IETF Logo Mail Archive

Re: [openpgp] Should fingerprints be "key-canonical"?

Jon Callas <jon@callas.org> Thu, 07 April 2016 23:34 UTC

Return-Path: <jon@callas.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 102EC12D535 for <openpgp@ietfa.amsl.com>; Thu, 7 Apr 2016 16:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mwpqoXQ0KprC for <openpgp@ietfa.amsl.com>; Thu, 7 Apr 2016 16:34:00 -0700 (PDT)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id EE83F12D11E for <openpgp@ietf.org>; Thu, 7 Apr 2016 16:33:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 7944D94545C3; Thu, 7 Apr 2016 16:33:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QCyuBArd1ppx; Thu, 7 Apr 2016 16:33:57 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 02DF794545A3; Thu, 7 Apr 2016 16:33:56 -0700 (PDT)
Received: from [10.0.23.7] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Thu, 07 Apr 2016 16:33:57 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 07 Apr 2016 16:33:57 -0700
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <0DBED279-2F24-4330-90C9-F79FE4893657@gmail.com>
Date: Thu, 07 Apr 2016 16:33:56 -0700
Message-Id: <8F744860-B361-41C2-9AC1-954E42CAFEDF@callas.org>
References: <FF8FBD12-70BC-4417-ACFF-085F1044E536@gmail.com> <5CA36ED3-92DB-4E93-A685-89011D0E0B24@callas.org> <0DBED279-2F24-4330-90C9-F79FE4893657@gmail.com>
To: Bryan Ford <brynosaurus@gmail.com>
X-Mailer: Apple Mail (2.3124)
Content-Type: multipart/alternative; boundary="Apple-Mail=_D66F3244-0E29-47D4-9B97-A7EC7942E6D6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Q-cWQOWfCD7piAfkk1H4YZA1heU>
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Should fingerprints be "key-canonical"?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 23:34:02 -0000

>> If you do #1, then you make it so that you can't use the same key for multiple purposes. You can't for example use it for aliases and nyms. I think #1 is a bad idea because it tends to turn the fingerprint into a tracking identifier and I think that making your crypto be implicitly tracking-friendly is a bad idea.
> 
> That’s a really good point - I definitely agree with the desirability of making fingerprints less useful as tracking identifiers.  On the other hand, one might argue that there are other ways to address this, e.g., by just having separate keys (or subkeys?) representing nyms.  If you *really* want your nyms to be unlinkable to each other it doesn’t seem avoidable that they’ll need to be based on separate keys and not just different fingerprints for the same key.

Yes, because I can tell you that it's *really* useful to be able to reuse the key material from alice@example.com for (e.g.) jobs@example.com or security, or whatever. I've done it a lot over the years.

There's a related trick that people do in X.509 certs -- you keep a lifetime for your *key* that is longer than the lifetime of the certificate. There are a lot of reasons for it, and a lot of people do it, despite it making the PKIX purists hyperventilate. 

The trick of fingerprint = F(key, stuff) has a lot of uses. We can debate the F, and the stuff, but why toss the principle out? We don't want to make X.509 certs and S/MIME more useful.


> 
>> So let's talk about #2 and #3 as somewhere on a continuum of saying that the fingerprint is a computable database identifier that provides some onewayness from key to fingerprint.
>> 
>> The way OpenPGP presently does it is kinda meh. It achieves the goal that knowing a fingerprint can find a key, but is merely onto, not one-to-one. It is, however, the way that it is.
>> 
>> If you change it, you end up with unknown breakage. I also don't see a *goal*. What problem are you trying to solve? I recognize that creating a new fingerprint algorithm provides an opportunity, but I have to ask why.
>> 
>> If you specify extra data to be thrown in, it gives the future more places to attack fingerprints in clever ways. 
> 
> Agreed, and this consideration definitely seems to argue for a strict 1-to-1 fingerprint-to-key relationship.

So here's what I suggest -- either keep the way that at present the creation time serves as salt, or do something simple like add in an optional short buffer. Length of the hash is fine.

	Jon

v2.23.0 | Report a Bug | By Email