IETF Logo Mail Archive

Re: [openpgp] Fingerprints and their collisions resistance

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 05 January 2013 23:22 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FC3921F8445 for <openpgp@ietfa.amsl.com>; Sat, 5 Jan 2013 15:22:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsrmJzAht+W9 for <openpgp@ietfa.amsl.com>; Sat, 5 Jan 2013 15:22:12 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 8F1BE21F8444 for <openpgp@ietf.org>; Sat, 5 Jan 2013 15:22:12 -0800 (PST)
Received: from [192.168.42.104] (h-67-101-156-50.nycmny83.dynamic.covad.net [67.101.156.50]) by che.mayfirst.org (Postfix) with ESMTPSA id 3169FF970; Sat, 5 Jan 2013 18:22:09 -0500 (EST)
Message-ID: <50E8B59C.4010807@fifthhorseman.net>
Date: Sat, 05 Jan 2013 18:22:04 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Icedove/17.0
MIME-Version: 1.0
To: Werner Koch <wk@gnupg.org>
References: <50E530D6.6020609@brainhub.org> <50E5494E.6090905@iang.org> <50E60748.3040103@brainhub.org> <50E60F7A.8000001@fifthhorseman.net> <50E61BF7.4020905@brainhub.org> <50E88141.1030907@iang.org> <87vcbb9qpu.fsf@vigenere.g10code.de>
In-Reply-To: <87vcbb9qpu.fsf@vigenere.g10code.de>
X-Enigmail-Version: 1.5
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="----enig2OBKWOHLBFKMLBHWAKMSN"
Cc: openpgp@ietf.org, ianG <iang@iang.org>
Subject: Re: [openpgp] Fingerprints and their collisions resistance
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Jan 2013 23:22:13 -0000

On 01/05/2013 06:04 PM, Werner Koch wrote:
> On Sat,  5 Jan 2013 20:38, iang@iang.org said:
> 
>> Fingerprints aren't really for the wire, and if you use them for the
>> wire, you're exercising your right to develop your own security model
>> and threat model.  For my money - don't do that.
> 
> The fingerprint is used for an revocation key (5.2.3.15).  However, your
> policy may simply disallow the use of a revocation key if this is a
> threat to you.

iirc, there was a rough consensus within this working group that this
was probably a mistake in RFC 4880, and any future revision of the draft
should place the full key material into the revocation key subpacket
instead of the key's fingerprint.

	--dkg

v2.23.0 | Report a Bug | By Email