Re: [openpgp] Summary of WG status

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 18 August 2017 19:42 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29A5E1320BB for <openpgp@ietfa.amsl.com>; Fri, 18 Aug 2017 12:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qNAsdTZRmkl4 for <openpgp@ietfa.amsl.com>; Fri, 18 Aug 2017 12:42:27 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 87ACC12426E for <openpgp@ietf.org>; Fri, 18 Aug 2017 12:42:27 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 312C0F99A; Fri, 18 Aug 2017 15:42:26 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 2DCDB215E8; Fri, 18 Aug 2017 15:42:16 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Vincent Breitmoser <look@my.amazin.horse>, "Robert J. Hansen" <rjh@sixdemonbag.org>
Cc: Stephen Paul Weber <singpolyma@singpolyma.net>, openpgp@ietf.org
In-Reply-To: <20170818165311.d2x344yp5x5ys553@calamity>
References: <20170712223852.zmnvw4iwvziqsynq@genre.crustytoothpaste.net> <20170810014751.erufvruh2lm5cdpe@genre.crustytoothpaste.net> <1b68dbbb-38ac-6370-fe20-76be795b2634@sixdemonbag.org> <20170811202924.yiwzjom3tag3ivkk@genre.crustytoothpaste.net> <a2f2973f-2b34-5e07-2651-a1910d992c6a@sixdemonbag.org> <sjmefsef9b6.fsf@securerf.ihtfp.org> <3bff215c-4de7-3994-8f78-5a06caa3fbfe@sixdemonbag.org> <20170815131326.wa5guttvgsp2la5g@calamity> <20170815164507.6111315.47595.68549@singpolyma.net> <8e062827-631e-24b0-3d19-40496c13f29c@sixdemonbag.org> <20170818165311.d2x344yp5x5ys553@calamity>
Date: Fri, 18 Aug 2017 15:42:12 -0400
Message-ID: <87efs8fysr.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/J7CrJS8e5U7trrleVyrT0NGZpoY>
Subject: Re: [openpgp] Summary of WG status
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 19:42:29 -0000

On Fri 2017-08-18 18:53:11 +0200, Vincent Breitmoser wrote:

> From discussions so far I seem to be alone in my doubts that
> increasing the bitsize of the fingerprint even further is a bad
> idea. Still, I'm gonna submit a nay to the record here.

<erstwhile chair hat off, mailing list participant hat only>

I've been looking at, and thinking about, fingerprints and other
identifiers a fair amount for the last several years.  I want to make a
couple observations:

 * most people don't see (or need to see) the fingerprint explicitly.
   for those people, this is a machine-readable value, and not something
   to expose.

 * for the minority who do actually want to "check fingerprints",
   fingerprint-matching need not be done by text string comparison
   today.  there are lots of other clever ways people can do this with
   modern machinery, and we don't need to specify those mechanisms here.

 * some cryptosystems already expose full sha256 values to users in
   marginal cases -- modern OpenSSH fingerprints are base64-encoded
   sha256sums, so there's precedent.

 * the difference in size (in terms of transit) between a 200-bit
   truncation and a full 256-bit SHA256 sum is 7 octets.

 * sha256 has had tons of cryptographic analysis.  Truncated sha256 has
   not had as much.  I don't think there's a risk here, but why deviate
   from what's been directly studied?

 * simplicity is good.

So in balance, i think i lean toward the full sha256.  I recognize that
the additional 7 octets is a downside in some extremely tight
circumstances.  But i think the balance comes out in favor of simplicity
and uniformity for implementations.

    --dkg