Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

[Daniel Kahn Gillmor <dkg@fifthhorseman.net>]

On 03/14/2014 12:46 PM, Werner Koch wrote:
> You better need some setup from the other possible signers: They should
> be able to create ring signatures.  If you look at a ring signature and
> you can figure out that only key has been created with a software
> version capable of handling ring signatures it would be easy to single
> out who actually did the signature.  Unfortunately we can't completely
> hide all hints on the software version used.  For example analyzing
> signed mails from mailing list archives should allow to guess which
> software version is used.

I'm not sure i agree with this line of reasoning.  older keys can be
imported into newer software (i've done that multiple times).  if the
goal here is simply cryptographic non-repudiability, Alice's peer is
presumably trying to prove to a third-party judge that the peer didn't
make the signature, therefore Alice did.  But the peer cannot prove that
their key material has never been used with a different implementation
-- they can only assert that claim; but they could just as well assert
that they didn't make the signature in the first place.  Why should the
judge believe one claim over the other?

Put another way, i can produce a ring signature over a set of very
reasonable text that claims to be *from* a peer's public key and/or a
throwaway key, and introduce that as a piece of correspondence -- i
could even do this with the body of a message that the peer actually did
send to me, thereby "demonstrating" that the peer is capable of making
ring signatures.

it doesn't make sense to rely on non-cryptographic signals (e.g. typical
OpenPGP implemnetation version information, etc) to rule out possible
cryptographic signers.

	--dkg