Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 March 2014 17:26 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB381A0191 for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 10:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmKrqHtE97SN for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 10:26:53 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 7B3E61A0198 for <openpgp@ietf.org>; Fri, 14 Mar 2014 10:26:52 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id B425CF984; Fri, 14 Mar 2014 13:26:43 -0400 (EDT)
Message-ID: <53233BD4.4020804@fifthhorseman.net>
Date: Fri, 14 Mar 2014 13:26:44 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Werner Koch <wk@gnupg.org>, Vincent Yu <v@v-yu.com>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <87y50cybh3.fsf@vigenere.g10code.de>
In-Reply-To: <87y50cybh3.fsf@vigenere.g10code.de>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="2cPNDb1PgMHlA81MHkx9hnhIwhKXO8V03"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/BohTCiQ-2gyk1VxAkS0JAR5bgfc
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 17:26:56 -0000

On 03/14/2014 12:46 PM, Werner Koch wrote:
> You better need some setup from the other possible signers: They should
> be able to create ring signatures.  If you look at a ring signature and
> you can figure out that only key has been created with a software
> version capable of handling ring signatures it would be easy to single
> out who actually did the signature.  Unfortunately we can't completely
> hide all hints on the software version used.  For example analyzing
> signed mails from mailing list archives should allow to guess which
> software version is used.

I'm not sure i agree with this line of reasoning.  older keys can be
imported into newer software (i've done that multiple times).  if the
goal here is simply cryptographic non-repudiability, Alice's peer is
presumably trying to prove to a third-party judge that the peer didn't
make the signature, therefore Alice did.  But the peer cannot prove that
their key material has never been used with a different implementation
-- they can only assert that claim; but they could just as well assert
that they didn't make the signature in the first place.  Why should the
judge believe one claim over the other?

Put another way, i can produce a ring signature over a set of very
reasonable text that claims to be *from* a peer's public key and/or a
throwaway key, and introduce that as a piece of correspondence -- i
could even do this with the body of a message that the peer actually did
send to me, thereby "demonstrating" that the peer is capable of making
ring signatures.

it doesn't make sense to rely on non-cryptographic signals (e.g. typical
OpenPGP implemnetation version information, etc) to rule out possible
cryptographic signers.

	--dkg