Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

[Nicholas Cole <nicholas.cole@gmail.com>]

On Saturday, 15 March 2014, Jon Callas <jon@callas.org> wrote:

> On Mar 14, 2014, at 10:03 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net<javascript:;>>
> wrote:
>
> > i'm just imagining a troubling use case in terms of UI (maybe it isn't
> > an issue):
> >
> > Alice and Bob have keys; Alice decides she wants to frame Bob.  Alice
> > makes a ring signature with her key and with Bob's key at time T over a
> > document that is particularly terrible.  She then sets her computer's
> > clock back to time T-1 and expires or revokes her own key.
> >
> > Carol comes along and checks the signature on the terrible document.
> > her OpenPGP implementation says "this signature was made by either Alice
> > or Bob, but Alice's key was expired/revoked"
> >
> > If Carol is naive, the implication she might take away from such a UI is
> > that Alice couldn't have made the signature, therefore it must have been
> > Bob that said the terrible thing.
> >
> > I don't know how to clarify the UI to avoid giving that impression.
>
> I confess that I don't see it as an issue.
>
> There's part of me that wants to say ironically, "Well, I guess we
> shouldn't do it, then!" But I don't want to be dismissive of your point.
>
> But I would also say that a lot of what you're saying is just hard to do
> -- like revocation. Revocation doesn't work and *can't* work the way one
> might naively expect it. The situation you describe exists today in a
> slightly mutated form. Here's an example:
>
> Bob is a politician and wants to repudiate a previous position he used to
> have, so he sets his clock back, revokes his own key and then claims that
> all the signatures made after that date come from his computer having been
> hacked back in the day.


That is an interesting 'attack' on your own key. Never rely on the date of
a revocakation signature is obvious when you think about it.  It does make
you wonder if signature packets like this should have dates at all.  They
make everything much more complicated in some ways...


It's really the same problem, just with a one-person variety. It boils down
> to the fact that revocation doesn't really work, beyond trivial cases.
>
> Now on the other hand, ages ago, we discussed ring signatures, and a use
> case that I wanted to do was to make it so that whenever Alice sends Bob a
> signed email or other casual message, she would (could?) sign it with a
> ring signature of her key and Bob's. Bob knows that he didn't sign it so he
> knows that Alice did.
>
> Of course, it's one of those things that are cool, and yet it's hard to
> say what it actually does to improve anything.
>

It also breaks the metaphor of a 'signature' too: the signatures we
currently have work in a very similar way to the ideal real-world
signature. This type of signature doesn't: it is a signature only specific
people can verify, or rather, a signature that could have been made by any
one of a number of people. The problem might then become proving you were
*not* the person who made it, rather than the person who did, and proving a
negative is impossible. I think for that reason I'm not sure would welcome
it being added to gpg.  "Yes, that is a signature that I could have made,
but I didn't" is not an easy position...

N.