Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 March 2014 18:00 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98E7E1A019F for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 11:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id az6iViPlEwVD for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 11:00:34 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 512051A019C for <openpgp@ietf.org>; Fri, 14 Mar 2014 11:00:27 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id D5004F984; Fri, 14 Mar 2014 14:00:18 -0400 (EDT)
Message-ID: <532343B3.7090807@fifthhorseman.net>
Date: Fri, 14 Mar 2014 14:00:19 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Werner Koch <wk@gnupg.org>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <87y50cybh3.fsf@vigenere.g10code.de> <53233BD4.4020804@fifthhorseman.net> <87lhwcy93w.fsf@vigenere.g10code.de>
In-Reply-To: <87lhwcy93w.fsf@vigenere.g10code.de>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="mbw26Vh4WXIUqr3PejLeFUrlsHP5voG8l"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/bcLPA0sxXYH0PaEMDdfz7aQlva0
Cc: openpgp@ietf.org, Vincent Yu <v@v-yu.com>
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 18:00:36 -0000
On 03/14/2014 01:37 PM, Werner Koch wrote: > It is all about probability. > >> goal here is simply cryptographic non-repudiability, Alice's peer is > > There is no such thing as mechanically created non-reputability. But > why make it too easy. > >> it doesn't make sense to rely on non-cryptographic signals (e.g. typical >> OpenPGP implemnetation version information, etc) to rule out possible >> cryptographic signers. > > I case we are speaking about this: The whole point of criminial > investigations is to collect lots of evidence from _different sources_ > to prove or disprove a claim. sure, i'm not claiming that cryptographic deniability is a particularly useful feature in the courts. Even with the extra limits you're proposing, i'm not convinced it has much utility, though. I've written about this here (slightly different context, but much of the reasoning applies): https://www.debian-administration.org/users/dkg/weblog/104 Do you think that saying "ring signatures are limited to these new-fangled keys" would make the arguments for deniability stronger? if so, why does making the specification *possible* to use with older keys make them any weaker? That is, if the spec makes it possible to work with multiple key types, two users exchanging ring signatures with ECC keys will be no worse off than if the spec constrains its users to only allow ECC keys. But a user corresponding with someone who still uses an RSA key has *no way* to make a ring signature under the constrained proposal, thereby removing what little argument they could have made otherwise. Why not leave the proposal open to those users? So perhaps some guidance is suggested, along the lines of "Due to the novelty of this scheme within OpenPGP as of this writing, making a ring signature over multiple ECC keys offers more plausible deniability than a ring signature covering an ECC key and any other form of public key" Is there another argument for constraining ring signatures to ECC keys, though? for example, arguments by implementation simplicity, efficiency, or mathematical clarity might be a good reason to constrain the spec to new key types. --dkg
- [openpgp] Proposal for a separable ring signature… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- [openpgp] Non-SHA-1 fingerprints in signatures [w… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… David Shaw
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… vedaal
- Re: [openpgp] Proposal for a separable ring signa… Falcon Darkstar Momot
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… ianG
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie