Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]

Vincent Yu <v@v-yu.com> Fri, 14 March 2014 14:36 UTC

Return-Path: <v@v-yu.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAE8E1A014F for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 07:36:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYVJCnQoe59Q for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 07:36:35 -0700 (PDT)
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.200]) by ietfa.amsl.com (Postfix) with ESMTP id D17D91A0154 for <openpgp@ietf.org>; Fri, 14 Mar 2014 07:36:35 -0700 (PDT)
Received: from smtp3.hushmail.com (localhost [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id 317A1E0739 for <openpgp@ietf.org>; Fri, 14 Mar 2014 14:36:29 +0000 (UTC)
Received: from smtp.hushmail.com (w6.hushmail.com [65.39.178.92]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp3.hushmail.com (Postfix) with ESMTPS; Fri, 14 Mar 2014 14:36:27 +0000 (UTC)
Message-ID: <891a98dba0a4fc958cc40dcef9c83825@smtp.hushmail.com>
Date: Fri, 14 Mar 2014 10:36:23 -0400
From: Vincent Yu <v@v-yu.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Peter Pentchev <roam@ringlet.net>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <23C2DE82-93B7-48A6-95A6-14B4F5DD1F42@callas.org> <3e9143bf60d2252a67149eb4b984bcdb@smtp.hushmail.com> <532268E5.8090001@fifthhorseman.net> <1e053aff143a868d303cb483949bcd31@smtp.hushmail.com> <20140314142447.GA6744@straylight.m.ringlet.net>
In-Reply-To: <20140314142447.GA6744@straylight.m.ringlet.net>
X-Enigmail-Version: 1.6
OpenPGP: id=d28d7c4078b3742a; url=https://v-yu.com/pubkeys/openpgp.asc
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="iBsSK7noad0TtiLeX39MKKnF5BNOicfxS"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/Xd9-urxZsfTP-q04NP01_lf3xu4
Cc: openpgp@ietf.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 14:36:38 -0000

On 03/14/2014 10:24 AM, Peter Pentchev wrote:
> On Thu, Mar 13, 2014 at 10:39:31PM -0400, Vincent Yu wrote:
>> Thanks for the info. I will likely follow your suggestion and modify
>> my proposal to use V4 fingerprints rather than key IDs.
>
> Hm, how exactly would this deal with the existence of multiple signing
> subkeys, all associated with the same master public key?  Your current
> proposal explicitly allows for that, using the key IDs; I guess there
> might be a need to include *both* the fingerprint of the master key
> *and* some kind of identification of the subkey actually used for
> signing.

Isn't there a V4 fingerprint defined for every key, including for each 
subkey? I think it would be okay just to include the fingerprints of all 
possible signing keys, regardless of whether they are primary keys or 
subkeys.

If I've misunderstood something, please let me know.

Thanks,
Vincent