDT) (envelope-from nagydani@epointsystem.org) From: nagydani@epointsystem.org Received: by mail.epointsystem.org (Postfix, from userid 1001) id 3FD952B480E; Mon, 19 Sep 2005 19:37:18 +0200 (CEST) Date: Mon, 19 Sep 2005 19:34:20 +0200 To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-ID: <20050919173420.GA26064@epointsystem.org> References: <20050916224113.6004C57EF5@finney.org> <20050919130136.GF9545@jabberwocky.com> <8764sx3ylw.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8764sx3ylw.fsf@wheatstone.g10code.de> User-Agent: Mutt/1.5.6+20040907i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Mon, Sep 19, 2005 at 04:45:31PM +0200, Werner Koch wrote: > > On Mon, 19 Sep 2005 09:01:37 -0400, David Shaw said: > > > So at least from the graceful failure perspective in GnuPG, it doesn't > > really matter much which way we go. I prefer the first option (using > > the current algorithm number) since it seems cleanest in both code and > > However this does also means that another hash algorithm needs to be a > MUST algorithm - unless we limit the MUST support for DSA to 1024 bits > keys. > > The need for another algorithm makes a big difference for emdedded > applications. Ofen the threat model does not require > high budget spook proof algorithms. I fully agree with that. I would limit the MUST support to plain old SHA1 and 1024bit DSA for the time being. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JHZL7X035009; Mon, 19 Sep 2005 10:35:21 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8JHZLbQ035008; Mon, 19 Sep 2005 10:35:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JHZJjP035001 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 10:35:20 -0700 (PDT) (envelope-from nagydani@epointsystem.org) From: nagydani@epointsystem.org Received: by mail.epointsystem.org (Postfix, from userid 1001) id 513052B4810; Mon, 19 Sep 2005 19:35:18 +0200 (CEST) Date: Mon, 19 Sep 2005 19:34:20 +0200 To: Werner Koch <wk@gnupg.org> Subject: Re: Bigger DSA keys Message-ID: <20050919173420.GA26064@epointsystem.org> References: <20050916224113.6004C57EF5@finney.org> <20050919130136.GF9545@jabberwocky.com> <8764sx3ylw.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8764sx3ylw.fsf@wheatstone.g10code.de> User-Agent: Mutt/1.5.6+20040907i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Mon, Sep 19, 2005 at 04:45:31PM +0200, Werner Koch wrote: > > On Mon, 19 Sep 2005 09:01:37 -0400, David Shaw said: > > > So at least from the graceful failure perspective in GnuPG, it doesn't > > really matter much which way we go. I prefer the first option (using > > the current algorithm number) since it seems cleanest in both code and > > However this does also means that another hash algorithm needs to be a > MUST algorithm - unless we limit the MUST support for DSA to 1024 bits > keys. > > The need for another algorithm makes a big difference for emdedded > applications. Ofen the threat model does not require > high budget spook proof algorithms. I fully agree with that. I would limit the MUST support to plain old SHA1 and 1024bit DSA for the time being. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JF8IFj019207; Mon, 19 Sep 2005 08:08:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8JF8Ixt019206; Mon, 19 Sep 2005 08:08:18 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JF8HKf019195 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 08:08:18 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (sccrmhc13) with ESMTP id <2005091915080801300ab7qke>; Mon, 19 Sep 2005 15:08:12 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8JF8D0m010531 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 11:08:13 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8JF87vT012077 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 11:08:07 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8JF87VV012076 for ietf-openpgp@imc.org; Mon, 19 Sep 2005 11:08:07 -0400 Date: Mon, 19 Sep 2005 11:08:07 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-ID: <20050919150807.GC12013@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050916224113.6004C57EF5@finney.org> <20050919130136.GF9545@jabberwocky.com> <8764sx3ylw.fsf@wheatstone.g10code.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8764sx3ylw.fsf@wheatstone.g10code.de> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Mon, Sep 19, 2005 at 04:45:31PM +0200, Werner Koch wrote: > > On Mon, 19 Sep 2005 09:01:37 -0400, David Shaw said: > > > So at least from the graceful failure perspective in GnuPG, it doesn't > > really matter much which way we go. I prefer the first option (using > > the current algorithm number) since it seems cleanest in both code and > > However this does also means that another hash algorithm needs to be a > MUST algorithm - unless we limit the MUST support for DSA to 1024 bits > keys. Yes. I'm not against limiting the MUST support to 1024/160 DSA. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JEpW9r017208; Mon, 19 Sep 2005 07:51:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8JEpWTZ017207; Mon, 19 Sep 2005 07:51:32 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JEpVXl017199 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 07:51:32 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHN5l-0003Hw-32 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 16:58:01 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHMtf-0005cI-Im for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 16:45:31 +0200 To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> <20050919130136.GF9545@jabberwocky.com> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Mon, 19 Sep 2005 16:45:31 +0200 In-Reply-To: <20050919130136.GF9545@jabberwocky.com> (David Shaw's message of "Mon, 19 Sep 2005 09:01:37 -0400") Message-ID: <8764sx3ylw.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Mon, 19 Sep 2005 09:01:37 -0400, David Shaw said: > So at least from the graceful failure perspective in GnuPG, it doesn't > really matter much which way we go. I prefer the first option (using > the current algorithm number) since it seems cleanest in both code and However this does also means that another hash algorithm needs to be a MUST algorithm - unless we limit the MUST support for DSA to 1024 bits keys. The need for another algorithm makes a big difference for emdedded applications. Ofen the threat model does not require high budget spook proof algorithms. Shalom-Salam, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JD1i44008974; Mon, 19 Sep 2005 06:01:44 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8JD1ii7008973; Mon, 19 Sep 2005 06:01:44 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8JD1irS008956 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 06:01:44 -0700 (PDT) (envelope-from dshaw@jabberwocky.com) Received: from walrus.hsd1.ma.comcast.net ([24.60.132.70]) by comcast.net (sccrmhc12) with ESMTP id <2005091913013801200qnirre>; Mon, 19 Sep 2005 13:01:38 +0000 Received: from grover.jabberwocky.com (grover.jabberwocky.com [172.24.84.28]) by walrus.hsd1.ma.comcast.net (8.12.8/8.12.8) with ESMTP id j8JD1g0m009958 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 09:01:42 -0400 Received: from grover.jabberwocky.com (grover.jabberwocky.com [127.0.0.1]) by grover.jabberwocky.com (8.13.1/8.13.1) with ESMTP id j8JD1bFw011779 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 09:01:37 -0400 Received: (from dshaw@localhost) by grover.jabberwocky.com (8.13.1/8.13.1/Submit) id j8JD1bJ3011778 for ietf-openpgp@imc.org; Mon, 19 Sep 2005 09:01:37 -0400 Date: Mon, 19 Sep 2005 09:01:37 -0400 From: David Shaw <dshaw@jabberwocky.com> To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-ID: <20050919130136.GF9545@jabberwocky.com> Mail-Followup-To: ietf-openpgp@imc.org References: <20050916224113.6004C57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050916224113.6004C57EF5@finney.org> OpenPGP: id=99242560; url=http://www.jabberwocky.com/david/keys.asc User-Agent: Mutt/1.5.8i Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, Sep 16, 2005 at 03:41:13PM -0700, "Hal Finney" wrote: > One issue is how best to incorporate these new key sizes. As I see it, > there are three alternatives. > > 1. Just use the new sizes with the existing DSA keys. Instead of only > 512-1024 bits, let DSA keys also be 2048 and 3072 bits, and enforce the > proper hash algorithms in software. > > 2. Use a new algorithm ID for the new DSA keys, which would be only > for 2048 and 3072 bits. The old algorithm ID would continue to be > used for old DSA keys. > > 3. Use a new key packet version number for the new DSA keys, V5. > Perhaps V5 keys could use a SHA-256 based fingerprint. This would > represent a clean break from the old way. > > The first alternative would involve the least change to the spec, just > changes to the information about how to sign and verify with DSA keys. > The second alternative would require adding much the same material > but with the handling of the new algorithm ID called out separately. > It would probably duplicate some of the information on old-style DSA keys. > > The third alternative is the most ambitious and is not feasible for > RFC2440bis IMO. We could still go to a V5 key packet at some point in > the future anyway, and perhaps do other improvements at that time. I am a big fan of V5 keys (see http://www.imc.org/ietf-openpgp/mail-archive/msg09274.html), and I love the clean break, but I feel that if the new DSA was tied to V5 then discussions and design for a good V5 key format would delay availability of the new DSA in the field for an excessively long amount of time. People have been asking for a better DSA for a long time now, so it seems a shame to delay it further. I'm all for planning V5 of course, just not tied to the new DSA. > Between the first two, I would propose to decide largely on the basis of > backwards compatibility. Obviously signatures made with new-style DSA > keys will not be verifiable in old code. The question is how gracefully > existing implementations will fail when presented with such keys and > signatures, in either the first or second form. Testing on current > implementations could provide guidance as to which way of making the > change will cause the least trouble. Presuming that the size of q will change from 160 to 224 or 256 in the new key, importing a DSA key to GnuPG with the current algorithm number and a q that is not 160 bits or importing a new-style DSA key with a new algorithm number fails more or less gracefully in either case. So at least from the graceful failure perspective in GnuPG, it doesn't really matter much which way we go. I prefer the first option (using the current algorithm number) since it seems cleanest in both code and standard. David Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8J8aYDC009527; Mon, 19 Sep 2005 01:36:34 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8J8aYgh009526; Mon, 19 Sep 2005 01:36:34 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8J8aW20009471 for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 01:36:32 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EHHEq-0001XX-ST for <ietf-openpgp@imc.org>; Mon, 19 Sep 2005 10:43:00 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EHH4b-00055q-IL; Mon, 19 Sep 2005 10:32:25 +0200 To: Ian G <iang@systemics.com> Cc: Ben Laurie <ben@algroup.co.uk>, Hal Finney <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> <432CAAC9.2050305@systemics.com> <432D4F13.6080703@algroup.co.uk> <432D712D.4060502@systemics.com> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Mon, 19 Sep 2005 10:32:25 +0200 In-Reply-To: <432D712D.4060502@systemics.com> (Ian G.'s message of "Sun, 18 Sep 2005 14:52:45 +0100") Message-ID: <871x3l790m.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Sun, 18 Sep 2005 14:52:45 +0100, Ian G said: >> How about because generating 2048 bit primes already takes long >> enough, and 3072 takes ages? > Numbers? A quick test shows about 4 seconds for 2048 bit and 21 seconds for 3072. However this includes the time required to gather enough randomness; further tests took much longer very likely due to a lack of entropy in the machine. Most applications don't need to generate keys very ofthen, thus this should not be a problem. OTOH, verification is used very often. Here are number from Libgcrypt: DSA 100 times sign verify ----------------------------- DSA 1024/160 910ms 430ms DSA 2048/224 1560ms 1890ms DSA 3072/256 3610ms 4380ms (The numbers for sign are not very reliable because it employs the RNG and I could not adjust for it) 3072 takes more more than double the time of 2048 which is not too bad. Compared to 1024 this is a real slowdown and would make key signature verification a very time consuming operation. On slow machines (embedded devices, older hardware) this would be very annoying. Shalom-Salam, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8IClk7h099402; Sun, 18 Sep 2005 05:47:46 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8IClkXF099401; Sun, 18 Sep 2005 05:47:46 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8IClj9b099395 for <ietf-openpgp@imc.org>; Sun, 18 Sep 2005 05:47:46 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 57D8B2B47D5; Sun, 18 Sep 2005 14:47:38 +0200 (CEST) Date: Sun, 18 Sep 2005 14:47:38 +0200 To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-ID: <20050918124733.GC6483@epointsystem.org> References: <20050916224113.6004C57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050916224113.6004C57EF5@finney.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Fri, Sep 16, 2005 at 03:41:13PM -0700, "Hal Finney" wrote: > The new DSS keys will, according to what I have heard, be for two sizes: > 2048 and 3072 bits, and will use SHA-224 and SHA-256 respectively. > (SHA-224 is not presently an OpenPGP algorithm; it is basically a > truncated version of SHA-256 with a different internal initial value). > This will allow for larger keys and use a different hash than SHA-1. For this reason, I'd agree with Ian and just ignore the 2048/224 key specification. Too much trouble for no gain. > 1. Just use the new sizes with the existing DSA keys. Instead of only > 512-1024 bits, let DSA keys also be 2048 and 3072 bits, and enforce the > proper hash algorithms in software. I like this solution. If old implementations do not do very silly things when encountering such signatures (e.g. claiming them to be bad signatures as opposed to unverifiable), it is the cleanest way to go about it. > 2. Use a new algorithm ID for the new DSA keys, which would be only > for 2048 and 3072 bits. The old algorithm ID would continue to be > used for old DSA keys. This approach would eat up the algorithm identifier space and provide very little advantage. It is reasonable to expect new DSS key specifications every decade, if NIST continues its current practices. > 3. Use a new key packet version number for the new DSA keys, V5. > Perhaps V5 keys could use a SHA-256 based fingerprint. This would > represent a clean break from the old way. Let's wait with that. There are several problems with the v4 key formats and using SHA-256 for fingerprinting is not necessarily a good idea, given that its design is quickly becoming obsolete. > Between the first two, I would propose to decide largely on the basis of > backwards compatibility. Obviously signatures made with new-style DSA > keys will not be verifiable in old code. The question is how gracefully > existing implementations will fail when presented with such keys and > signatures, in either the first or second form. Testing on current > implementations could provide guidance as to which way of making the > change will cause the least trouble. That's a very reasonable suggestion. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8ICYgqv098612; Sun, 18 Sep 2005 05:34:42 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8ICYgGf098611; Sun, 18 Sep 2005 05:34:42 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8ICYfci098604 for <ietf-openpgp@imc.org>; Sun, 18 Sep 2005 05:34:41 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 127E82B4812; Sun, 18 Sep 2005 14:34:40 +0200 (CEST) Date: Sun, 18 Sep 2005 14:34:39 +0200 To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-ID: <20050918123430.GB6483@epointsystem.org> References: <20050918001303.96B4F57EF5@finney.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050918001303.96B4F57EF5@finney.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> It's important to keep in mind that DSS-style signatures are twice the hash size. This is one of their nicest features; they do not grow with the modulus. A signature of a 3072/256 key will be 512 bits (plus overhead). As for generating long modulae, it's not that big a problem, altough it has to be noted that generating a modulus for DSA takes more than just generating a prime that big; DSA moduli p are such that p-1 is divisible by some large (hash-sized) q. The generation of such moduli takes substantially longer than generating primes. For 3072/256 on a 500MHz intel, it would take approx. three minutes, provided that the random stream is available without waiting. On the other hand, the overwhelming majority of DSS implementations use pre-calculated moduli, as there are no security hazards associated with using a common modulus for DSS. When keys need to be generated frequently, a pre-calculated modulus is the way to go. If one just needs to generate a personal signature key for the next five years, one can wait three minutes, in case they want to show off a self-generated modulus. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8ICAbK5097176; Sun, 18 Sep 2005 05:10:37 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8ICAbLd097175; Sun, 18 Sep 2005 05:10:37 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8ICAXw0097165 for <ietf-openpgp@imc.org>; Sun, 18 Sep 2005 05:10:35 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 2D08933C1A; Sun, 18 Sep 2005 13:10:28 +0100 (BST) Message-ID: <432D5936.5020701@algroup.co.uk> Date: Sun, 18 Sep 2005 13:10:30 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ian G <iang@systemics.com> CC: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> <432CAAC9.2050305@systemics.com> <432D4F13.6080703@algroup.co.uk> <432D712D.4060502@systemics.com> In-Reply-To: <432D712D.4060502@systemics.com> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Ian G wrote: > Ben Laurie wrote: > >> Ian G wrote: >> >>> Hal Finney wrote: >>> >>>> The new DSS keys will, according to what I have heard, be for two >>>> sizes: >>>> 2048 and 3072 bits, and will use SHA-224 and SHA-256 respectively. >>>> (SHA-224 is not presently an OpenPGP algorithm; it is basically a >>>> truncated version of SHA-256 with a different internal initial value). >>>> This will allow for larger keys and use a different hash than SHA-1. >>> >>> >>> >>> (assuming we do it,) I would suggest we ditch the 2048/224 >>> and just implement the 3072/256. >>> >>> (We could add the other one as a MAY ... but I can't see >>> the point of it. Sure NIST may split hairs on it, but >>> let's save ourselves the doco and the discussion and >>> just do the better one.) >> >> >> >> How about because generating 2048 bit primes already takes long >> enough, and 3072 takes ages? > > > Numbers? I was going to provide them, but accurate numbers for DSA is difficult, because it requires modifying the core code in OpenSSL (or some other DSA generator), and I couldn't be bothered. One can get a feel for it with: time openssl gendh <number of bits> which takes a long time. Long enough that I didn't wait for it to finish before hitting send. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8IBsf5Z096360; Sun, 18 Sep 2005 04:54:41 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8IBsfD8096359; Sun, 18 Sep 2005 04:54:41 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8IBseow096352 for <ietf-openpgp@imc.org>; Sun, 18 Sep 2005 04:54:40 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id F2400417BB; Sun, 18 Sep 2005 12:54:29 +0100 (BST) Message-ID: <432D712D.4060502@systemics.com> Date: Sun, 18 Sep 2005 14:52:45 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ben Laurie <ben@algroup.co.uk> Cc: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> <432CAAC9.2050305@systemics.com> <432D4F13.6080703@algroup.co.uk> In-Reply-To: <432D4F13.6080703@algroup.co.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Ben Laurie wrote: > Ian G wrote: > >> Hal Finney wrote: >> >>> The new DSS keys will, according to what I have heard, be for two sizes: >>> 2048 and 3072 bits, and will use SHA-224 and SHA-256 respectively. >>> (SHA-224 is not presently an OpenPGP algorithm; it is basically a >>> truncated version of SHA-256 with a different internal initial value). >>> This will allow for larger keys and use a different hash than SHA-1. >> >> >> (assuming we do it,) I would suggest we ditch the 2048/224 >> and just implement the 3072/256. >> >> (We could add the other one as a MAY ... but I can't see >> the point of it. Sure NIST may split hairs on it, but >> let's save ourselves the doco and the discussion and >> just do the better one.) > > > How about because generating 2048 bit primes already takes long enough, > and 3072 takes ages? Numbers? iang Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8IBRNYt094610; Sun, 18 Sep 2005 04:27:23 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8IBRNTa094609; Sun, 18 Sep 2005 04:27:23 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.links.org (mail.links.org [217.155.92.109]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8IBRIuw094600 for <ietf-openpgp@imc.org>; Sun, 18 Sep 2005 04:27:21 -0700 (PDT) (envelope-from ben@algroup.co.uk) Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id 49B8933C1A; Sun, 18 Sep 2005 12:27:13 +0100 (BST) Message-ID: <432D4F13.6080703@algroup.co.uk> Date: Sun, 18 Sep 2005 12:27:15 +0100 From: Ben Laurie <ben@algroup.co.uk> User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ian G <iang@systemics.com> CC: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> <432CAAC9.2050305@systemics.com> In-Reply-To: <432CAAC9.2050305@systemics.com> X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Ian G wrote: > Hal Finney wrote: >> The new DSS keys will, according to what I have heard, be for two sizes: >> 2048 and 3072 bits, and will use SHA-224 and SHA-256 respectively. >> (SHA-224 is not presently an OpenPGP algorithm; it is basically a >> truncated version of SHA-256 with a different internal initial value). >> This will allow for larger keys and use a different hash than SHA-1. > > (assuming we do it,) I would suggest we ditch the 2048/224 > and just implement the 3072/256. > > (We could add the other one as a MAY ... but I can't see > the point of it. Sure NIST may split hairs on it, but > let's save ourselves the doco and the discussion and > just do the better one.) How about because generating 2048 bit primes already takes long enough, and 3072 takes ages? -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8I0DSDm042721; Sat, 17 Sep 2005 17:13:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8I0DSwB042720; Sat, 17 Sep 2005 17:13:28 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8I0DR9C042713 for <ietf-openpgp@imc.org>; Sat, 17 Sep 2005 17:13:27 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 96B4F57EF5; Sat, 17 Sep 2005 17:13:03 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys Message-Id: <20050918001303.96B4F57EF5@finney.org> Date: Sat, 17 Sep 2005 17:13:03 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Ian Grigg writes: > (assuming we do it,) I would suggest we ditch the 2048/224 > and just implement the 3072/256. > > (We could add the other one as a MAY ... but I can't see > the point of it. Sure NIST may split hairs on it, but > let's save ourselves the doco and the discussion and > just do the better one.) > ... > I don't think it is that easy. SHAs are under a cloud, > and until we get some more definitive info on the new > hardware factoring, even the numbers suggested above > won't satisfy all the extremists. Consider that the > extreme community considers 4096 to be a minimum, and > all the news is supporting them at the moment; also, > NIST's hash work has been controversial (SHA0, SHA2 > being just an "extension" ...), I'd like to see what > the crypto community comes up with in hash research as > that feeds into DSS. I'm not sure why there is not a plan for larger key sizes. A possible clue is in this NIST document, "Recommendation for Key Management", http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf . Table 2 on page 63 shows the following correspondences between hash size and modulus size: 160/1024; 224/2048; 256/3072; 384/7680; and 512/15360. This fits what we know, with SHA-1 and a 1024 bit modulus as the traditional DSS; SHA-224 and a 2048 bit modulus, and SHA-256 and a 3072 bit modulus in this new DSS that I have been told about. It implies that the natural next size would be SHA-384 and a 7680 bit modulus. But that modulus is too big for most people's convenience. You might say, just use SHA-384 and a 4096 bit modulus, but that is not such a nice fit. The hash is a lot stronger than the modulus and so it is not well balanced. Perhaps such esthetic considerations motivated NIST's decision. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8HLm4hH030086; Sat, 17 Sep 2005 14:48:04 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8HLm4Zu030085; Sat, 17 Sep 2005 14:48:04 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8HLm3Qi030076 for <ietf-openpgp@imc.org>; Sat, 17 Sep 2005 14:48:03 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id E0FD9415F0; Sat, 17 Sep 2005 22:48:01 +0100 (BST) Message-ID: <432CAAC9.2050305@systemics.com> Date: Sun, 18 Sep 2005 00:46:17 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Hal Finney <hal@finney.org> Cc: ietf-openpgp@imc.org Subject: Re: Bigger DSA keys References: <20050916224113.6004C57EF5@finney.org> In-Reply-To: <20050916224113.6004C57EF5@finney.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hal Finney wrote: > The new DSS keys will, according to what I have heard, be for two sizes: > 2048 and 3072 bits, and will use SHA-224 and SHA-256 respectively. > (SHA-224 is not presently an OpenPGP algorithm; it is basically a > truncated version of SHA-256 with a different internal initial value). > This will allow for larger keys and use a different hash than SHA-1. (assuming we do it,) I would suggest we ditch the 2048/224 and just implement the 3072/256. (We could add the other one as a MAY ... but I can't see the point of it. Sure NIST may split hairs on it, but let's save ourselves the doco and the discussion and just do the better one.) > If this report is correct, it would be good to see these new key sizes > in RFC2440bis. Otherwise the DSS support in the spec will be essentially > "dead on arrival". Rather than publishing a spec with a major class > of keys that has no future utility, I think it makes sense to wait six > weeks and see if we can incorporate the new information, making the > spec much more robust and long-lasting. I don't think it is that easy. SHAs are under a cloud, and until we get some more definitive info on the new hardware factoring, even the numbers suggested above won't satisfy all the extremists. Consider that the extreme community considers 4096 to be a minimum, and all the news is supporting them at the moment; also, NIST's hash work has been controversial (SHA0, SHA2 being just an "extension" ...), I'd like to see what the crypto community comes up with in hash research as that feeds into DSS. Which rambling means to say that even after the October date, I suspect it will be all too easy to say "let's wait a bit more..." > For those who say we have waited too long already, I will just note that > the weeks and months drift by without much reason for delay but without > much progress either. Now that there is a good reason to hold off a > bit more, I would hate to see us suddenly rush to close the door. > > One issue is how best to incorporate these new key sizes. As I see it, > there are three alternatives. > > 1. Just use the new sizes with the existing DSA keys. Instead of only > 512-1024 bits, let DSA keys also be 2048 and 3072 bits, and enforce the > proper hash algorithms in software. > > 2. Use a new algorithm ID for the new DSA keys, which would be only > for 2048 and 3072 bits. The old algorithm ID would continue to be > used for old DSA keys. I think I'd lean towards this one. This would allow us to deprecate DSA-old just as soon as we can. > 3. Use a new key packet version number for the new DSA keys, V5. > Perhaps V5 keys could use a SHA-256 based fingerprint. This would > represent a clean break from the old way. I'd go against this (for the same reason you outline below). > The first alternative would involve the least change to the spec, just > changes to the information about how to sign and verify with DSA keys. > The second alternative would require adding much the same material > but with the handling of the new algorithm ID called out separately. > It would probably duplicate some of the information on old-style DSA keys. Ah, good point. But unless by some miracle all the implementations can handle #1 without blowing up, then I can't see how we'd countenance an incompatible change? > The third alternative is the most ambitious and is not feasible for > RFC2440bis IMO. We could still go to a V5 key packet at some point in > the future anyway, and perhaps do other improvements at that time. Right. > Between the first two, I would propose to decide largely on the basis of > backwards compatibility. Obviously signatures made with new-style DSA > keys will not be verifiable in old code. The question is how gracefully > existing implementations will fail when presented with such keys and > signatures, in either the first or second form. Testing on current > implementations could provide guidance as to which way of making the > change will cause the least trouble. Certainly interesting times for DSS fans. I use it in a lot of my stuff and have pretty much made up my mind to move to RSA when and as I can. Mostly this is because NIST have moved too little, too late on this one, and the numbers above are already looking like we'll be into a change again in about 2-3 years when the new Hash research settles into a new generation of algorithms. iang Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8GMffid002923; Fri, 16 Sep 2005 15:41:41 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8GMff3k002922; Fri, 16 Sep 2005 15:41:41 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8GMfeFh002916 for <ietf-openpgp@imc.org>; Fri, 16 Sep 2005 15:41:40 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 6004C57EF5; Fri, 16 Sep 2005 15:41:13 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Bigger DSA keys Message-Id: <20050916224113.6004C57EF5@finney.org> Date: Fri, 16 Sep 2005 15:41:13 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> I have it on good authority that NIST will be announcing larger size DSS keys soon. According to my source, the date will be by the end of October. Currently, DSS keys have two problems. First, they can be no bigger than 1024 bits. Recent results show that keys of this size can no longer be considered safe from large scale attackers. See for example http://lists.virus.org/cryptography-0509/msg00080.html (although this is for RSA keys, DSS keys of a similar size are not thought to be too much more difficult). Second, DSS keys are locked into using SHA-1, for which attacks have been published. The new DSS keys will, according to what I have heard, be for two sizes: 2048 and 3072 bits, and will use SHA-224 and SHA-256 respectively. (SHA-224 is not presently an OpenPGP algorithm; it is basically a truncated version of SHA-256 with a different internal initial value). This will allow for larger keys and use a different hash than SHA-1. If this report is correct, it would be good to see these new key sizes in RFC2440bis. Otherwise the DSS support in the spec will be essentially "dead on arrival". Rather than publishing a spec with a major class of keys that has no future utility, I think it makes sense to wait six weeks and see if we can incorporate the new information, making the spec much more robust and long-lasting. For those who say we have waited too long already, I will just note that the weeks and months drift by without much reason for delay but without much progress either. Now that there is a good reason to hold off a bit more, I would hate to see us suddenly rush to close the door. One issue is how best to incorporate these new key sizes. As I see it, there are three alternatives. 1. Just use the new sizes with the existing DSA keys. Instead of only 512-1024 bits, let DSA keys also be 2048 and 3072 bits, and enforce the proper hash algorithms in software. 2. Use a new algorithm ID for the new DSA keys, which would be only for 2048 and 3072 bits. The old algorithm ID would continue to be used for old DSA keys. 3. Use a new key packet version number for the new DSA keys, V5. Perhaps V5 keys could use a SHA-256 based fingerprint. This would represent a clean break from the old way. The first alternative would involve the least change to the spec, just changes to the information about how to sign and verify with DSA keys. The second alternative would require adding much the same material but with the handling of the new algorithm ID called out separately. It would probably duplicate some of the information on old-style DSA keys. The third alternative is the most ambitious and is not feasible for RFC2440bis IMO. We could still go to a V5 key packet at some point in the future anyway, and perhaps do other improvements at that time. Between the first two, I would propose to decide largely on the basis of backwards compatibility. Obviously signatures made with new-style DSA keys will not be verifiable in old code. The question is how gracefully existing implementations will fail when presented with such keys and signatures, in either the first or second form. Testing on current implementations could provide guidance as to which way of making the change will cause the least trouble. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8G2Xu0Z061491; Thu, 15 Sep 2005 19:33:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8G2Xumx061490; Thu, 15 Sep 2005 19:33:56 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8G2XtLO061482 for <ietf-openpgp@imc.org>; Thu, 15 Sep 2005 19:33:55 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 40C3657EF5; Thu, 15 Sep 2005 19:33:25 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Re: Any SHA-1 dependencies? Message-Id: <20050916023325.40C3657EF5@finney.org> Date: Thu, 15 Sep 2005 19:33:25 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Daniel Nagy writes: > Basically, what you are proposing is a sort of universal hash function, > where the hash algorithm identifier is followed by the hash computed using > that particular algorithm. > > This is potentially very dangerous, as it does not follow several > assumptions about a good hash function. Namely the hash value is not > unique and parts of the hash function are not uniformly strong. I agree that is one way to look at it. In a hypothetical future key fingerprint system, there would be multiple kinds: a SHA-1 fingerprint, a SHA256 fingerprint, a RIPEMD160 fingerprint, and so on. So it is non-unique. The idea is that if SHA-1 or some other hash became broken, the other kinds of fingerprints could be used, without revising the spec. Of course an attacker could replace a fingerprint with one based on an old, weak hash, but it would ultimately be up to the verifier to decide which hashes he would trust. In the event of a break, switching over to a new hash would be a potentially costly operation but it would not require issuing a new spec. I'm not sure what dangers you see over a system which would require changing both implementations and specifications. > On the other hand, there is a fair chance that SHA1 (and even MD5, though > its 128 bit length is a problem by itself) might be fixed. The known > collision attacks are based on collisions in the compression function > and it seems that in both cases the set of "problematic" blocks is actually > very sparse and easily detectable. This allows for several security > improvements: first, (and it has already been done, AFAIK) one can > immediately detect a data stream as one that is likely to be an > attempted attack on the hash function, second, one might create a "fixed" > compression function that does something different for problematic blocks, > thus yielding a hash function that gives the same output as SHA1 for the > vast majority of inputs, while being resistant against SHA1 collisions. > > The detection result is very likely to be presented at Eurocrypt2006, and > there's a chance that the fix will be presented too. I will look forward to seeing that. I wonder if it might be discussed at the NIST Halloween "hash bash", it sounds like it would be of great interest there. Without knowing the details it is hard to comment, but in general I would worry that any detection system might be "brittle" and possibly small changes to the attack method might bypass the detector while still producing collisions (perhaps somewhat more expensively). For example the Wang attacks always use the same initial differential, but there is no reason they could not work with slightly different differentials, I think. She chose the best one but I gather that there are others that weren't too bad. A detection system tuned too closely to known attacks might miss these alternatives. > The sparsity of problematic blocks also implies (although this is not > strictly within the scope of the discussion) that key-id binding signatures > might collide only on the key part (*), which is not dangerous. If the above > mentioned sanity check is performed, it removes even the non-dangerous key > collision as a possibility. I also remember Eli Biham last year at Crypto demonstrating very textual looking collisions on truncated SHA-1. His collisions were composed of ascii characters and even English words. Granted, truncation makes a world of difference in the ease of the attack but I wonder if we can be sure that the full SHA-1 attacks can never be improved in this way. > Also remember, that collisions are of concern only if the data is to be signed by > someone different from its author. There are protocol-level safeguards > against this possibility, though employing these would require a major > overhaul of OpenPGP, which in the light of the above is not warranted (yet). > Someday, however, we might very well be forced to introduce version 5 > signatures for certification and other notarial purposes. It is better to > postpone that as long as possible, because important discoveries with > immediate consequencnes on design and standardization decisions might lay ahead. Yes, there have been strong debates in online forums for example about changing signature procedures so that the signer prepends a block of data of his choice to the message to be signed, in case the message is prepared by someone else. There seems to be no consensus on whether this is on balance a good idea or not. > So, I would recommend sticking to SHA1 for the time being, as there is no > hash function with a better design at this point. Alternatives that belong > to the same MD4 family of hash functions (e.g. the now-fashionable > RIPEMD-160) have not been attacked only because SHA1 was a more rewarding > target. I didn't recommend stopping using SHA-1. In fact my only actual recommendation was to include SHA256 as another MUST hash, in case SHA-1 gets broken more badly (and in the hope that SHA256 will be OK). > Now, moving to 256-bit hash functions in order to have a built-in "safety > factor" keeping the hash-function safe even if it's partially broken, seems > to be inconsistent with market-economies. In our case it is particularly > relevant, because the standard we are designing is not enforced, leaving the > choice to the user. In general, though, it is risky to use non-MUST hashes in your signatures, for interoperability reasons. Of course we have only limited leverage over this via the spec, and as you note the market may force implementations to move to SHA256 regardless of whether it is MUST or not. [Skipping on a bit] > Back on topic, this is why I would advise against moving to 256-bit hashes > based on the MD4 design. Yes, it would add some security against hypotetical > ultra-motivated adversaries flush with resources, but you are interested in > these not because they are actually threats but because you are catering to > paranoid customers. Those would sneer at a partially broken SHA256 just as > they sneer at a partially broken SHA1. So, you will have to switch again > very soon, without gaining anything from the previous switch. It's not > rational behavior, especially in standardization. So, are you predicting that SHA256 will have at least theoretical breaks of its own? The people I have talked to seem quite non-committal about this prospect. No one can rule it out but most people say it should be stronger than SHA-1 and more resistant to this kind of attack. > Thus, my recommendation would be to postpone the discussion until more is > known, to avoid swift moves and stick to SHA1 for the time being. Maybe a > footnote would be warranted to explain why it's still safe to do things the > way we do them. Again, the only thing I recommended was to add SHA256 as a MUST. The only MUST-implement hash we have now is SHA-1. What do you think of that change? > Now, I have a separate set of grievances about the v4 private key packet format > and the way v4 key fingerprints are being calculated, but that has very > little to do with the recent developments around our once-favorite hash > function. In a separate post, I will explain why I would like to introduce a > new version of key packets (both public and private), and once we embark on > designing new packet formats, we can address the use of hash functions in > that context as well, but again, it's a separate topic. I have another change to suggest as well, which will also go into a future message. Thanks for your comments, they are very interesting and helpful. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8G1QSqT055353; Thu, 15 Sep 2005 18:26:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8G1QSxD055352; Thu, 15 Sep 2005 18:26:28 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org ([195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8G1QQgG055345 for <ietf-openpgp@imc.org>; Thu, 15 Sep 2005 18:26:27 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id 8BD122B47A9; Fri, 16 Sep 2005 03:26:25 +0200 (CEST) Date: Fri, 16 Sep 2005 03:26:25 +0200 To: ietf-openpgp@imc.org Subject: Re: Any SHA-1 dependencies? Message-ID: <20050916012625.GB2627@epointsystem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Hal, Basically, what you are proposing is a sort of universal hash function, where the hash algorithm identifier is followed by the hash computed using that particular algorithm. This is potentially very dangerous, as it does not follow several assumptions about a good hash function. Namely the hash value is not unique and parts of the hash function are not uniformly strong. On the other hand, there is a fair chance that SHA1 (and even MD5, though its 128 bit length is a problem by itself) might be fixed. The known collision attacks are based on collisions in the compression function and it seems that in both cases the set of "problematic" blocks is actually very sparse and easily detectable. This allows for several security improvements: first, (and it has already been done, AFAIK) one can immediately detect a data stream as one that is likely to be an attempted attack on the hash function, second, one might create a "fixed" compression function that does something different for problematic blocks, thus yielding a hash function that gives the same output as SHA1 for the vast majority of inputs, while being resistant against SHA1 collisions. The detection result is very likely to be presented at Eurocrypt2006, and there's a chance that the fix will be presented too. The sparsity of problematic blocks also implies (although this is not strictly within the scope of the discussion) that key-id binding signatures might collide only on the key part (*), which is not dangerous. If the above mentioned sanity check is performed, it removes even the non-dangerous key collision as a possibility. Also remember, that collisions are of concern only if the data is to be signed by someone different from its author. There are protocol-level safeguards against this possibility, though employing these would require a major overhaul of OpenPGP, which in the light of the above is not warranted (yet). Someday, however, we might very well be forced to introduce version 5 signatures for certification and other notarial purposes. It is better to postpone that as long as possible, because important discoveries with immediate consequencnes on design and standardization decisions might lay ahead. So, I would recommend sticking to SHA1 for the time being, as there is no hash function with a better design at this point. Alternatives that belong to the same MD4 family of hash functions (e.g. the now-fashionable RIPEMD-160) have not been attacked only because SHA1 was a more rewarding target. Now, moving to 256-bit hash functions in order to have a built-in "safety factor" keeping the hash-function safe even if it's partially broken, seems to be inconsistent with market-economies. In our case it is particularly relevant, because the standard we are designing is not enforced, leaving the choice to the user. The thing is that partially broken security products are a tough sell even if the remaining part is still secure enough. It is pretty clear from your post that you _are_ concerned about this. Let me digress a bit: In the USSR, it was okay to slash development costs by building in safety factors, so that even if the hash function or the block cipher turned out to be weaker than the designers originally thought, they would be still secure enough. Hence the 256-bit key length of the standard soviet block cipher (GOST 28147-89) which also doubles as the compression function of their standard hash function (standardized later as GOST 34.11-94). For government use (**) and for use in a planned economy this was the most rational way of designing the system: quick, cheap and a little dirty. In market economies, this approach won't fly, because as soon as your product is discredited by being partially broken, you will have to switch anyway, so cheap development with safety factors won't save you money in the long run. Hence, it's not a rational approach to cryptographic algorithm design and indeed, we don't see it in successful products in the free market. It is important to emphasize that it is not because your customers are somehow dumber in a market economy but because in addition to your development costs, they also have to bear the cost of choosing the right product for themselves (this cost does not occur in planned economies -- in certain cases, it can be a significant saving), and they are rational about minimizing it by not touching anything that has been discredited in any way -- they simply cannot afford to behave otherwise (in most cases). Back on topic, this is why I would advise against moving to 256-bit hashes based on the MD4 design. Yes, it would add some security against hypotetical ultra-motivated adversaries flush with resources, but you are interested in these not because they are actually threats but because you are catering to paranoid customers. Those would sneer at a partially broken SHA256 just as they sneer at a partially broken SHA1. So, you will have to switch again very soon, without gaining anything from the previous switch. It's not rational behavior, especially in standardization. Thus, my recommendation would be to postpone the discussion until more is known, to avoid swift moves and stick to SHA1 for the time being. Maybe a footnote would be warranted to explain why it's still safe to do things the way we do them. Now, I have a separate set of grievances about the v4 private key packet format and the way v4 key fingerprints are being calculated, but that has very little to do with the recent developments around our once-favorite hash function. In a separate post, I will explain why I would like to introduce a new version of key packets (both public and private), and once we embark on designing new packet formats, we can address the use of hash functions in that context as well, but again, it's a separate topic. (*) It is impossible to trick someone into binding a sane-looking unseen UID to a given public key by presenting him with another sane-looking UID that would collide with the unseen one for signature. (**) There is evidence suggesting that the mentioned algorithms were in government use long before having been released to the public as industry standards. Probably since the early eighties or even earlier. Bests, -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8FMxUBu044206; Thu, 15 Sep 2005 15:59:30 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8FMxUWe044205; Thu, 15 Sep 2005 15:59:30 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8FMxTRV044198 for <ietf-openpgp@imc.org>; Thu, 15 Sep 2005 15:59:29 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id 25EC357EF5; Thu, 15 Sep 2005 15:58:58 -0700 (PDT) To: ietf-openpgp@imc.org Subject: Any SHA-1 dependencies? Message-Id: <20050915225858.25EC357EF5@finney.org> Date: Thu, 15 Sep 2005 15:58:58 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> There are a few places in the OpenPGP spec where we hard-code the use of the SHA-1 hash. Given the recent attacks on this hash, we should look and see if there will be any security weaknesses if it should turn out that SHA-1 is broken and it becomes easier to generate collisions. This is actually a pretty complicated issue and it becomes something of a "can of worms" situation, ie. there are many complexities and subtleties that arise in the analysis. Here are some: - We don't know how badly SHA-1 might be broken. Current attacks can theoretically generate limited sorts of collisions in (at last report) about 2^64 work. Perhaps this work level will be lowered. Perhaps the limitations on collisions may be reduced. Perhaps even more powerful attacks such as preimage attacks (to find data that matches the hash of a given value) will become possible. - Any hash algorithm might in principle be broken eventually. A spec like OpenPGP can at best allow a choice of hash algorithms. However even then it will be necessary for communicators to decide which hash algorithms they trust. If someone loses confidence in a hash algorithm while others are still using it, interoperability is lost. My approach to these problems is to assume that SHA-1 will be broken to the extent that collisions can be found with moderate effort, even collisions with particular structures. However, preimages will not be possible. I think this is a conservative assumption given what is known about the new attacks. As far as the second issue, I will outline places where we hard-code SHA-1, and we should think about what would be involved in trying to allow for different hash algorithms to be used in place. Here then are the places we hard-code SHA-1 and the security implications. 5.5.3 Secret Key Packet Formats This has the option of using a 20-byte SHA-1 hash as a checksum of the secret key material. This should be safe. 5.13. Sym. Encrypted Integrity Protected Data Packet (Tag 18) This uses the SHA-1 hash of the message as a checksum for integrity. This should be safe. 9.4. Hash Algorithms SHA-1 is the only MUST implement hash algorithm. I would recommend that we include at least SHA-256 as a MUST implement algorithm, for future security. 11.2. Key IDs and Fingerprints A V4 key fingerprint is the SHA-1 hash of the key material. If SHA-1 is broken then it will be possible to create two keys which have the same fingerprint. Any places in the spec where fingerprints are used as pointers to keys, it will be possible for the key creator to substitute another key he created. Likewise, the V4 key ID is a substring of the fingerprint so the same considerations arise. (However, with respect to key IDs it is an old problem, since 64 bit key IDs can be made to collide with only 2^32 work, a very tractable amount.) Places where fingerprints are used: 5.2.3.15. Revocation key The revocation key (designated revoker) is specified via key fingerprint. This should be safe since the key holder is trusted to perform this service, so if he created a key collision he would only be able to transfer this power among keys he controlled. It is not an OpenPGP issue, but PGP uses signature subpacket 10 as an additional decryption key indicator, and this is also done via a key fingerprint. Similar considerations apply as for the designated revoker. With regard to key IDs, these are used in the following places: 5.1. Public-Key Encrypted Session Key Packets (Tag 1) The key ID indicates which key can decrypt the message. Ability to create keys with colliding key IDs should not cause security problems. 5.2.2. Version 3 Signature Packet Format The key ID of the signing key is stored in the V3 signature packet. Ability to create keys with colliding key IDs should not cause security problems. 5.2.3.5. Issuer This is the V4 key ID. Same situation as for V3. In fact we usually put this signature packet in the unhashed region. 5.4. One-Pass Signature Packets (Tag 4) Same situation as above. Summary None of the hard-coded uses of SHA-1 in the OpenPGP spec appear to introduce security problems, even if creating SHA-1 collisions becomes easy. This analysis does not cover the case of finding pre-images. The one change we might consider is to expand the set of MUST algorithms beyond SHA-1 since the community is shifting away from that hash. In the longer term it would be desirable to consider parameterizing the few places where SHA-1 is hard-coded, to take a hash algorithm specifier. This will allow us to avoid even the appearance of weakness which may be of concern to potential users, as SHA-1 becomes deprecated in a wide range of products and protocols in future years. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8EB6Me3027453; Wed, 14 Sep 2005 04:06:22 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8EB6Mxp027452; Wed, 14 Sep 2005 04:06:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8EB6L1S027445 for <ietf-openpgp@imc.org>; Wed, 14 Sep 2005 04:06:22 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 1745D41599 for <ietf-openpgp@imc.org>; Wed, 14 Sep 2005 12:06:20 +0100 (BST) Message-ID: <4328050F.3020309@systemics.com> Date: Wed, 14 Sep 2005 12:10:07 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: OpenPGP <ietf-openpgp@imc.org> Subject: Armouring - silly fix Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> If we haven't entered last call. In Section 6.6 it says "is indented by two spaces" but looks like three to me :-) I would suggest it say "is indented by several spaces". ============8<============================8<================ 6.6. Example of an ASCII Armored Message -----BEGIN PGP MESSAGE----- Version: OpenPrivacy 0.99 yDgBO22WxBHv7O8X7O/jygAEzol56iUKiXmV+XmpCtmpqQUKiQrFqclFqUDBovzS vBSFjNSiVHsuAA== =njUN -----END PGP MESSAGE----- Callas, et al. Expires Jan 08, 2006 [Page 53] ^LINTERNET-DRAFT OpenPGP Message Format Jul 08, 2005 Note that this example is indented by two spaces. ============8<============================8<================ iang Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j87NVaKQ022524; Wed, 7 Sep 2005 16:31:36 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j87NVaVI022523; Wed, 7 Sep 2005 16:31:36 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.epointsystem.org (120.156-228-195.hosting.adatpark.hu [195.228.156.120]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j87NVY4s022516 for <ietf-openpgp@imc.org>; Wed, 7 Sep 2005 16:31:35 -0700 (PDT) (envelope-from nagydani@epointsystem.org) Received: by mail.epointsystem.org (Postfix, from userid 1001) id C452A2B47BE; Thu, 8 Sep 2005 01:31:25 +0200 (CEST) Date: Thu, 8 Sep 2005 01:31:25 +0200 To: ietf-openpgp@imc.org Subject: Re: Information and meta-information Message-ID: <20050907233120.GA31910@epointsystem.org> References: <20050831152646.GB31148@epointsystem.org> <8BADBD06-012A-44B0-A9A7-6BDAE8ED8E37@hhhh.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8BADBD06-012A-44B0-A9A7-6BDAE8ED8E37@hhhh.org> User-Agent: Mutt/1.5.6+20040907i From: nagydani@epointsystem.org (Daniel A. Nagy) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Wed, Sep 07, 2005 at 03:56:58PM -0700, Wim Lewis wrote: > The existing 'b', 't', etc. tags could then be defined as shorthands > for particular MIME headers (content-type and charset). I disagree, because these tags convey a slightly different (lower-level) meaning than the mime headers. Also, the above suggestion would be a security hazard, since the literal packet's tag is not hashed and can be therefore altered in a signed message, without breaking the signature. PGP/MIME headers, on the other hand, are included in the hashed material, so they are part of the signed message. > >I would suggest the following modification of RFC2440bis-14: > > Do you mean removing the 't' and 'u' tags? Or supplementing them with > 'm'? Supplementing with 'm', of course. Removing 't' and 'b' tags (what's 'u'?) would break almost everything. -- Daniel Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j87Mv4eG019720; Wed, 7 Sep 2005 15:57:04 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j87Mv4uB019719; Wed, 7 Sep 2005 15:57:04 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from machop.omnigroup.com (omnigroup.com [198.151.161.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j87Mv315019712 for <ietf-openpgp@imc.org>; Wed, 7 Sep 2005 15:57:03 -0700 (PDT) (envelope-from wiml@hhhh.org) Received: from [198.151.161.70] (slowpoke.omnigroup.com [198.151.161.70]) by machop.omnigroup.com (Postfix) with ESMTP id 1945B3C19CEE; Wed, 7 Sep 2005 15:56:59 -0700 (PDT) In-Reply-To: <20050831152646.GB31148@epointsystem.org> References: <20050831152646.GB31148@epointsystem.org> Mime-Version: 1.0 (Apple Message framework v734) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <8BADBD06-012A-44B0-A9A7-6BDAE8ED8E37@hhhh.org> Cc: "Daniel A. Nagy" <nagydani@epointsystem.org> Content-Transfer-Encoding: 7bit From: Wim Lewis <wiml@hhhh.org> Subject: Re: Information and meta-information Date: Wed, 7 Sep 2005 15:56:58 -0700 To: ietf-openpgp@imc.org X-Mailer: Apple Mail (2.734) Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On 31 Aug, 2005, at 8:26 AM, Daniel A. Nagy wrote: > There is no distinction between PGP/MIME data and regular RFC2440 > data, > although all it would take is a flag in the Literal packet. This > way, if I > saved the PGP MESSAGE from an application/pgp-encrypted MIME chunk > (which is > doable even with MUAs ignorant of PGP/MIME), I could still decrypt > it into a > usable file (e.g. a jpeg image). I have had exactly the same thought (down to the choice of an 'm' in that field to indicate MIME data). This seems like a good idea in general. It would be useful outside of PGP/MIME as well: if metadata such as datatype or character encoding needs to be associated with the PGP-protected data, it seems reasonable to piggyback on MIME, just as (e.g.) HTTP does. The existing 'b', 't', etc. tags could then be defined as shorthands for particular MIME headers (content-type and charset). > I would suggest the following modification of RFC2440bis-14: Do you mean removing the 't' and 'u' tags? Or supplementing them with 'm'? Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j83F6Mh6089203; Sat, 3 Sep 2005 08:06:22 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j83F6MuE089202; Sat, 3 Sep 2005 08:06:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j83F6L9h089192 for <ietf-openpgp@imc.org>; Sat, 3 Sep 2005 08:06:21 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id 405B34142E; Sat, 3 Sep 2005 16:06:20 +0100 (BST) Message-ID: <4319BCD4.60902@systemics.com> Date: Sat, 03 Sep 2005 16:10:12 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Derek Atkins <derek@ihtfp.com> Cc: ietf-openpgp@imc.org Subject: Re: IETF-63 Proceedings Submission References: <sjm3bonjv78.fsf@cliodev.pgp.com> <431891A7.3060101@systemics.com> <sjmy86ei72e.fsf@cliodev.pgp.com> In-Reply-To: <sjmy86ei72e.fsf@cliodev.pgp.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Derek Atkins wrote: > Of course this didn't make it into the minutes; this messages > happened well after the IETF met in August. The minutes are a > status report of the IETF meeting; It does not take into account > messages that have been processed *since* the IETF. Apologies - I was confused and didn't realise this related to a meeting back then. iang Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j83E1WNW083671; Sat, 3 Sep 2005 07:01:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j83E1WCu083670; Sat, 3 Sep 2005 07:01:32 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from cliodev.pgp.com (me@CLIODEV.IHTFP.ORG [204.107.200.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j83E1UrJ083658 for <ietf-openpgp@imc.org>; Sat, 3 Sep 2005 07:01:31 -0700 (PDT) (envelope-from warlord@MIT.EDU) Received: from cliodev.pgp.com (cliodev.pgp.com [127.0.0.1]) by cliodev.pgp.com (8.13.1/8.13.1) with ESMTP id j83E1T2O012901; Sat, 3 Sep 2005 10:01:29 -0400 Received: (from warlord@localhost) by cliodev.pgp.com (8.13.1/8.13.1/Submit) id j83E1Tcs012898; Sat, 3 Sep 2005 10:01:29 -0400 X-Authentication-Warning: cliodev.pgp.com: warlord set sender to warlord@MIT.EDU using -f From: Derek Atkins <derek@ihtfp.com> To: Ian G <iang@systemics.com> Cc: ietf-openpgp@imc.org Subject: Re: IETF-63 Proceedings Submission References: <sjm3bonjv78.fsf@cliodev.pgp.com> <431891A7.3060101@systemics.com> Date: Sat, 03 Sep 2005 10:01:29 -0400 In-Reply-To: <431891A7.3060101@systemics.com> (Ian G.'s message of "Fri, 02 Sep 2005 18:53:43 +0100") Message-ID: <sjmy86ei72e.fsf@cliodev.pgp.com> User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Of course this didn't make it into the minutes; this messages happened well after the IETF met in August. The minutes are a status report of the IETF meeting; It does not take into account messages that have been processed *since* the IETF. -derek And no, we're not in final call, yet. I need to catch up and make sure we've handled all the open issues. I'll see if I can get to that this week. Ian G <iang@systemics.com> writes: > Derek Atkins wrote: >> - If you want changes in wording - need to be compatable and suggest text. >> - Only open issue is David Shaw's BNF request for literal+literal. No reason not to include David Shaw's request, but not in draft 14. Should go into 15 > > I guess the below didn't make it then. Oh well. > > > > -------- Original Message -------- > Subject: Re: Signature types > Date: Sat, 27 Aug 2005 10:25:07 +0100 > From: Ian G <iang@systemics.com> > Organization: http://financialcryptography.com/ > To: ietf-openpgp@imc.org > References: <20050827075018.GA17967@epointsystem.org> > > > Daniel A. Nagy wrote: >> ... [some stuff] > > On that section, but not on Daniel's question, it occurs to > me that the caveat found half way down ("Please note that > the vagueness...") could be usefully expanded to cover all > of 5.2.1. > > Something like: > > 5.2.1. Signature Types > > There are a number of possible meanings for a signature. > By convention, OpenPGP suggests meanings by the following > signature type octets in any given signature. > > Please note that the vagueness of these signature claims > is not a flaw, but a feature of the system. Cryptographic > signing technology alone cannot make these claims true, > and a relying party would need to examine the intentions > of any signer, and the wider context of the system and > environment in order to assess any claims. OpenPGP places > final authority and responsibility on the receiver of any > signature. > > 0x01:... > > Which then allows a simplification of the post-0x13 comment: > > 0x13:... > > Please note that one authority's casual certification > might be more rigorous than some other authority's > positive certification. These classifications allow a > certification authority to issue fine-grained claims. > > Most OpenPGP implementations make their "key signatures" as 0x10 > certifications. Some implementations can issue 0x11-0x13 > certifications, but few differentiate between the types. > > > As an alternate, such general commentary could append to the > end of the section - but in legal terms, if it is a warning > as to limitations, it should be at the front. Given the > somewhat poisoned waters of digital signatures, I'd prefer > to see the disclaims before any claims. > > iang > > PS: are we in final call already? > > > > -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j82HnsGF040692; Fri, 2 Sep 2005 10:49:54 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j82Hns7a040691; Fri, 2 Sep 2005 10:49:54 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mailgate.enhyper.net ([80.168.109.121]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j82HnrPw040684 for <ietf-openpgp@imc.org>; Fri, 2 Sep 2005 10:49:53 -0700 (PDT) (envelope-from iang@systemics.com) Received: from [IPv6:::1] (localhost [127.0.0.1]) by mailgate.enhyper.net (Postfix) with ESMTP id E346C5D137; Fri, 2 Sep 2005 18:49:51 +0100 (BST) Message-ID: <431891A7.3060101@systemics.com> Date: Fri, 02 Sep 2005 18:53:43 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050831) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Derek Atkins <derek@ihtfp.com> Cc: ietf-openpgp@imc.org Subject: Re: IETF-63 Proceedings Submission References: <sjm3bonjv78.fsf@cliodev.pgp.com> In-Reply-To: <sjm3bonjv78.fsf@cliodev.pgp.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Derek Atkins wrote: > - If you want changes in wording - need to be compatable and suggest text. > - Only open issue is David Shaw's BNF request for literal+literal. No reason not to include David Shaw's request, but not in draft 14. Should go into 15 I guess the below didn't make it then. Oh well. -------- Original Message -------- Subject: Re: Signature types Date: Sat, 27 Aug 2005 10:25:07 +0100 From: Ian G <iang@systemics.com> Organization: http://financialcryptography.com/ To: ietf-openpgp@imc.org References: <20050827075018.GA17967@epointsystem.org> Daniel A. Nagy wrote: > ... [some stuff] On that section, but not on Daniel's question, it occurs to me that the caveat found half way down ("Please note that the vagueness...") could be usefully expanded to cover all of 5.2.1. Something like: 5.2.1. Signature Types There are a number of possible meanings for a signature. By convention, OpenPGP suggests meanings by the following signature type octets in any given signature. Please note that the vagueness of these signature claims is not a flaw, but a feature of the system. Cryptographic signing technology alone cannot make these claims true, and a relying party would need to examine the intentions of any signer, and the wider context of the system and environment in order to assess any claims. OpenPGP places final authority and responsibility on the receiver of any signature. 0x01:... Which then allows a simplification of the post-0x13 comment: 0x13:... Please note that one authority's casual certification might be more rigorous than some other authority's positive certification. These classifications allow a certification authority to issue fine-grained claims. Most OpenPGP implementations make their "key signatures" as 0x10 certifications. Some implementations can issue 0x11-0x13 certifications, but few differentiate between the types. As an alternate, such general commentary could append to the end of the section - but in legal terms, if it is a warning as to limitations, it should be at the front. Given the somewhat poisoned waters of digital signatures, I'd prefer to see the disclaims before any claims. iang PS: are we in final call already? Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j82GMmR0030768; Fri, 2 Sep 2005 09:22:48 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j82GMmRi030767; Fri, 2 Sep 2005 09:22:48 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from cliodev.pgp.com (me@CLIODEV.IHTFP.ORG [204.107.200.20]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j82GMlxl030760 for <ietf-openpgp@imc.org>; Fri, 2 Sep 2005 09:22:47 -0700 (PDT) (envelope-from warlord@MIT.EDU) Received: from cliodev.pgp.com (cliodev.pgp.com [127.0.0.1]) by cliodev.pgp.com (8.13.1/8.13.1) with ESMTP id j82GMfVW011099; Fri, 2 Sep 2005 12:22:41 -0400 Received: (from warlord@localhost) by cliodev.pgp.com (8.13.1/8.13.1/Submit) id j82GMZta011096; Fri, 2 Sep 2005 12:22:35 -0400 X-Authentication-Warning: cliodev.pgp.com: warlord set sender to warlord@MIT.EDU using -f From: Derek Atkins <derek@ihtfp.com> To: proceedings@ietf.org Cc: ietf-openpgp@imc.org Subject: IETF-63 Proceedings Submission Date: Fri, 02 Sep 2005 12:22:35 -0400 Message-ID: <sjm3bonjv78.fsf@cliodev.pgp.com> User-Agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> --=-=-= Minutes of OpenPGP Meeting at IETF-63 -derek --=-=-= Content-Disposition: attachment; filename=Minutes-63.txt Content-Description: OpenPGP Minutes AGENDA -- -- Introduction and Agenda Bashing No changes -- 2440 bis status - In "pentultimate last call" for some time (over a year) - now only doing tweaks to the document. - If you want changes in wording - need to be compatable and suggest text. - Only open issue is David Shaw's BNF request for literal+literal. No reason not to include David Shaw's request, but not in draft 14. Should go into 15 - Run last call and finish this document - Use difference documents for new work - downside is that not everything will be in a small number of documents. Good news is that will have a fixed definitive document -- 2440 next steps - Go to Last call. finish by end of August - Try for a bake off? try for Draft Standard. (early in '06) - update milestones - proposal given. - Draft standard would be tried for 6 months after IESG approval. - New Life - New documents not hit 2440bis. - -- Proposed Milestones Aug 05 WGLC for 2440bis Sep 05 Submit 2440bis to IESG as Proposed Standard Nov 05 Finish Interop Test Plan Jan 06 Begin 2440bis Interop Testing Mar 06 Request DRAFT Status for 2440bis - No Objections --- Message Header - draft-josefsson-openpgp-mailnews-header-01.txt - standardize some X- headers for PGP. - Lookup URL and key id of a sender - simplified original by dropping some unnecessary data. - key id - longer fingerprint - url to key - What is the problem to be solved? - Not completely clear - invent header that could be used programatically to lookup key and keyid of sender - Manual cut & paste? - request for additinoal current usage of old headers for inclusion in the doument. - Open Issuses: - Add token to state strong preference for reciving PGP and potentially the PGP format to be sent. - IETF process restricted to MIME? - place same info into a packet? - Keyserver field? - unsure of what this would be really for. Next expansion of the idea. - BNF problems on the draft need corrections. Open MIKE JON - Supports idea of draft - supports "supports token" - PGP has a similar item already used. used with different values for different reading devices. - Wants support to plain inline text - kill mime and only use plain text as a personal preference. - response - Need additional proposals to solve some of the problems? JON - display problems not format issues - Don't ban text only w/o mime wrappers. 8-bit character set problems with servers - Vigourous dispute on issues with character sets. Thomas Roessler - two formats - with and w/o tag - please elimiate the untagged version. ??? - Please add finger print header - used for validation. - possible support already? JON - KeyID is a trucated fingerprint - allow for longer id to get fuller fingerprint w/o much additional parsing. - -00 to -01 allowed for longer KeyID from a fixed length. --- Open Discussion - Meeting closed. --=-=-= -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory Member, MIT Student Information Processing Board (SIPB) URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH warlord@MIT.EDU PGP key available --=-=-=-- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8271LwO062931; Fri, 2 Sep 2005 00:01:21 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j8271LG8062930; Fri, 2 Sep 2005 00:01:21 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j8271JqI062922 for <ietf-openpgp@imc.org>; Fri, 2 Sep 2005 00:01:20 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EB5eO-0006Wj-BI for <ietf-openpgp@imc.org>; Fri, 02 Sep 2005 09:07:48 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EB5Wq-0004WP-4H; Fri, 02 Sep 2005 09:00:00 +0200 To: Karl Kashofer <karl.kashofer@gmx.at> Cc: ietf-openpgp@imc.org Subject: Re: Encrypt subject References: <20050831224025.BBED557EF5@finney.org> <4316D4CC.8080501@gmx.at> <877je0oq4r.fsf@wheatstone.g10code.de> <43175586.3040100@gmx.at> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Fri, 02 Sep 2005 09:00:00 +0200 In-Reply-To: <43175586.3040100@gmx.at> (Karl Kashofer's message of "Thu, 01 Sep 2005 20:24:54 +0100") Message-ID: <87ek88kl8v.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 01 Sep 2005 20:24:54 +0100, Karl Kashofer said: > I see what you mean, but from a practical point of view, how much PGP > encrypted spam have you gotten lately ? I was not talking about spam but on how to prioritize/ignore regular mail. Salam-Shalom, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j81JPXq9065753; Thu, 1 Sep 2005 12:25:33 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j81JPX3D065752; Thu, 1 Sep 2005 12:25:33 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.gmx.net (pop.gmx.de [213.165.64.20]) by above.proper.com (8.12.11/8.12.9) with SMTP id j81JPWTv065732 for <ietf-openpgp@imc.org>; Thu, 1 Sep 2005 12:25:32 -0700 (PDT) (envelope-from karl.kashofer@gmx.at) Received: (qmail invoked by alias); 01 Sep 2005 19:25:25 -0000 Received: from unknown (EHLO [10.0.0.50]) [81.189.102.241] by mail.gmx.net (mp026) with SMTP; 01 Sep 2005 21:25:25 +0200 X-Authenticated: #7548666 Received: from 127.0.0.1 (AVG SMTP 7.0.344 [267.10.16]); Thu, 01 Sep 2005 20:24:54 +0100 Message-ID: <43175586.3040100@gmx.at> Date: Thu, 01 Sep 2005 20:24:54 +0100 From: Karl Kashofer <karl.kashofer@gmx.at> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 CC: ietf-openpgp@imc.org Subject: Re: Encrypt subject References: <20050831224025.BBED557EF5@finney.org> <4316D4CC.8080501@gmx.at> <877je0oq4r.fsf@wheatstone.g10code.de> In-Reply-To: <877je0oq4r.fsf@wheatstone.g10code.de> X-Enigmail-Version: 0.92.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi ! > What I mean is that a subject you need to decrypt first is not very > usable for the purpose a subject line is commonly used, i.e. to > quickly decide what messages belong together and whether to read them. > > With a slow connection and POP3 and with IMAP in general many people > just look at the subject to decide whether to retrieve the entire > message. Requiring to decrypt it first make no sense then. I see what you mean, but from a practical point of view, how much PGP encrypted spam have you gotten lately ? I assume if its encrypted it might actually be worth reading ? > So, my suggestion is to use a non-sense subject line to merely help > visualizing a theread. Sure, but if enigmail were able to permanently decrypt messages this could still be accomplished once the message is decrypted. Problem seems to be that mozilla/thunderbird does atm not allow them to permanently modify the message, so it might take a while to implement that anyway. Thanks for your help, I will carry this to the enigmail mailing list, Cheers, Karl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDF1WFyD2v/adjdKMRAjh8AKDv4KMDbGWH12JSU2C3yJM7B7p8OgCfep+X gW6I3WSYKl7ejzqudPQUp5Q= =9fjR -----END PGP SIGNATURE----- Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j81JEuGh064642; Thu, 1 Sep 2005 12:14:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j81JEuxf064641; Thu, 1 Sep 2005 12:14:56 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j81JEsLT064634 for <ietf-openpgp@imc.org>; Thu, 1 Sep 2005 12:14:55 -0700 (PDT) (envelope-from wk@gnupg.org) Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1EAuck-0002Td-FT for <ietf-openpgp@imc.org>; Thu, 01 Sep 2005 21:21:22 +0200 Received: from wk by localhost with local (Exim 4.34 #1 (Debian)) id 1EApQj-0003QO-MC; Thu, 01 Sep 2005 15:48:37 +0200 To: Karl Kashofer <karl.kashofer@gmx.at> Cc: ietf-openpgp@imc.org Subject: Re: Encrypt subject References: <20050831224025.BBED557EF5@finney.org> <4316D4CC.8080501@gmx.at> From: Werner Koch <wk@gnupg.org> Organisation: g10 Code GmbH OpenPGP: id=5B0358A2; url=finger:wk@g10code.com Date: Thu, 01 Sep 2005 15:48:36 +0200 In-Reply-To: <4316D4CC.8080501@gmx.at> (Karl Kashofer's message of "Thu, 01 Sep 2005 11:15:40 +0100") Message-ID: <877je0oq4r.fsf@wheatstone.g10code.de> User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> On Thu, 01 Sep 2005 11:15:40 +0100, Karl Kashofer said: > Well the way Werner describes it, he just advises not to use a Subject. What I mean is that a subject you need to decrypt first is not very usable for the purpose a subject line is commonly used, i.e. to quickly decide what messages belong together and whether to read them. With a slow connection and POP3 and with IMAP in general many people just look at the subject to decide whether to retrieve the entire message. Requiring to decrypt it first make no sense then. So, my suggestion is to use a non-sense subject line to merely help visualizing a theread. > Could you by any means describe this in more detail ? Something like this: From: me@example.org To: you@example.com Subject: none Content-Type: multipart/encrypted; protocol=application/pgp-encrypted; boundary="xxxxxx" --xxxxxx Content-Type: application/pgp-encrypted Version: 1 --xxxxxx Content-Type: application/octet-stream & Content-Type: message/rfc822; boundary="yyyyy" & & & --yyyyyy & From: me@example.org & To: you@example.com & Subject: Don't tell anyone that PGP/MIME just works & Content-Type: text/plain & & Proposal on how to gain world domination of PGP/MIME & and to abolish any use of S/MIME. & & --yyyyyy-- --xxxxxx-- Where the lines marked by "&" are actually encrypted. Salam-Shalom, Werner Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j81I3AGR058080; Thu, 1 Sep 2005 11:03:10 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j81I3Att058079; Thu, 1 Sep 2005 11:03:10 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j81I37DQ058070 for <ietf-openpgp@imc.org>; Thu, 1 Sep 2005 11:03:09 -0700 (PDT) (envelope-from hal@finney.org) Received: by finney.org (Postfix, from userid 500) id D128B57EF5; Thu, 1 Sep 2005 10:13:22 -0700 (PDT) To: ietf-openpgp@imc.org, karl.kashofer@gmx.at Subject: Re: Encrypt subject Message-Id: <20050901171322.D128B57EF5@finney.org> Date: Thu, 1 Sep 2005 10:13:22 -0700 (PDT) From: hal@finney.org ("Hal Finney") Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> Karl Kashofer writes: > So this would adhere to the standards, and allow to embed headers inside > the PGP encryption block ? > > Could you by any means describe this in more detail ? > > I would try to bring it to the attention of enigmail developers, maybe > they are interested in it. Well, PGP/MIME is http://www.ietf.org/rfc/rfc3156.txt which is based on the MIME security extensions, http://www.ietf.org/rfc/rfc1847.txt . The message/rfc822 type for embedding mail with headers is described in http://www.ietf.org/rfc/rfc2046.txt section 5.2.1. The implementation concept would be that when you decrypt a PGP/MIME message and find that the inner type is message/rfc822, you would promote the relevant mail headers, particularly Subject, from the inner type to the outer message. This might also include source information ("From"), for example if the message were delivered via an anonymous remailer network. Maybe some other headers could also be usefully encrypted. Hal Finney Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j81AGAnv016214; Thu, 1 Sep 2005 03:16:10 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j81AGA4E016213; Thu, 1 Sep 2005 03:16:10 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f Received: from mail.gmx.net (mail.gmx.de [213.165.64.20]) by above.proper.com (8.12.11/8.12.9) with SMTP id j81AG8Zc016154 for <ietf-openpgp@imc.org>; Thu, 1 Sep 2005 03:16:09 -0700 (PDT) (envelope-from karl.kashofer@gmx.at) Received: (qmail invoked by alias); 01 Sep 2005 10:16:02 -0000 Received: from unknown (EHLO hotmail.com) [81.189.102.241] by mail.gmx.net (mp029) with SMTP; 01 Sep 2005 12:16:02 +0200 X-Authenticated: #7548666 Received: from 127.0.0.1 (AVG SMTP 7.0.344 [267.10.16]); Thu, 01 Sep 2005 11:15:41 +0100 Message-ID: <4316D4CC.8080501@gmx.at> Date: Thu, 01 Sep 2005 11:15:40 +0100 From: Karl Kashofer <karl.kashofer@gmx.at> User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ietf-openpgp@imc.org Subject: Re: Encrypt subject References: <20050831224025.BBED557EF5@finney.org> In-Reply-To: <20050831224025.BBED557EF5@finney.org> X-Enigmail-Version: 0.92.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Sender: owner-ietf-openpgp@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/> List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe> List-ID: <ietf-openpgp.imc.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi ! > The problem is that we do sort of have a solution to this already, which > Werner described: use PGP/MIME. MIME allows for embedding one email > message inside another, and the MIME security extensions, including > PGP/MIME, show how to encrypt such an embedded message. Well the way Werner describes it, he just advises not to use a Subject. >>Simply send your mail as an encrypted message/rfc2822 MIME message and >>put an innocent subject into the header. > The problem is that almost no mailers support this. Few enough even > support PGP/MIME, and then they would also have to be smart enough to > figure out what to do with an embedded email message. Replacing the > enclosing message's headers with those from the embedded message is not > an obvious thing to do. So this would adhere to the standards, and allow to embed headers inside the PGP encryption block ? Could you by any means describe this in more detail ? I would try to bring it to the attention of enigmail developers, maybe they are interested in it. They have Per-Recipient-Rules, so it would be possible to implement that, and then specify it in these rules, so its only used for recipients which are able to decrypt it. I do that with PGP/MIME to only use it for thunderbird recipients, works fine. I would really like to see this implemented, and I am sure it annoys a few other people as well. Cheers, Karl -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDFtTMyD2v/adjdKMRAoCiAJ0butw/p1Nnefj7dOV0K/coITSRKgCg1M6r mFt5/JSKgtAVVezPYxIpPVE= =n0fX -----END PGP SIGNATURE-----
- Line spacing in normative references "Hal Finney"
- Re: Line spacing in normative references Jon Callas