Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Daniel Kahn Gillmor <> Fri, 14 March 2014 17:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CCB381A0191 for <>; Fri, 14 Mar 2014 10:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tmKrqHtE97SN for <>; Fri, 14 Mar 2014 10:26:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7B3E61A0198 for <>; Fri, 14 Mar 2014 10:26:52 -0700 (PDT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id B425CF984; Fri, 14 Mar 2014 13:26:43 -0400 (EDT)
Message-ID: <>
Date: Fri, 14 Mar 2014 13:26:44 -0400
From: Daniel Kahn Gillmor <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Werner Koch <>, Vincent Yu <>
References: <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="2cPNDb1PgMHlA81MHkx9hnhIwhKXO8V03"
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Mar 2014 17:26:56 -0000

On 03/14/2014 12:46 PM, Werner Koch wrote:
> You better need some setup from the other possible signers: They should
> be able to create ring signatures.  If you look at a ring signature and
> you can figure out that only key has been created with a software
> version capable of handling ring signatures it would be easy to single
> out who actually did the signature.  Unfortunately we can't completely
> hide all hints on the software version used.  For example analyzing
> signed mails from mailing list archives should allow to guess which
> software version is used.

I'm not sure i agree with this line of reasoning.  older keys can be
imported into newer software (i've done that multiple times).  if the
goal here is simply cryptographic non-repudiability, Alice's peer is
presumably trying to prove to a third-party judge that the peer didn't
make the signature, therefore Alice did.  But the peer cannot prove that
their key material has never been used with a different implementation
-- they can only assert that claim; but they could just as well assert
that they didn't make the signature in the first place.  Why should the
judge believe one claim over the other?

Put another way, i can produce a ring signature over a set of very
reasonable text that claims to be *from* a peer's public key and/or a
throwaway key, and introduce that as a piece of correspondence -- i
could even do this with the body of a message that the peer actually did
send to me, thereby "demonstrating" that the peer is capable of making
ring signatures.

it doesn't make sense to rely on non-cryptographic signals (e.g. typical
OpenPGP implemnetation version information, etc) to rule out possible
cryptographic signers.