IETF Logo Mail Archive

Re: [openpgp] Followup on fingerprints

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 July 2015 15:48 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69EDA1B2C80 for <openpgp@ietfa.amsl.com>; Thu, 30 Jul 2015 08:48:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VKV6bo5bEDJX for <openpgp@ietfa.amsl.com>; Thu, 30 Jul 2015 08:48:25 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 5DAEC1B2C62 for <openpgp@ietf.org>; Thu, 30 Jul 2015 08:48:18 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 17B53F984; Thu, 30 Jul 2015 11:48:16 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 2590E2022A; Thu, 30 Jul 2015 17:48:17 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Phillip Hallam-Baker <phill@hallambaker.com>
In-Reply-To: <CAMm+LwgKmcTes=V7uS3MjCQixWCo-i7PY=VE7eCHSqt3Ho3OSg@mail.gmail.com>
References: <CAMm+LwgTcn8CY+Zk-f9gzXQtMJezG97T+kx2=C7PR5g7zFer_A@mail.gmail.com> <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com> <87zj2ecmv8.fsf@alice.fifthhorseman.net> <CAMm+LwgKmcTes=V7uS3MjCQixWCo-i7PY=VE7eCHSqt3Ho3OSg@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Thu, 30 Jul 2015 11:48:17 -0400
Message-ID: <87a8udd4u6.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/_Y52sGPwBEVgkDPVuPwwgjhIh6Y>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] Followup on fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 15:48:27 -0000

On Thu 2015-07-30 10:44:48 -0400, Phillip Hallam-Baker wrote:
> That does not mean we have to support those applications. But it does
> mean that we have to write a security consideration telling people we
> have (1) considered the issue and that (2) either it isn't a problem
> or you should do stuff that is going to be affected.

Completely agreed that the security considerations should make a point
of calling out what we think are legitimate and illegitimate uses of a
fingerprint.

> The concern here is that Mallet generates two keys that have the
> fingerprints
>
> Mxxxx-xxxxx-xxxxx-xxxxx-xxxx1 'M1' and .
> Mxxxx-xxxxx-xxxxx-xxxxx-xxxx2 'M2'
>
> Mallet joins an open source project which only takes the first 100 bits for
> the fingerprint. He uploads the key for M1 to a keyserver.
>
> He then commits a large number of malicious patches using M2 for
> authentication. These are all authenticated against his public key M2 when
> he does the commit but the repository uses the key sent in band and does
> not keep the key for later verification.
>
> At this point, any attempt to hold Mallet accountable is going to have to
> rely on a human examining the logs and working out that Mallet must have
> generated the malicious pair of keys. There is going to be no way to unwind
> the thing automatically.

In either scenario, the committed code is done by Mallet, who was
explicitly authorized by the system to commit code.  So the failure here
is one of auditing, right?

And i think the implementation recommendation that would solve the
auditing problem here is "do not store fingerprints when you could be
storing keys" -- right?

Are there any other attacks we should be aware of due to failures of
collision resistance in the fingerprint?

> The connection is that each blockchain output can be used as an axiom of
> trust.

I don't know what an "axiom of trust" is, or why i would believe that
anything coming out of the blockchain would be one.  The properties i
think you're asking for are those of a global, append-only log.  whether
that's implemented by a blockchain or not seems like an implementation
detail.

> Since the purpose of fingerprints is to represent roots of trust, this
> is a possible use case that the spec should be capable of
> accommodating without opening up the question of how precisely that
> would be achieved.

Sure, so i think we're saying that fingerprints should be well-defined
enough to be entered into a global append-only log.  Do we need more
than that?

>> > The other bit I left out is the idea of compression. The idea here being
>> > that the person generating the key looks for a fingerprint that has 0s for
>> > the first n bits. Then the fingerprint starts with a version number that
>> > says 'the first 32 bits are 0s' or whatever.
>>  [...]
>> > My preference is to just truncate and use the inferred length. That
>> allows
>> > us to minimize the amount of data we need to put in front of the user
>> > without compromising security.
>>
>> These two proposals seem incompatible to me.  If you give me a
>> fingerprint that is shorter than the expected length, and both
>> mechanisms are available, how am i supposed to know whether you've given
>> me a truncated fingerprint or a "compressed" fingerprint?
>
> Well, the fingerprint version tag would have to flag that encryption is
> being used. So instead of the fingerprint being Mxxxx-.... (SHA2-512) or
> Sxxxx-... (SHA3-512), it might be Xxxxx-...

By "encryption" do you mean truncation or "leading-zero compression"?
it seems like we're starting to come up with multidimensional
representations of fingerprint formats.  I'm already uneasy with the
idea of having multiple forms of fingerprint -- if i'm given form M on
my peer's business card, and then i'm shown a key by my software that
uses form S (or form XS or form XM or whatever) how am i supposed to
compare them?

>> Wouldn't the phone just store the key itself instead of the
>> fingerprint?  Why does the fingerprint matter in this scenario after
>> the initial introduction?
>
> OK, 'at least the 512 bit fingerprint'...
>
> Which you do probably depends on if you are using ECC or RSA. With RSA,
> those 2048 bit keys start to bulk up...
 [...]
> It might sound a bit extreme, but since I started in the business, machines
> have gotten roughly a million times faster and have a million times the
> memory. 30 keypairs instead of one does not seem like a big deal.

Following this logic, i think the answer is still that the endpoints
should store the keys that they think are currently valid and not the
fingerprints.  Fingerprints aren't for storage, they're either for
discovery or for verification.

          --dkg

v2.23.0 | Report a Bug | By Email