Re: [openpgp] New fingerprint: to v5 or not to v5

ianG <iang@iang.org> Sat, 19 September 2015 15:19 UTC

To: openpgp@ietf.org
References: <878u84zy4r.fsf@vigenere.g10code.de>
From: ianG <iang@iang.org>
Message-ID: <55FD7CF0.8030200@iang.org>
Date: Sat, 19 Sep 2015 16:19:12 +0100
In-Reply-To: <878u84zy4r.fsf@vigenere.g10code.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Qo92wwKnhiR8gkydNziYyyCiq9k>
Subject: Re: [openpgp] New fingerprint: to v5 or not to v5

Hi Werner,


On 17/09/2015 19:41 pm, Werner Koch wrote:
> I'd like to get opinions on one specific aspect of a new fingerprint
> format in 4880bis.
>
> In the past we bound the fingerprint format to the key packet version:
> v3 keys used MD5 and v4 keys SHA-1 fingerprints.  This gained us the
> benefit of having a bijective connection between fingerprint and key.

I'm hugely on that side.  I'll always vote for that.  I even staked my 
rep on it :)

http://iang.org/ssl/h1_the_one_true_cipher_suite.html

Which came directly from the experience of hacking PGP & OpenPGP in 
Perl/Java as part of Cryptix.  The tears, the fears, the costs.

So:  the only choice for me is which hash you pick for v5.  If you want 
another one, start planning for v6.


> For X.509 and ssh (OpenSSH), there has always been an uncertainty which
> fingerprint to use because there is no well established standard for it.
> For a long time MD5 was used but then some users switched to SHA-1, and
> meanwhile SHA-256 is also seen more often.  These fingerprint formats
> can easily be distinguished by their length and thus the format itself
> is not a problem.  However, if you ask users to verify the fingerprint
> of a certificate and you give them SHA-1 but they only have access to
> the MD5 fingerprint, things start to go wrong.  Complicated (human)
> reasoning about the identity of a certificate needs to be done.
>
> With OpenPGP it is easier: The specs say that a key is described by one
> and only one fingerprint.  There is no way to assign a different
> fingerprint to the same key.
>
> If we want to introduce a, say, SHA-256 fingerprint, the straightforward
> way is to define a v5 key packet format which will be identical to the
> v4 format with the exception of the packet version number (and maybe
> rules on what algorithms to use with a v5 key) [1].
>
> Such a v5 format also means that it is not possible to switch to the new
> fingerprint format for existing v4 keys.  The v4 keys would continue to
> use SHA-1 fingerprints.


Yes.

> Some people claim that a SHA-1 fingerprint might soon be problematic due
> to collision attacks.  If we assume that this is indeed the case, the
> question is whether switching to SHA-256 for the very same key does
> actually help: The mix of different fingerprints for the same key will
> lead to the same confusion we have seen with X.509 and ssh.  Further, if
> there is a need to switch to a stronger fingerprint format for the same
> key, should the user not also assume that the use of the key has already
> been compromised and it is time to create a new key?


The message is clear to me:  "Start upgrading to v5."

Put your energy in the future.  Put your users' energy into the future...


> Given that we are expecting to soon switch from RSA to ECC for improved
> security and that the current base of OpenPGP implementations supporting
> ECC is quite small, I would recommend not to allow a second fingerprint
> format for v4 keys but to bind a new fingerprint format to a v5 key
> packet version.
>
>
>
> Shalom-Salam,
>
>     Werner
>
>
> [1] I recently talked to the guy who asked a long time ago for a hard
> expiration time in a future key packet format.  He is no longer
> interested in this and thus other technical changes to the key packet
> format are not needed.




iang, who not everyone agrees with...
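The binding discussed above (one hash per key packet version, so a key has exactly one fingerprint and the fingerprint's length identifies the version) as an added illustration, not code from the thread or from any OpenPGP implementation. The v4 branch follows RFC 4880 (SHA-1 over 0x99, two-octet length, packet body); the v5 branch assumes the email's proposal of the same layout with SHA-256, which was not a published format at the time. The key material is constructed and not a real key.

```python
import hashlib
import struct

# Hash bound to the key packet version. v4 -> SHA-1 is RFC 4880; v5 -> SHA-256
# is the proposal in the email and an assumption here. v3/MD5 is omitted
# because v3 hashes only the MPI bodies and would need a different framing.
FINGERPRINT_HASH = {4: "sha1", 5: "sha256"}

# Constructed sample key material (not a real key): RSA-style n and e.
SAMPLE_MPIS = [0xC353F9A1D2E4B76F, 0x10001]
SAMPLE_CREATED = 1442679552  # creation timestamp, arbitrary
RSA_ALGO = 1


def build_key_packet_body(version, created, algo, mpis):
    """Serialize a public-key packet body: version, creation time, algorithm
    id, then each MPI as a two-octet bit-length followed by big-endian bytes."""
    body = struct.pack(">BIB", version, created, algo)
    for value in mpis:
        bits = value.bit_length()
        body += struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")
    return body


def fingerprint(body):
    """Return the single fingerprint of a key packet body. The hash is chosen
    from the version octet, so a v4 key can never carry a SHA-256 fingerprint;
    an unknown version is rejected rather than guessed."""
    version = body[0]
    if version not in FINGERPRINT_HASH:
        raise ValueError(f"unsupported key packet version {version}")
    h = hashlib.new(FINGERPRINT_HASH[version])
    # 0x99 tag octet and two-octet length frame the body before hashing.
    h.update(b"\x99" + struct.pack(">H", len(body)) + body)
    return h.hexdigest()


def version_from_fingerprint(fpr):
    """Recover the packet version from a hex fingerprint by its length alone,
    which works only because each version maps to exactly one hash."""
    by_len = {hashlib.new(n).digest_size * 2: v for v, n in FINGERPRINT_HASH.items()}
    return by_len[len(fpr)]


if __name__ == "__main__":
    for v in (4, 5):
        body = build_key_packet_body(v, SAMPLE_CREATED, RSA_ALGO, SAMPLE_MPIS)
        print(f"v{v} fingerprint: {fingerprint(body)}")
```

Running the block shows that identical key material yields two unrelated fingerprints of different lengths once the version octet changes, which is exactly why a v5 key is a new key rather than a re-hashed v4 one.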