Re: [openpgp] Fingerprint requirements for OpenPGP

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 14 April 2016 19:29 UTC

Sender: Phillip Hallam-Baker <hallam@gmail.com>
Date: Thu, 14 Apr 2016 19:29:52 +0000
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Bill Frantz <frantz@pwpconsult.com>, IETF OpenPGP <openpgp@ietf.org>
Message-ID: <994C5976EA09B556.C7F805B4-A4A2-4B9D-827C-A320136C493A@mail.outlook.com>
In-Reply-To: <r470Ps-10114i-FF371A5B16CB415486EB8C1D2128D626@Williams-MacBook-Pro.local>
References: <sjmbn5e3na2.fsf@securerf.ihtfp.org> <r470Ps-10114i-FF371A5B16CB415486EB8C1D2128D626@Williams-MacBook-Pro.local>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/b7ccg-Ci9Ckv69K7xvrPIUN3djY>



    _____________________________
From: Bill Frantz <frantz@pwpconsult.com>
Sent: Tuesday, April 12, 2016 9:01 PM
Subject: Re: [openpgp] Fingerprint requirements for OpenPGP
To: IETF OpenPGP <openpgp@ietf.org>


I have not heard anyone arguing that we don't need some form of 
fingerprint that can be typed into a computer for comparison. 
(Several have argued that eyeball comparison is error prone.)

Well, typing random data is error prone too. Perhaps we should 
have some form of check digit(s) so the program processing the 
type in can flag bad data entry and not confuse it with 
fingerprint match failure.

Cheers - Bill

--------------------------------------------------------------

There are many use cases for typing in a fingerprint. I want to send someone a mail, I read their fingerprint off a business card or they read it over the phone or I cut n'paste from somewhere. Comparison is more common though. And that allows us to use 'big dictionary' type approaches.
I am working on a doc, but there are some important points from the WG meeting. One is that there seems to be a confusion between whether the fingerprint or the key is a root of trust. If you think it is the key that is the root of trust then the fingerprint has to be canonical, must not include a date stamp (like it does at present). If however you regard the fingerprint of the key as the root of trust then it does not need to be canonical. Invalidating a key in one context does not necessitate invalidating it in all contexts. The catch being that when the key is presented for validation, you have to also present all the original attributes bound to it.
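
The two points raised in this thread, as an added example that is not part of either message: the RFC 4880 v4 fingerprint covers the key's creation time, so the same key material yields a different fingerprint when the timestamp changes, and a check value lets a program report a typing error separately from a genuine mismatch. The CRC-16 check value, the function names and the key bytes are assumptions made for illustration; no OpenPGP specification defines this check scheme.

```python
import binascii
import hashlib
import hmac
import struct

def v4_fingerprint(creation_time: int, algo: int, key_material: bytes) -> bytes:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    body = bytes([4]) + struct.pack(">I", creation_time) + bytes([algo]) + key_material
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def encode_for_typing(fp: bytes) -> str:
    """Hex fingerprint plus a CRC-16 check value (assumed scheme), in groups of 4."""
    text = (fp + binascii.crc_hqx(fp, 0).to_bytes(2, "big")).hex().upper()
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))

def check_typed(typed: str, expected_fp: bytes) -> str:
    """Return 'entry-error', 'mismatch' or 'match' for a typed fingerprint."""
    cleaned = "".join(typed.split()).lower()
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return "entry-error"            # non-hex character or odd digit count
    if len(raw) != 22:
        return "entry-error"            # wrong number of digits typed
    fp, check = raw[:20], raw[20:]
    if binascii.crc_hqx(fp, 0).to_bytes(2, "big") != check:
        return "entry-error"            # check value disagrees: a typo, not a bad key
    # Only a well-formed entry is compared against the expected fingerprint.
    return "match" if hmac.compare_digest(fp, expected_fp) else "mismatch"

# Constructed placeholder bytes standing in for key material; not a real key.
KEY_MATERIAL = bytes(range(64))
FP_A = v4_fingerprint(1460000000, 1, KEY_MATERIAL)
FP_B = v4_fingerprint(1460000001, 1, KEY_MATERIAL)  # same key, creation time +1 s

if __name__ == "__main__":
    typed = encode_for_typing(FP_A)
    print(typed)
    print("same key, different timestamp, same fingerprint?", FP_A == FP_B)
    print(check_typed(typed, FP_A))
    print(check_typed(typed, FP_B))
```

A 16-bit CRC detects every single wrong hex digit and every swap of two adjacent digits, which are the common typing errors; it gives no protection against deliberate substitution, which the fingerprint comparison itself must catch.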