Re: [openpgp] Fingerprint schemes versus what to fingerprint
"Derek Atkins" <derek@ihtfp.com> Mon, 11 April 2016 16:21 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/KcEFtOaRG6YjSIgGTs3ap0xj7tE>
Hi,

On Mon, April 11, 2016 11:41 am, Peter Gutmann wrote:
> Derek Atkins <derek@ihtfp.com> writes:
>
>>3) You have a smart card with raw key material and want to see which
>>   OpenPGP keys are there.
>
> That's PKCS #11, which means pretty much all crypto hardware that uses a
> standardised interface.

Are you expecting this would work in a vacuum? I.e., would you expect that you can take your OpenPGP smart card to a fresh system on which you've never used OpenPGP ever and be able to plug in that smart card and have it be able to sign a document?

If the answer is "no", then you're fine. You can have private key lookup metadata on the OpenPGP system online that gives you the handle to the PKCS11 key.

If the answer is "yes", then the follow up question is whether there are additional data available (e.g. storing associated public keys/certs) that you could use to provide the additional metadata.

But I only see this being an issue where you want to make a signature (which needs to know your keyID) using a smartcard on a system that does not contain any additional metadata. Is this a real use case?

>>*) Other use cases???
>
> You have keys stored in a non-PGP format.  It makes keys from anywhere else
> pretty much unusable for PGP because you can't look them up.

It depends. If I've got an X509 cert I can convert that to an OpenPGP cert, and all the appropriate metadata is there. I admit I'm not familiar enough with PKCS12 to know what data is included there, or whether there is enough information in an X509 private key data file to stand on its own.

>>It means that if someone reuses the key material then you cannot
>>differentiate the original from the subsequent certificate.
>
> That assumes you re-use the same key over and over, rather than just
> generating a fresh key when you need one.  That's X.509 practice, not PGP.
>
> Peter.

Yes, it does assume that. This goes back to my arguments that we should include expiration time in the key identifier/fingerprint so that there is a hard expiration. In order to change that you could copy the key material but it would necessarily be a new "key" (certificate) because changing the expiration would change the keyID/fingerprint.

-derek

-- 
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
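Added example, not part of the original message or of any OpenPGP implementation: the RFC 4880 v4 fingerprint hashes the creation time and key material but not the expiration, which lives in a self-signature, so an expiry change leaves the fingerprint and key ID untouched. `expiry_bound_fingerprint`, its byte layout and its use of SHA-256 are hypothetical, sketching the proposal above; the RSA modulus and timestamps are constructed sample values.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet body: version, creation time, algo 1, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def framed(body: bytes) -> bytes:
    """Fingerprint input framing from RFC 4880 12.2: 0x99, 2-octet length, body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over the framed key packet."""
    return hashlib.sha1(framed(body)).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The v4 key ID is the low-order 64 bits of the fingerprint."""
    return fingerprint[-16:]

def expiry_bound_fingerprint(body: bytes, expires: int) -> str:
    """HYPOTHETICAL: also hash a 4-octet absolute expiration time (assumed layout)."""
    return hashlib.sha256(framed(body) + struct.pack(">I", expires)).hexdigest().upper()

def demo() -> dict:
    n = (2**127 - 1) * (2**89 - 1)      # constructed toy modulus, not a usable key
    created, year = 1460000000, 365 * 24 * 3600
    body = v4_key_body(created, n, 65537)
    return {
        # v4: expiration is not an input, so extending it keeps the same identity.
        "v4_fpr": v4_fingerprint(body),
        "v4_keyid": key_id(v4_fingerprint(body)),
        # v4 does bind creation time: same key material, new timestamp, new fingerprint.
        "v4_fpr_recreated": v4_fingerprint(v4_key_body(created + 1, n, 65537)),
        # Hypothetical scheme: same key material, different expiry, different identity.
        "bound_1y": expiry_bound_fingerprint(body, created + year),
        "bound_2y": expiry_bound_fingerprint(body, created + 2 * year),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```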