Re: including the entire fingerprint of the issuer in an OpenPGP certification

Jon Callas <jon@callas.org> Tue, 18 January 2011 06:40 UTC

Received: from hoffman.proper.com (localhost [127.0.0.1]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p0I6eIvg019210 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Jan 2011 23:40:18 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by hoffman.proper.com (8.14.4/8.13.5/Submit) id p0I6eIYX019209; Mon, 17 Jan 2011 23:40:18 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: hoffman.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (thing2.merrymeet.com [173.164.244.100] (may be forged)) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p0I6eHiq019202 for <ietf-openpgp@imc.org>; Mon, 17 Jan 2011 23:40:18 -0700 (MST) (envelope-from jon@callas.org)
Received: from localhost (localhost [127.0.0.1]) by merrymeet.com (Postfix) with ESMTP id 9206C2E0B4 for <ietf-openpgp@imc.org>; Mon, 17 Jan 2011 22:40:26 -0800 (PST)
Received: from merrymeet.com ([127.0.0.1]) by localhost (host.domain.tld [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 16218-04 for <ietf-openpgp@imc.org>; Mon, 17 Jan 2011 22:40:21 -0800 (PST)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) (Authenticated sender: jon) by merrymeet.com (Postfix) with ESMTPA id CDE672E02C for <ietf-openpgp@imc.org>; Mon, 17 Jan 2011 22:40:21 -0800 (PST)
Received: from [10.0.23.19] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Mon, 17 Jan 2011 22:40:07 -0800
X-PGP-Universal: processed; by keys.merrymeet.com on Mon, 17 Jan 2011 22:40:07 -0800
Subject: Re: including the entire fingerprint of the issuer in an OpenPGP certification
Mime-Version: 1.0 (Apple Message framework v1082)
From: Jon Callas <jon@callas.org>
In-Reply-To: <E1Pf1WI-0007aL-EN@login01.fos.auckland.ac.nz>
Date: Mon, 17 Jan 2011 22:40:05 -0800
Cc: OpenPGP Working Group <ietf-openpgp@imc.org>
Message-Id: <CFCF61BD-9281-4F09-AD31-C5AAC38315FE@callas.org>
References: <E1Pf1WI-0007aL-EN@login01.fos.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.1082)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: Maia Mailguard
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hoffman.proper.com id p0I6eIiq019204
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Jan 17, 2011, at 6:42 PM, Peter Gutmann wrote:

> 
> Jon Callas <jon@callas.org> writes:
> 
>> On the other hand, this has never been a problem. It's harder than you think, 
>> because you have to generate a new key each time, which takes a while on RSA.
> 
> Only if you want a secure key. For SSH fuzzy fingerprinting the limiting 
> factor is the hashing, not the rate at which you can crank out keys, as long 
> as you don't mind that the keys aren't very secure. OK, they're not secure at 
> all, but that doesn't matter since you're going for spoofing, not a secure 
> signature forgery.

Good point, you could generate a crap key. Nonetheless, for DSA it's just a number, and those are cheap.

Still, making things better with a full fingerprint is a great idea.

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii

wj8DBQFNNTXHsTedWZOD3gYRAheeAKCL1wAwD0FKBAR5JsZJQJff1x7LZQCg9MpM
gfLvp5yE3cfNqbdGyZvtIgc=
=Q7tP
-----END PGP SIGNATURE-----
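The exchange above turns on one number: how many bits of the fingerprint a verifier actually compares. An added example (written for this archive page, not code from either poster or from PGP) that makes the cost concrete: it builds an OpenPGP v4 public-key packet for a DSA key, computes the RFC 4880 fingerprint (SHA-1 over 0x99, a two-octet length and the packet body), and then grinds out "crap" keys by stepping the public value y, exactly as Jon describes, until the low N bits of the fingerprint match a target. The group parameters P, Q and G are constructed placeholders that merely parse as MPIs, not a valid DSA group, and the victim key is constructed too. Nothing is expensive per attempt except the hash, which is Peter's point.

```python
import hashlib
import itertools
import struct

# Constructed placeholder group parameters: they only need to encode as MPIs.
# They are NOT a valid DSA group; the forged keys are deliberately "crap" keys.
P = (1 << 1023) + 12345
Q = (1 << 159) + 7
G = 2
CREATED = 1295332805  # arbitrary key-creation timestamp (seconds since epoch)


def mpi(n: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI (RFC 4880 section 3.2)."""
    if n == 0:
        return b"\x00\x00"
    nbytes = (n.bit_length() + 7) // 8
    return struct.pack(">H", n.bit_length()) + n.to_bytes(nbytes, "big")


def dsa_public_key_body(created: int, p: int, q: int, g: int, y: int) -> bytes:
    """Body of a v4 public-key packet for DSA (public-key algorithm 17)."""
    return (b"\x04" + struct.pack(">I", created) + b"\x11"
            + mpi(p) + mpi(q) + mpi(g) + mpi(y))


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fpr: bytes) -> bytes:
    """The 64-bit key ID is the low 8 octets of the v4 fingerprint."""
    return fpr[-8:]


def low_bits(fpr: bytes, bits: int) -> int:
    """The low `bits` bits of a fingerprint as an integer."""
    return int.from_bytes(fpr, "big") & ((1 << bits) - 1)


def forge_matching_key(target_fpr: bytes, bits: int, created: int,
                       p: int, q: int, g: int, y_start: int = 1):
    """Step y until the key's fingerprint agrees with target_fpr in its low `bits` bits.

    Returns (y, attempts, fingerprint). For DSA the public value is just a
    number, so each attempt costs one packet build and one SHA-1; no key
    generation is involved. Expected work is about 2**bits attempts.
    """
    want = low_bits(target_fpr, bits)
    for attempts, y in enumerate(itertools.count(y_start), start=1):
        fpr = v4_fingerprint(dsa_public_key_body(created, p, q, g, y))
        if low_bits(fpr, bits) == want:
            return y, attempts, fpr


if __name__ == "__main__":
    # Constructed victim key; its fingerprint is what a spoofer wants to imitate.
    victim = v4_fingerprint(dsa_public_key_body(CREATED, P, Q, G, 12345))
    print("victim fingerprint:", victim.hex())
    y, attempts, forged = forge_matching_key(victim, 16, CREATED, P, Q, G, y_start=1_000_000)
    print("forged fingerprint:", forged.hex(), "after", attempts, "attempts (y =", y, ")")
    print("low 16 bits match:", low_bits(forged, 16) == low_bits(victim, 16))
    print("full fingerprint match:", forged == victim)
```

Raise `bits` to see the curve the thread is arguing about: matching the 32-bit short key ID costs roughly 2^32 hashes, the 64-bit key ID roughly 2^64, and the full 160-bit fingerprint a SHA-1 preimage, which is why comparing the whole fingerprint closes this off while any truncation leaves a grinding attack. If the placeholders were replaced by a real DSA group, choosing a random x and setting y = g^x mod p would cost one modular exponentiation per attempt and would yield keys that also sign, so the cheapness is not an artifact of using invalid parameters.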