IETF Logo Mail Archive

Re: [openpgp] Fingerprints

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 10 April 2015 15:36 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E264E1A1EF6 for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 08:36:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cjoiOQaJPP7k for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 08:36:18 -0700 (PDT)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2565C1A1BE3 for <openpgp@ietf.org>; Fri, 10 Apr 2015 08:36:18 -0700 (PDT)
Received: by lbcga7 with SMTP id ga7so16531306lbc.1 for <openpgp@ietf.org>; Fri, 10 Apr 2015 08:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=IpQ31NutVRG88kYBX9FTh+m81j2yiuCdR54m/AfySZI=; b=GDR+9rB6WavfP9x/Xv0HBD39aiMqu024lKpopoPJq9ZruxJ6J7hv2+P5R00UcCFasO IqOUN0ldhDEL00q61vpxf4Hz5kcfAW29REelG8mGmCZ2Fi/+nq2hzDfRnQRXXiW861Ox zR50r8z/tm0xENUAcN+Por/62dE1XYog0AQFVLWzdD33xABsn3BcVzwJr1uc6MSDI8KR FDEIGYcGs2v0Iag9dnecj0lPnIjbrMA3omBGdBYvy/BFC++rw6RmNX6H0shbWxz1OTNo k17akfzH4EsvtPAhDVBlPeTAbiaurWo2BO0Q5Mykaqbr/uH+bVsoXVH096mERQNwPJuB b1wg==
MIME-Version: 1.0
X-Received: by 10.112.13.7 with SMTP id d7mr1948139lbc.79.1428680176650; Fri, 10 Apr 2015 08:36:16 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.147.165 with HTTP; Fri, 10 Apr 2015 08:36:16 -0700 (PDT)
In-Reply-To: <sjmk2xkf2t8.fsf@securerf.ihtfp.org>
References: <CAMm+LwhbB+-MnGRBCvprgAGOuu+5CJ2rgod7EBGOQR5UNVrspQ@mail.gmail.com> <87y4m0ozlt.fsf@vigenere.g10code.de> <sjmk2xkf2t8.fsf@securerf.ihtfp.org>
Date: Fri, 10 Apr 2015 11:36:16 -0400
X-Google-Sender-Auth: 0pJJeZBUXs5BWkak1uvoRplEALQ
Message-ID: <CAMm+Lwgt+4HVxbQ+Nkt9q8chHuNabir9CKSP6JoGG0ReuLhG9g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Derek Atkins <derek@ihtfp.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/JRIpdPeDmQoRRfHfn4A0f4WZTXc>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [openpgp] Fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 15:36:20 -0000

On Fri, Apr 10, 2015 at 10:58 AM, Derek Atkins <derek@ihtfp.com> wrote:
> Werner Koch <wk@gnupg.org> writes:
>
>> On Fri, 10 Apr 2015 15:23, phill@hallambaker.com said:
>>
>>> There is no need to have an algorithm field, a version field is
>>> sufficient because we should only be using one algorithm at a given
>>
>> Right.  However an algorithm field is as good as a version field because
>> they have the same purpose in this context.  An algorithm field saves us
>> a mapping to the actual algorithm.  Recall that OpenPGP uses an
>> one-octet indentifier and not an OID.
>
> I'm with Werner on this one.  There's not a significant difference
> between a version field and an algorithm field.  Either option adds a
> single byte to the data structure, but using a version field requires
> additional lookup map (from fingerprint version # to hash algorithm).
>
> Maybe that's useful to make sure an attacker doesn't use a "bad" hash
> algorithm for a fingerprint?  But I'd rather just use the hash algorithm
> directly.

Well if we are all going to use the same algorithm, having the leading byte
be 8 (SHA-2-256) or 10 (SHA-2-512) versus 0 hardly makes a difference.

In fact I could continue to use 0 for my OID based scheme and achieve
interop :)


The only downside of this approach is that divergence is easier.


> I presume here you are referring to the "printed" fingerprint, and not
> the "internal" fingerprint?  Internally we'd still use the full length,
> right?  Or would we need to somehow know when (and how) to truncate the
> hash?

We would need something to tell us how many bits we should require in
particular circumstances.

So for example, if I am wanting to send you an email, I should probably
require at least 100 bits. If I am deciding whether to accept a request to
connect to my home network from a set top box, 25 bits is probably
sufficient as only one device is likely to be making a request at a time and
a 1 in a million chance of being fooled is probably OK.


>>> I am also using SHA512 and truncating to 128 bits, then base 32
>>> encoding. The rationale for this is
>>
>> Because there are several versions of BASE-32 I suggest the use of
>> z-base-32 which is used by Tahoe-LAFS and ZRTP.  The truncation length of
>> the hash should be match a best match for the base 32 encoding.
>
> Similarly, I think we should be clear that we're talking about two
> different things here.  Internally (e.g. in a signature packet) it
> should be the binary result, not hex- or base-32 encoded.

Yes, definitely. Base32 is just for display.


>>> * Fingerprints are the root of trust, there is an outside chance that
>>> SHA-2-256 might be broken but breaking SHA-2-512 truncated to 256 bits
>>> is a lot harder because it has 80 rounds rather than 64.
>>
>> I think that should be discussed in the context of the new default hash
>> algorithm.
>>
>>
>>> The bit that will probably be controversial is how I am calculating
>>> them, over an X.509v3 KeyInfo block. There is method to the madness
>>
>> X.509 has no definition for a fingerprint but OpenPG already uses a well
>> defined method to compute the fingerprint.  You can't compare the two
>> protocols or define a unique fingerprint method.
>
> I think "how you take the fingerprint of an X509 key block" should be
> out of scope for the OpenPGP WG.  I think that you can (and should)
> write a separate document that does that.

As long as the identifier is reserved in the OpenPGP registry so there is
no risk of ambiguity, that is OK.

I think that where any draft is discussed is really an issue for the AD and
the WG chairs. It might well be simpler for me if it is outside the WG.


>>> If people really can't stomach ASN.1 code then we could do some other
>>> key format. But the problem then becomes having to specify how to
>>
>> We want to do an rfc4880bis and not an entire new protocol.  Thus any
>> ASN.1 encoding is not an option.
>
> Ditto.  If the goal here is to have the same key material result in the
> same fingerprint regardless of whether it's encoded in OpenPGP or X.509,
> I think the answer is going to be "X.509 people are going to need to
> convert their key material to OpenPGP packet format and feed into the
> hash algorithm".  I see no other way, and frankly any other way is
> madness (for the OpenPGP group).
>
> I'm sure Phill wont like that answer, but I think it's the right answer
> for this (potential) working group.

Phill cares more about the timing of a decision rather than what the
decision is.

v2.23.0 | Report a Bug | By Email