Re: [openpgp] Fingerprint requirements for OpenPGP
Vincent Breitmoser <look@my.amazin.horse> Tue, 12 April 2016 08:34 UTC
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/WcpZhIsHhZk7PXD8BTZj2r0CJzE>
Cc: IETF OpenPGP <openpgp@ietf.org>

Daniel Kahn Gillmor(dkg@fifthhorseman.net)@Mon, Apr 11, 2016 at 08:40:22PM -0400:
> * it should be as close as possible to the human attention span -- this
>   is Vincent's point, i think. Humans really can't reliably deal with
>   512 bits of entropy when doing any kind of data entry or comparison.

Yes.

> * it should be cheap to compute from a given key -- you shouldn't need
>   a gig of RAM or a minute of CPU to calculate the fingerprints of any
>   key.

Strictly speaking, we can be slightly less restrictive: It must be cheap
to verify, given a fingerprint, that it's the correct one for a key. This
distinction does not make a difference unless we store the fingerprints as
part of the data format (which we probably shouldn't), so this is more of
an academic point.

> * it should be strong enough that we do not believe anyone can create a
>   key with a fingerprint that collides with another key's fingerprint

Quite importantly, this should be "another *independent* key's
fingerprint", i.e. the requirement is preimage resistance, not collision
resistance. Creating two keys with colliding fingerprints is fine, at
least no one could come up with an attack scenario where it mattered.

 - V
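
The difference between the two requirements discussed in this message can be measured on a deliberately tiny fingerprint. The following is an added example, not part of the original message or of any OpenPGP implementation: the toy fingerprint (the top bits of SHA-256 over constructed key bytes) and all names in it are assumptions made for illustration.

```python
import hashlib
from itertools import count


def fingerprint(key: bytes, bits: int) -> int:
    """Toy fingerprint (assumption): the top `bits` bits of SHA-256(key)."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """One party picks BOTH keys; any matching pair will do (birthday search).

    Expected cost is about 2**(bits/2) tries; the pigeonhole principle
    guarantees an answer within 2**bits + 1 tries.
    """
    seen = {}
    for attempts in count(1):
        key = b"constructed-key-A-%d" % attempts  # constructed sample key
        fp = fingerprint(key, bits)
        if fp in seen:
            return seen[fp], key, attempts
        seen[fp] = key


def find_second_preimage(target_key: bytes, bits: int, max_tries=None):
    """The target is an independent key the searcher did not choose.

    Expected cost is about 2**bits tries. Returns (None, limit) if the
    search budget runs out.
    """
    target = fingerprint(target_key, bits)
    limit = max_tries or (50 << bits)
    for attempts in range(1, limit + 1):
        key = b"constructed-key-B-%d" % attempts  # constructed sample key
        if fingerprint(key, bits) == target:
            return key, attempts
    return None, limit


if __name__ == "__main__":
    BITS = 20  # toy width so both searches finish in seconds
    _, _, n_coll = find_collision(BITS)
    _, n_pre = find_second_preimage(b"constructed-independent-key", BITS)
    print(f"{BITS}-bit toy fingerprint: collision after {n_coll} tries, "
          f"match against an independent key after {n_pre} tries")
```

Doubling `BITS` roughly squares the second search's cost but only doubles the exponent of the first from `BITS/2`, which is why a fingerprint sized for preimage resistance can be half the length of one sized for collision resistance.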