Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Jon Callas <jon@callas.org> Sat, 15 March 2014 17:47 UTC

Return-Path: <jon@callas.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03BB71A0180 for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 10:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPeQo8a4ZDFI for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 10:47:14 -0700 (PDT)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id D05821A0174 for <openpgp@ietf.org>; Sat, 15 Mar 2014 10:47:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 97E7F4F46FF0 for <openpgp@ietf.org>; Sat, 15 Mar 2014 10:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYcy3u80FYaE for <openpgp@ietf.org>; Sat, 15 Mar 2014 10:47:05 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id 7AEF24F46FE5 for <openpgp@ietf.org>; Sat, 15 Mar 2014 10:47:05 -0700 (PDT)
Received: from [10.0.23.30] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Sat, 15 Mar 2014 10:47:05 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Sat, 15 Mar 2014 10:47:05 -0700
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <5323DF28.5070809@fifthhorseman.net>
Date: Sat, 15 Mar 2014 10:47:10 -0700
Message-Id: <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net>
To: "openpgp@ietf.org OpenPGP" <openpgp@ietf.org>
X-Mailer: Apple Mail (2.1874)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/cJrck53zxAAIFF1MgyqhM_Y-Dfw
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 17:47:17 -0000

On Mar 14, 2014, at 10:03 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> i'm just imagining a troubling use case in terms of UI (maybe it isn't
> an issue):
> 
> Alice and Bob have keys; Alice decides she wants to frame Bob.  Alice
> makes a ring signature with her key and with Bob's key at time T over a
> document that is particularly terrible.  She then sets her computer's
> clock back to time T-1 and expires or revokes her own key.
> 
> Carol comes along and checks the signature on the terrible document.
> her OpenPGP implementation says "this signature was made by either Alice
> or Bob, but Alice's key was expired/revoked"
> 
> If Carol is naive, the implication she might take away from such a UI is
> that Alice couldn't have made the signature, therefore it must have been
> Bob that said the terrible thing.
> 
> I don't know how to clarify the UI to avoid giving that impression.

I confess that I don't see it as an issue.

There's part of me that wants to say ironically, "Well, I guess we shouldn't do it, then!" But I don't want to be dismissive of your point.

But I would also say that a lot of what you're saying is just hard to do -- like revocation. Revocation doesn't work and *can't* work the way one might naively expect it. The situation you describe exists today in a slightly mutated form. Here's an example:

Bob is a politician and wants to repudiate a previous position he used to have, so he sets his clock back, revokes his own key and then claims that all the signatures made after that date come from his computer having been hacked back in the day.

It's really the same problem, just with a one-person variety. It boils down to the fact that revocation doesn't really work, beyond trivial cases.

Now on the other hand, ages ago, we discussed ring signatures, and a use case that I wanted to do was to make it so that whenever Alice sends Bob a signed email or other casual message, she would (could?) sign it with a ring signature of her key and Bob's. Bob knows that he didn't sign it so he knows that Alice did. 

Of course, it's one of those things that are cool, and yet it's hard to say what it actually does to improve anything.

	Jon