Re: [openpgp] Fingerprint schemes versus what to fingerprint
"Derek Atkins" <derek@ihtfp.com> Mon, 11 April 2016 20:07 UTC
Return-Path: <derek@ihtfp.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 270C312EFC4 for <openpgp@ietfa.amsl.com>; Mon, 11 Apr 2016 13:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3bdlfihqOmk for <openpgp@ietfa.amsl.com>; Mon, 11 Apr 2016 13:07:58 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEF0D12EFC8 for <openpgp@ietf.org>; Mon, 11 Apr 2016 13:07:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id C1ED9E2038; Mon, 11 Apr 2016 16:07:52 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 08611-06; Mon, 11 Apr 2016 16:07:47 -0400 (EDT)
Received: by mail2.ihtfp.org (Postfix, from userid 48) id B6D1CE2036; Mon, 11 Apr 2016 16:07:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1460405267; bh=1Xiq1qjvT/J2z2PQHimp5Cm1ATzflsYR/CGjlsBGK2k=; h=In-Reply-To:References:Date:Subject:From:To:Cc; b=UoB0jJqEadz9kTWwVHwieixwbLUHwGxEBqe2zRDmdmCDr4H8wCTqIqc6CWHynSwl8 vaprwG4RI+M7BUfT2C3PFBgXhykf+sGGkyI5j74+F18tuYJQVYRYUaOYoGpDiMLwoc SMtsAKnSyYESUvc6rtpIv4Tp/ChPXQ5Qi2BBC1pc=
Received: from 24.54.172.229 (SquirrelMail authenticated user warlord) by mail2.ihtfp.org with HTTP; Mon, 11 Apr 2016 16:07:47 -0400
Message-ID: <f74b8b4c8f03c3ca2d8ff206ff7f2586.squirrel@mail2.ihtfp.org>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4C57E39@uxcn10-5.UoA.auckland.ac.nz>
References: <43986BDA-010F-4DBF-8989-53E71B74E66A@gmail.com> <20151110021943.GH3896@vauxhall.crustytoothpaste.net> <72665D15-F685-41F6-A477-8E65DBBC5A04@gmail.com> <9A043F3CF02CD34C8E74AC1594475C73F4C42AC4@uxcn10-5.UoA.auckland.ac.nz>, <sjm1t6c40uy.fsf@securerf.ihtfp.org> <9A043F3CF02CD34C8E74AC1594475C73F4C56BF1@uxcn10-5.UoA.auckland.ac.nz>, <9652a57c1e22f4ac3d417aebca44851c.squirrel@mail2.ihtfp.org> <9A043F3CF02CD34C8E74AC1594475C73F4C57DA7@uxcn10-5.UoA.auckland.ac.nz>, <1025d76f337d2f2fe8a11d7626b11158.squirrel@mail2.ihtfp.org> <9A043F3CF02CD34C8E74AC1594475C73F4C57DFB@uxcn10-5.UoA.auckland.ac.nz>, <001f8b61900c9516081eed6ee177bde7.squirrel@mail2.ihtfp.org> <9A043F3CF02CD34C8E74AC1594475C73F4C57E39@uxcn10-5.UoA.auckland.ac.nz>
Date: Mon, 11 Apr 2016 16:07:47 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
User-Agent: SquirrelMail/1.4.22-14.fc20
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/MAs7Ad-7tPvRhdfQdTTJbuskkEo>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, Bryan Ford <brynosaurus@gmail.com>
Subject: Re: [openpgp] Fingerprint schemes versus what to fingerprint
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2016 20:07:59 -0000
On Mon, April 11, 2016 4:00 pm, Peter Gutmann wrote: > Derek Atkins <derek@ihtfp.com> writes: >>On Mon, April 11, 2016 3:42 pm, Peter Gutmann wrote: >>> Derek Atkins <derek@ihtfp.com> writes: >>>>More specifically: when you have your card generate your key material, >>>> you >>>>pull off the public key and then generate your public key, compute your >>>>fingerprint data (including OpenPGP metadata), and also create secring >>>> data >>>>that contains whatever PKCS#11 reference data you need to re-access >>>> that key. >>>>Later when you use that card/key you know how to reference it. >>> >>> Where do you store all this stuff? PKCS #11 doesn't provide a means of >>> storing it, you can search by something like the public key or >>> issuerAndSerialNumber, but not by hash-of-the-public-key-and-nonce. >> >>Like I said, you put it into your secring.skr file. > > But you can't store a secring.skr file on a PKCS #11 device. Or are you > expecting the user to carry around a smart card and a separate USB key > with > all the stuff that can't be stored on the smart card, with an app that > knows > how to combine all the bits and pieces together to make use of it? Okay, now I feel like we're going around in circles. In my VERY FIRST message I asked whether you are expecting the user to make a signature on a system that has never used or seen their key material before? By your lack of answer to that very specific question I went ahead with a workable architecture where, yes, there are data files that need to be carried along with the smartcard. The smartcard is the "protected" data, but there are other data that need to be carried along, too. Maybe this isn't as "pure" as using PKCS#11 for X509. But it certainly is a workable (and working) solution. > Peter. -derek -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant
- [openpgp] Keyholder-configurable fingerprint sche… Bryan Ford
- Re: [openpgp] Keyholder-configurable fingerprint … ianG
- Re: [openpgp] Keyholder-configurable fingerprint … ianG
- Re: [openpgp] Keyholder-configurable fingerprint … brian m. carlson
- [openpgp] Fingerprint schemes versus what to fing… Bryan Ford
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] Fingerprint schemes versus what to … Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] Fingerprint schemes versus what to … Bryan Ford
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] Fingerprint schemes versus what to … Bryan Ford
- Re: [openpgp] Fingerprint schemes versus what to … Bill Frantz
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] Fingerprint schemes versus what to … Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Peter Gutmann
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Derek Atkins
- Re: [openpgp] [FORGED] RE: [FORGED] RE: Fingerpri… Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Peter Gutmann
- Re: [openpgp] Fingerprint schemes versus what to … Derek Atkins
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Mark D. Baushke
- Re: [openpgp] Fingerprint schemes versus what to … Werner Koch
- Re: [openpgp] [FORGED] RE: Fingerprint schemes ve… Werner Koch