Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 15 March 2014 05:03 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5D51A0002 for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 22:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKOgKygF-Vc7 for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 22:03:45 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 295E51A0007 for <openpgp@ietf.org>; Fri, 14 Mar 2014 22:03:45 -0700 (PDT)
Received: from [10.0.0.4] (h-67-100-110-8.nycm.ny.dynamic.megapath.net [67.100.110.8]) by che.mayfirst.org (Postfix) with ESMTPSA id 55AE5F984; Sat, 15 Mar 2014 01:03:36 -0400 (EDT)
Message-ID: <5323DF28.5070809@fifthhorseman.net>
Date: Sat, 15 Mar 2014 01:03:36 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Vincent Yu <v@v-yu.com>, Werner Koch <wk@gnupg.org>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com>
In-Reply-To: <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="6ForcDNj3l6vcRDXIFVUWsDOLGBI8BQH6"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/cspL7rXAsRayJzlea7dJl2H3Kco
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 05:03:47 -0000
On 03/14/2014 07:42 PM, Vincent Yu wrote: > On 03/14/2014 10:38 AM, Daniel Kahn Gillmor wrote: >> Guidance would also be useful for implementations processing (or >> generating) ring signatures that were made by one of a set of keys where >> some of those keys appear to be expired or revoked. (i haven't thought >> this use case through in sufficient detail, but i could see >> implementations getting tripped up here or behaving in wildly divergent >> ways if there is no clear guidance) > > I think a good general recommendation here would be to look at each > public key individually and output the same warnings and errors that > would be output if this were a standard signature. Are there significant > issues that you see with this? i'm just imagining a troubling use case in terms of UI (maybe it isn't an issue): Alice and Bob have keys; Alice decides she wants to frame Bob. Alice makes a ring signature with her key and with Bob's key at time T over a document that is particularly terrible. She then sets her computer's clock back to time T-1 and expires or revokes her own key. Carol comes along and checks the signature on the terrible document. her OpenPGP implementation says "this signature was made by either Alice or Bob, but Alice's key was expired/revoked" If Carol is naive, the implication she might take away from such a UI is that Alice couldn't have made the signature, therefore it must have been Bob that said the terrible thing. I don't know how to clarify the UI to avoid giving that impression. --dkg
- [openpgp] Proposal for a separable ring signature… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- [openpgp] Non-SHA-1 fingerprints in signatures [w… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… David Shaw
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… vedaal
- Re: [openpgp] Proposal for a separable ring signa… Falcon Darkstar Momot
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… ianG
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie