[openpgp] New fingerprint: to v5 or not to v5
Werner Koch <wk@gnupg.org> Thu, 17 September 2015 18:45 UTC
Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57A21B30F8 for <openpgp@ietfa.amsl.com>; Thu, 17 Sep 2015 11:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMrkex0SJ0Jk for <openpgp@ietfa.amsl.com>; Thu, 17 Sep 2015 11:45:53 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 814001B30D8 for <openpgp@ietf.org>; Thu, 17 Sep 2015 11:45:53 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2 (Debian)) id 1ZceBr-0005fG-PG for <openpgp@ietf.org>; Thu, 17 Sep 2015 20:45:51 +0200
Received: from wk by vigenere.g10code.de with local (Exim 4.84 #3 (Debian)) id 1Zce84-0006Gn-J9 for <openpgp@ietf.org>; Thu, 17 Sep 2015 20:41:56 +0200
From: Werner Koch <wk@gnupg.org>
To: IETF OpenPGP <openpgp@ietf.org>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: IETF OpenPGP <openpgp@ietf.org>
Date: Thu, 17 Sep 2015 20:41:56 +0200
Message-ID: <878u84zy4r.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/Zh1sqHZD8sVUfsW4OrMNx3dq4Ss>
Subject: [openpgp] New fingerprint: to v5 or not to v5
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 18:45:55 -0000
Hi! I'd like to get opinions on one specific aspect of a new fingerprint format in 4880bis. In the past we bound the fingerprint format to the key packet version: v3 keys used MD5 and v4 keys SHA-1 fingerprints. This gained us the benefit of having a bijective connection between fingerprint and key. For X.509 and ssh (OpenSSH), there has always been an uncertainty which fingerprint to use because there is no well established standard for it. For a long time MD5 was used but then some users switched to SHA-1, and meanwhile SHA-256 is also seen more often. These fingerprint formats can easily be distinguished by their length and thus the format itself is not a problem. However, if you ask users to verify the fingerprint of a certificate and you given them SHA-1 but they have only access to the MD5 fingerprint things starts to get wrong. Complicated (human) reasoning about the identity of a certificate needs to be done. With OpenPGP is is easier: The specs say that a key is described by one and only one fingerprint. There is no way to assign a different fingerprint to the the same key. If we want to introduce a, say, SHA-256 fingerprint, the straightforward way is to define a v5 key packet format which will be identical to the v4 format with the exception of the packet version number (and maybe rules on what algorithms to use with a v5 key) [1]. Such a v5 format also means that it is not possible to switch to the new fingerprint format for existing v4 keys. The v4 keys would continue to use SHA-1 fingerprints. Some people claim that a SHA-1 fingerprint might soon be problematic due to collision attacks. If we assume that this is indeed the case, the question is whether switching to SHA-256 for the very same key does actually help: The mix of different fingerprints for the same key will lead to the same confusion we have seen with X.509 and ssh. Further, if there is a need to switch to a stronger fingerprint format for the same key, should the user not also assume that the use of the key has already been compromised and it is time to create a new key? Given that we are expecting to soon switch from RSA to ECC for improved security and that the current base of OpenPGP implementations supporting ECC is quite small, I would recommend not to allow a second fingerprint format for v4 keys but to bind a new fingerprint format to a v5 key packet version. Shalom-Salam, Werner [1] I recently talked to the guy who asked a long time ago for a hard expiration time in a future key packet format. He is not anymore interested in this and thus other technical changes to the key packet format a not needed. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
- [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 vedaal
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 Simon Josefsson
- Re: [openpgp] New fingerprint: to v5 or not to v5 Daniel Kahn Gillmor
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 Daniel A. Nagy
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: which hash algo (w… Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Watson Ladd
- Re: [openpgp] New fingerprint: to v5 or not to v5 Phillip Hallam-Baker
- Re: [openpgp] New fingerprint: which hash algo (w… Tom Ritter
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Mark D. Baushke
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 ianG
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: which hash algo (w… Simon Josefsson
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: which hash algo ianG
- Re: [openpgp] New fingerprint: which hash algo vedaal
- Re: [openpgp] New fingerprint: which hash algo Steve Pointer
- Re: [openpgp] New fingerprint: which hash algo Alessandro Barenghi
- Re: [openpgp] New fingerprint: which hash algo Robert J. Hansen
- Re: [openpgp] New fingerprint: to v5 or not to v5 Daniel Kahn Gillmor
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Jonathan McDowell
- Re: [openpgp] New fingerprint: to v5 or not to v5 Nicholas Cole
- Re: [openpgp] New fingerprint: to v5 or not to v5 Vincent Breitmoser
- Re: [openpgp] New fingerprint: which hash algo Daniel A. Nagy
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: to v5 or not to v5 Peter Gutmann
- Re: [openpgp] New fingerprint: to v5 or not to v5 Watson Ladd
- Re: [openpgp] New fingerprint: to v5 or not to v5 Werner Koch
- Re: [openpgp] New fingerprint: which hash algo Phillip Hallam-Baker
- Re: [openpgp] New fingerprint: which hash algo ianG
- Re: [openpgp] New fingerprint: which hash algo Daniel Kahn Gillmor
- Re: [openpgp] New fingerprint: which hash algo Phillip Hallam-Baker