Re: [openpgp] Followup on fingerprints
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 July 2015 04:04 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F4961B2ACB for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 21:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDlgflSDVNFz for <openpgp@ietfa.amsl.com>; Wed, 29 Jul 2015 21:04:12 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id D3EC51B2AC4 for <openpgp@ietf.org>; Wed, 29 Jul 2015 21:04:12 -0700 (PDT)
Received: from fifthhorseman.net (ool-6c3a0662.static.optonline.net [108.58.6.98]) by che.mayfirst.org (Postfix) with ESMTPSA id 2FACAF984 for <openpgp@ietf.org>; Thu, 30 Jul 2015 00:04:12 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 035DB202BD; Thu, 30 Jul 2015 06:04:11 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: IETF OpenPGP <openpgp@ietf.org>
In-Reply-To: <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Thu, 30 Jul 2015 00:04:11 -0400
Message-ID: <87zj2ecmv8.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Lu_Lf9N6Sc8EyV6GPcz7a-In81w>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 04:04:14 -0000
On Wed 2015-07-29 10:31:22 -0400, Phillip Hallam-Baker wrote: > OK one thing from the meeting I forgot to mention, the security > considerations have to address the use of a birthday attack by someone > generating keys. I'll echo Vincent here and ask what specific attack you're concerned about. My current understanding of OpenPGP fingerprints is that we do not need collision resistance as a property of the fingerprint mechanism. We've discussed the possibility of birthday attacks against fingerprints by someone generating keys before, and i've yet to hear a concrete description of any attack that this permits. If there is such an attack, then we need to be really concerned about it now, since the current fingerprinting mechanism (SHA-1) is likely subject to a birthday attack by a motivated and well-financed attacker. > If we are doing ECC, it is quite practical for someone to generate 2^50 > keys and then pick the two that match in the first 100 bits. This can then > be used for attacks, particularly if the keys are not enrolled in some sort > of blockchain. if we want to discuss append-only logs of key material, i'd be happy to see that discussion happen formally in a separate thread, or over in the certificate transparency WG where that sort of thing is already under way. I think dragging blockchains into a discussion on OpenPGP fingerprint mechanisms is a distraction. > The other bit I left out is the idea of compression. The idea here being > that the person generating the key looks for a fingerprint that has 0s for > the first n bits. Then the fingerprint starts with a version number that > says 'the first 32 bits are 0s' or whatever. [...] > My preference is to just truncate and use the inferred length. That allows > us to minimize the amount of data we need to put in front of the user > without compromising security. These two proposals seem incompatible to me. If you give me a fingerprint that is shorter than the expected length, and both mechanisms are available, how am i supposed to know whether you've given me a truncated fingerprint or a "compressed" fingerprint? > Lets say that in 2020 Alice meets Bob and they exchange their fingerprints > via a 150 bit QR code. Alice's smartphone goes to the mesh and pulls the > corresponding profile which has Bob's key and full 512 bit fingerprint. The > phone then stores the big fingerprint for Bob in her contacts directory. Wouldn't the phone just store the key itself instead of the fingerprint? Why does the fingerprint matter in this scenario after the initial introduction? --dkg
- [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Wyllys Ingersoll
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Gregory Maxwell
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Peter Pentchev
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Derek Atkins
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Nicholas Cole
- Re: [openpgp] Followup on fingerprints Werner Koch
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Followup on fingerprints Phillip Hallam-Baker
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Vincent Breitmoser
- Re: [openpgp] Followup on fingerprints Bill Frantz
- Re: [openpgp] Followup on fingerprints ianG
- Re: [openpgp] Followup on fingerprints Bill Frantz