Re: [openpgp] Fingerprint requirements for OpenPGP

Derek Atkins <derek@ihtfp.com> Wed, 13 April 2016 14:31 UTC

Werner Koch <wk@gnupg.org> writes:

> On Tue, 12 Apr 2016 02:40, dkg@fifthhorseman.net said:
>
>> Note that a human is always in the loop in these transfers.  If no human
>> is in the loop, we do not need the fingerprint, and can (and probably
>> should) use some other technique.
>
> Given that the fingerprint is of constant size or at least has an upper
> limit, it has advantages in protocol design too.  I can see only two
> other options:
>
>  - Some newly made-up identifier.  This brings us back to
>    the X.509 mess of several ways to locate a key.
>
>  - Using the full public key: This would be fine for ECC, is
>    troublesome for RSA, and for PQC it would be ridiculously large.
>
> Thus I think a binary fingerprint is even preferable with no humans in
> the loop.

Agreed.

>>  * it should be cheap to compute from a given key -- you shouldn't need
>>    a gig of RAM or a minute of CPU to calculate the fingerprints of any
>>    key.
>
> According to Peter, this means SHA-256.  There may be no proof-of-work
> for creating a key and thus a structured fingerprint.  (Sometimes you
> have to create a lot of one-off keys.)
>
>>  * it should be strong enough that we do not believe anyone can create a
>>    key with a fingerprint that collides with another key's fingerprint
>
> As Vincent pointed out, we only need preimage resistance.
>
>> If not, what's missing?
>
> Whether to hash a
>
>   a) fixed string and a creation date,
>   b) fixed string and creation date and a hard expiration date,
>   c) fixed string,
>   d) nothing
>
> in addition to the algorithm parameters.  My conclusion from the
> discussions is that we should decide between a) and c).  I don't
> really care given that using a creation date of 0 can be used when
> needed.

I still believe we should use b, with the knowledge that the hard
expiration is optional (could be 0).  This would protect against an
attack where you lose control of your secret material and the attacker
creates a new self-sig with a new expiration time.

> Salam-Shalom,
>
>    Werner

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
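
Added example, not part of the original message and not a layout from any OpenPGP specification: a sketch of options a) to d) showing which key metadata each one binds into a SHA-256 fingerprint, and so whether a re-issued key with a later hard expiration still matches a fingerprint a peer has pinned. The fixed string, byte layout, sample key and dates are assumptions constructed for illustration.

```python
import hashlib
import struct

# Hypothetical domain-separation string; the thread does not specify one.
FIXED = b"example-openpgp-fpr"

def fingerprint(option, algo_id, key_material, created=0, hard_expiry=0):
    """SHA-256 fingerprint under options a) to d) from the thread.

    The byte layout is an assumption made for this example. Every
    variable-length field is length-prefixed so inputs cannot be re-split.
    """
    if option not in ("a", "b", "c", "d"):
        raise ValueError("option must be one of a, b, c, d")
    h = hashlib.sha256()
    if option in ("a", "b", "c"):          # fixed string
        h.update(struct.pack(">H", len(FIXED)) + FIXED)
    if option in ("a", "b"):               # creation date (0 = unset)
        h.update(struct.pack(">I", created))
    if option == "b":                      # hard expiration (0 = none)
        h.update(struct.pack(">I", hard_expiry))
    # Algorithm parameters are hashed under every option.
    h.update(bytes([algo_id]))
    h.update(struct.pack(">I", len(key_material)) + key_material)
    return h.digest()

# Constructed sample key: arbitrary algorithm id and 32 placeholder bytes.
ALGO, KEY = 22, bytes(range(32))
CREATED, EXPIRES = 1460557805, 1523629805

def survives_change(option, **changed):
    """True if a pinned fingerprint still matches after metadata changes."""
    base = dict(created=CREATED, hard_expiry=EXPIRES)
    pinned = fingerprint(option, ALGO, KEY, **base)
    return fingerprint(option, ALGO, KEY, **{**base, **changed}) == pinned

def report():
    """Per option: does the fingerprint survive a new expiry / creation date?"""
    return {opt: (survives_change(opt, hard_expiry=EXPIRES + 10 * 365 * 86400),
                  survives_change(opt, created=CREATED + 1))
            for opt in "abcd"}

if __name__ == "__main__":
    for opt, (expiry_ok, created_ok) in report().items():
        print(opt, "extended expiry accepted:", expiry_ok,
              "| changed creation date accepted:", created_ok)
```

In this sketch only option b) makes the pinned fingerprint stop matching when the expiration is changed; options c) and d) leave both dates to be carried by the self-signature alone.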