Re: [openpgp] New fingerprint: to v5 or not to v5
ianG <iang@iang.org> Sat, 19 September 2015 15:19 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8167A1B5E7A for <openpgp@ietfa.amsl.com>; Sat, 19 Sep 2015 08:19:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTtgePKpfrNa for <openpgp@ietfa.amsl.com>; Sat, 19 Sep 2015 08:19:22 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FDA11B5E77 for <openpgp@ietf.org>; Sat, 19 Sep 2015 08:19:22 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by virulha.pair.com (Postfix) with ESMTPSA id 65E856D74A; Sat, 19 Sep 2015 11:19:20 -0400 (EDT)
To: openpgp@ietf.org
References: <878u84zy4r.fsf@vigenere.g10code.de>
From: ianG <iang@iang.org>
Message-ID: <55FD7CF0.8030200@iang.org>
Date: Sat, 19 Sep 2015 16:19:12 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <878u84zy4r.fsf@vigenere.g10code.de>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Qo92wwKnhiR8gkydNziYyyCiq9k>
Subject: Re: [openpgp] New fingerprint: to v5 or not to v5
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2015 15:19:24 -0000
Hi Werner, On 17/09/2015 19:41 pm, Werner Koch wrote: > I'd like to get opinions on one specific aspect of a new fingerprint > format in 4880bis. > > In the past we bound the fingerprint format to the key packet version: > v3 keys used MD5 and v4 keys SHA-1 fingerprints. This gained us the > benefit of having a bijective connection between fingerprint and key. I'm hugely on that side. I'll always vote for that. I even staked my rep on it :) http://iang.org/ssl/h1_the_one_true_cipher_suite.html Which came directly from the experience of hacking PGP & OpenPGP in Perl/Java as part of Cryptix. The tears, the fears, the costs. So: the only choice for me is which hash you pick for v5. If you want another one, start planning for v6. > For X.509 and ssh (OpenSSH), there has always been an uncertainty which > fingerprint to use because there is no well established standard for it. > For a long time MD5 was used but then some users switched to SHA-1, and > meanwhile SHA-256 is also seen more often. These fingerprint formats > can easily be distinguished by their length and thus the format itself > is not a problem. However, if you ask users to verify the fingerprint > of a certificate and you given them SHA-1 but they have only access to > the MD5 fingerprint things starts to get wrong. Complicated (human) > reasoning about the identity of a certificate needs to be done. > > With OpenPGP is is easier: The specs say that a key is described by one > and only one fingerprint. There is no way to assign a different > fingerprint to the the same key. > > If we want to introduce a, say, SHA-256 fingerprint, the straightforward > way is to define a v5 key packet format which will be identical to the > v4 format with the exception of the packet version number (and maybe > rules on what algorithms to use with a v5 key) [1]. > > Such a v5 format also means that it is not possible to switch to the new > fingerprint format for existing v4 keys. The v4 keys would continue to > use SHA-1 fingerprints. Yes. > Some people claim that a SHA-1 fingerprint might soon be problematic due > to collision attacks. If we assume that this is indeed the case, the > question is whether switching to SHA-256 for the very same key does > actually help: The mix of different fingerprints for the same key will > lead to the same confusion we have seen with X.509 and ssh. Further, if > there is a need to switch to a stronger fingerprint format for the same > key, should the user not also assume that the use of the key has already > been compromised and it is time to create a new key? The message is clear to me: "Start upgrading to v5." Put your energy in the future. Put your users' energy into the future... > Given that we are expecting to soon switch from RSA to ECC for improved > security and that the current base of OpenPGP implementations supporting > ECC is quite small, I would recommend not to allow a second fingerprint > format for v4 keys but to bind a new fingerprint format to a v5 key > packet version. > > > > Shalom-Salam, > > Werner > > > [1] I recently talked to the guy who asked a long time ago for a hard > expiration time in a future key packet format. He is not anymore > interested in this and thus other technical changes to the key packet > format a not needed. iang, who not everyone agrees with...
- [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 vedaal
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 Simon Josefsson
- Re: [openpgp] New fingerprint: to v5 or not to v5 Daniel Kahn Gillmor
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 Daniel A. Nagy
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: which hash algo (w… Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Watson Ladd
- Re: [openpgp] New fingerprint: to v5 or not to v5 Phillip Hallam-Baker
- Re: [openpgp] New fingerprint: which hash algo (w… Tom Ritter
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Mark D. Baushke
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: which hash algo (w… Simon Josefsson
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: which hash algo ianG
- Re: [openpgp] New fingerprint: which hash algo vedaal
- Re: [openpgp] New fingerprint: which hash algo Steve Pointer
- Re: [openpgp] New fingerprint: which hash algo Alessandro Barenghi
- Re: [openpgp] New fingerprint: which hash algo Robert J. Hansen
- Re: [openpgp] New fingerprint: to v5 or not to v5 Daniel Kahn Gillmor
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Jonathan McDowell
- Re: [openpgp] New fingerprint: to v5 or not to v5 Nicholas Cole
- Re: [openpgp] New fingerprint: to v5 or not to v5 Vincent Breitmoser
- Re: [openpgp] New fingerprint: which hash algo Daniel A. Nagy
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Watson Ladd
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: which hash algo Phillip Hallam-Baker
- Re: [openpgp] New fingerprint: which hash algo ianG
- Re: [openpgp] New fingerprint: which hash algo Daniel Kahn Gillmor
- Re: [openpgp] New fingerprint: which hash algo Phillip Hallam-Baker