IETF Logo Mail Archive

Re: [openpgp] Version 5 key and fingerprint proposal

Werner Koch <wk@gnupg.org> Tue, 14 March 2017 10:22 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14B31293DC for <openpgp@ietfa.amsl.com>; Tue, 14 Mar 2017 03:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5GSjF3T1XMFy for <openpgp@ietfa.amsl.com>; Tue, 14 Mar 2017 03:22:18 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6B46127ABE for <openpgp@ietf.org>; Tue, 14 Mar 2017 03:22:18 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.84_2 #1 (Debian)) id 1cnjap-00023J-W5 for <openpgp@ietf.org>; Tue, 14 Mar 2017 11:22:16 +0100
Received: from wk by wheatstone.g10code.de with local (Exim 4.84 #3 (Debian)) id 1cnjWh-0007V7-3p; Tue, 14 Mar 2017 11:17:59 +0100
From: Werner Koch <wk@gnupg.org>
To: Jon Callas <joncallas@icloud.com>
References: <87varlou5m.fsf@wheatstone.g10code.de> <20170307230605.GA2@hashbang.sh> <87efy8ntcx.fsf@wheatstone.g10code.de> <20170309174531.GB2@hashbang.sh> <20170309184745.GC2@hashbang.sh> <CABcZeBMhpXy-e9Mtp8LwfqfAVW_ks3JBw1H2N3H_0c4gpQBqpg@mail.gmail.com> <DAC23A62-14BF-4AAA-8E52-09029B279E8F@icloud.com> <87varhculg.fsf@wheatstone.g10code.de> <2BC88897-B957-4E4E-B109-DFF4EFA14B4D@icloud.com>
Organisation: The GnuPG Project
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: url=https://k.gnupg.net/80615870F5BAD690333686D0F2AD85AC1E42B367
Mail-Followup-To: Jon Callas <joncallas@icloud.com>, IETF OpenPGP <openpgp@ietf.org>
Date: Tue, 14 Mar 2017 11:17:48 +0100
In-Reply-To: <2BC88897-B957-4E4E-B109-DFF4EFA14B4D@icloud.com> (Jon Callas's message of "Fri, 10 Mar 2017 14:13:35 -0800")
Message-ID: <87mvco40xf.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=Indigo_Clinton_Dick_Cheney_subversive_S_Box_ASO_Operation_Iraqi=Free"; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/JQuSAqZnGGZvVMsKD-gHP3MOytg>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] Version 5 key and fingerprint proposal
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 10:22:20 -0000

On Fri, 10 Mar 2017 23:13, joncallas@icloud.com said:

> This is a different suggestion, one about SHA512/t, which has an
> output length of 't' bits. It's a cute little hack that NIST put on
> top of SHA-512 to get a variable-output hash function.

Thanks for the pointer.  However this changes the semantics:

With SHA512/t we need to settle for a certain truncation because the
fingerprint depends on T.  The proposal defines a 32 byte fingerprint
and only uses truncated versions for the two signature subpackets and
the ECDH magic string.  Thus when a SHA-256 truncated to 200 bits shows
weaknesses, we only need to change the signature subpackets to use the
full 256 bits to address this weakness.  The fingerprint however will
not change and there won't be a need to create new keys.

You are right that computing a fingerprint should not be a performance
problem.  Thus we could also use SHA-512 as fingerprint algorithm and
truncate it to 200 bits.  I am actually slightly in favor of using
SHA-512 (but not SHA-512/t).

What do others think:

 - Use SHA-256 and truncated to 200 bits
 - Use SHA-512 and truncated to 200 bits
 - Anything else


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

v2.23.0 | Report a Bug | By Email