Re: [openpgp] New fingerprint: to v5 or not to v5

Werner Koch <wk@gnupg.org> Mon, 12 October 2015 14:11 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB241B32DF for <openpgp@ietfa.amsl.com>; Mon, 12 Oct 2015 07:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gU5YLmrHB7w1 for <openpgp@ietfa.amsl.com>; Mon, 12 Oct 2015 07:11:08 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FA581B32DD for <openpgp@ietf.org>; Mon, 12 Oct 2015 07:11:08 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2 (Debian)) id 1Zldog-0000qX-2m for <openpgp@ietf.org>; Mon, 12 Oct 2015 16:11:06 +0200
Received: from wk by vigenere.g10code.de with local (Exim 4.84 #3 (Debian)) id 1Zldlg-0006Go-6r; Mon, 12 Oct 2015 16:08:00 +0200
From: Werner Koch <wk@gnupg.org>
To: Vincent Breitmoser <look@my.amazin.horse>
References: <878u84zy4r.fsf@vigenere.g10code.de> <87fv1xxe5w.fsf@alice.fifthhorseman.net> <87r3lgcup8.fsf@vigenere.g10code.de> <CACsn0c=-LKagSqTbgOV1W4Gu4u-f6vpVq82-nWSLGogjoeFKeg@mail.gmail.com> <CAMm+LwjeKDKnN2ZAisbKhWVS4kwCEm_VvcZ1MtftYzEJQpGdhg@mail.gmail.com> <87y4fi5wa9.fsf@vigenere.g10code.de> <9A043F3CF02CD34C8E74AC1594475C73F4B278ED@uxcn10-5.UoA.auckland.ac.nz> <8737xp5z45.fsf@vigenere.g10code.de> <56128637.6030504@iang.org> <87wpuvx4o1.fsf@alice.fifthhorseman.net> <9A043F3CF02CD34C8E74AC1594475C73F4B2EE19@uxcn10-5.UoA.auckland.ac.nz> <87d1wkjnp8.fsf@littlepip.fritz.box>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: Vincent Breitmoser <look@my.amazin.horse>, "openpgp\@ietf.org" <openpgp@ietf.org>, Jon Callas <jon@callas.org>
Date: Mon, 12 Oct 2015 16:07:59 +0200
In-Reply-To: <87d1wkjnp8.fsf@littlepip.fritz.box> (Vincent Breitmoser's message of "Mon, 12 Oct 2015 14:06:27 +0200")
Message-ID: <87egh0w56o.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/I5qoNuIsyAh2hsDwj7kgxs13_6U>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] New fingerprint: to v5 or not to v5
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 14:11:10 -0000

On Mon, 12 Oct 2015 14:06, look@my.amazin.horse said:
> The creation date in the fingerprint is used for two purposes I can
> think of:

and this one:

Thirdly, to figure out a suitable subkey for encryption.  For this case
I see no security problem to put the creation date into a key-binding
signature.  IT needs quite some code chnages though.

> Including the key material as the only dynamic part of the fingerprint
> is the most basic decision.  So the question becomes, do we have a good
> reason to include anything more?  For the creation date in particular,

I don't think so.  v3 keys didn't include the timestamp in the
fingerprint but had other problems.  Maybe this was just an
over-cautiousness from the PGP-5 architects.  Jon: Do you remember?

Assuming we leave the timestamp out of the fingerprint but still sign it
with the self- and key-binding signatures, how does it change the attack
model:

For a key without any third party key-signatures, the holder of the key
can change the creation date arbitrarily while keeping the same
fingerprint.  The immediate problem will be that keyservers and other
code may choke on the timestamp conflict because they may assume two
keys with the same fingerprint are identical.  Even today keys may not
be identical because there are different ways to encode the packet
length.  I doubt that this is or should be a problem which cannot be
fixed while adding v5 format.  The holder of the key can change the
expiration time of the key by adjusting the creation timestamp.  He is
also able to do this today by issuing a new self-signature.

If the key has a third party key-signature any change of the creation
time can be detected.  If key-signatures are part of the trust model
such a change will be detected.

I conclude that leaving out the timestamp from the fingerprint
computation is only a problem for "self-signed" keys where the trust
model is based solely on the fingerprint, and relies on the creation
date.  Not something I would worry about.

> Just for brainstorming, the other extreme would be allowing arbitrary
> properties (e.g. signature subpackets) to be included in the
> fingerprint, allowing an implementation to have properties which can

We had a similar discussion already related to a fixed expiration time.
Although this hard-wired expiration time was not considered to be part
of the fingerprint, no valid use-case for this irrevocable signature
attribute was shown.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.