Re: [openpgp] Should fingerprints be "key-canonical"?

KellerFuchs <KellerFuchs@hashbang.sh> Sat, 09 April 2016 23:04 UTC

Date: Sat, 09 Apr 2016 23:03:48 +0000
From: KellerFuchs <KellerFuchs@hashbang.sh>
To: openpgp@ietf.org, jon@callas.org
Message-ID: <20160409230348.GB9034@hashbang.sh>
References: <FF8FBD12-70BC-4417-ACFF-085F1044E536@gmail.com> <5CA36ED3-92DB-4E93-A685-89011D0E0B24@callas.org> <0DBED279-2F24-4330-90C9-F79FE4893657@gmail.com> <8F744860-B361-41C2-9AC1-954E42CAFEDF@callas.org> <87fuuvo4l9.fsf@alice.fifthhorseman.net> <3E66B089-8D26-42EE-998D-5C2B6340131C@callas.org>
In-Reply-To: <3E66B089-8D26-42EE-998D-5C2B6340131C@callas.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/QrXS8cJ23CGTA1EsN8SJUxrUX3Y>
Subject: Re: [openpgp] Should fingerprints be "key-canonical"?

I will avoid re-hashing points that dkg already made.

On Fri, Apr 08, 2016 at 09:07:33PM -0700, Jon Callas wrote:
> 
> > On Apr 8, 2016, at 8:15 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> > 
> > What is the utility here, specifically?
> > 
> > I appreciate making tracking/linkability harder as a goal, but i'm not
> > convinced that this achieves that purpose.
> 
> PGP 3 and thus OpenPGP threw the creation time in there as a quickie salt. I didn't do it. I don't know the full reasons. 
> 
> I originally thought this was dumb. I got turned around, and believe that salting the hash is a good thing. I know that I have used this property so that I can re-use key material, but it's not the total reason.
> 
> I can think of a bunch of half-assed things someone can do with key-canonical fingerprints if they are, say, the NSA. Nothing that's an attack, but just stuff.

Given that the NSA can easily keep around a database of all public
keys and fingerprints they have observed, I would like to know
what that hand-wavy “just stuff” is.

Moreover, what would be the purpose of reusing the same key material?

> If anything, I think that salting the hash ought to be with more than the timestamp. But really, I'd keep the fingerprint computation the same, just with a more modern algorithm than SHA-1. The problem we're trying to solve is that SHA-1 is old. I like to change only one knob at a time.

What purpose does the “salt” serve here?  It doesn't make it harder
to find keys with a similar-looking fingerprint, at least...


> Most of all, I think that semantic properties like this shouldn't change without a reason. At present, there are uses, questionable as they are, for this, and why break it just because?
> 
> Right now, we know that for every fingerprint there is a key (modulo hash collisions), but a key can have many fingerprints. Why do we want to change it so that there's one-to-one correspondence between keys and fingerprints? This sounds to me like it's vaguely surveillance-friendly.

Again, please make this explicit.


Best,

  kf
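For readers unfamiliar with what the thread calls the creation-time "salt", the following is an added Python illustration (not from KellerFuchs's mail, from Jon Callas, or from any OpenPGP implementation) of the RFC 4880 v4 fingerprint computation, run over constructed toy key material with two different creation times, beside a hypothetical "key-canonical" variant that leaves the timestamp out. The toy key, the `compare` helper and the arbitrary SHA-256 choice for the canonical variant are assumptions made here.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a version-4 public key packet: version, creation time, algorithm, MPIs."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def v4_fingerprint(created: int, algo: int, mpis: list) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the 2-octet body length, and the body."""
    body = v4_key_body(created, algo, mpis)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_canonical_fingerprint(algo: int, mpis: list) -> str:
    """Hypothetical 'key-canonical' fingerprint (an assumption for illustration, not a standard):
    hash only the algorithm and key material, so the creation time no longer acts as a salt.
    SHA-256 is an arbitrary choice here."""
    return hashlib.sha256(bytes([algo]) + b"".join(mpi(m) for m in mpis)).hexdigest().upper()


# Constructed toy RSA key material (far too small to be a real key; illustration only).
TOY_RSA_N = 0xC5F1A2B3D4E5F60718293A4B5C6D7E8F
TOY_RSA_E = 65537
ALGO_RSA = 1  # RSA (Encrypt or Sign)


def compare(created_a: int, created_b: int) -> dict:
    """Same key material, two creation times: two v4 fingerprints, but one key-canonical one."""
    fp_a = v4_fingerprint(created_a, ALGO_RSA, [TOY_RSA_N, TOY_RSA_E])
    fp_b = v4_fingerprint(created_b, ALGO_RSA, [TOY_RSA_N, TOY_RSA_E])
    canon = key_canonical_fingerprint(ALGO_RSA, [TOY_RSA_N, TOY_RSA_E])
    return {"v4_a": fp_a, "v4_b": fp_b, "v4_differ": fp_a != fp_b, "canonical": canon}


if __name__ == "__main__":
    r = compare(1460246628, 1460246629)  # creation times one second apart
    print("v4 (t0):   ", r["v4_a"])
    print("v4 (t0+1): ", r["v4_b"])
    print("canonical: ", r["canonical"])
```

The two v4 fingerprints differ although the key material is identical, which is exactly the "one key, many fingerprints" property the thread is weighing against a one-to-one mapping.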