Re: [openpgp] Summary of WG status

Vincent Breitmoser <look@my.amazin.horse> Tue, 15 August 2017 13:13 UTC

Return-Path: <look@my.amazin.horse>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5065B13257F for <openpgp@ietfa.amsl.com>; Tue, 15 Aug 2017 06:13:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NKFmMmfQ4lyV for <openpgp@ietfa.amsl.com>; Tue, 15 Aug 2017 06:13:32 -0700 (PDT)
Received: from mail.mugenguild.com (mugenguild.com [5.135.189.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A3F91321C6 for <openpgp@ietf.org>; Tue, 15 Aug 2017 06:13:31 -0700 (PDT)
Received: from localhost (p5B11CF40.dip0.t-ipconnect.de [91.17.207.64]) by mail.mugenguild.com (Postfix) with ESMTPSA id B1C605FAE8; Tue, 15 Aug 2017 15:13:28 +0200 (CEST)
Date: Tue, 15 Aug 2017 15:13:26 +0200
From: Vincent Breitmoser <look@my.amazin.horse>
To: "Robert J. Hansen" <rjh@sixdemonbag.org>
Cc: Derek Atkins <derek@ihtfp.com>, openpgp@ietf.org
Message-ID: <20170815131326.wa5guttvgsp2la5g@calamity>
References: <20170712223852.zmnvw4iwvziqsynq@genre.crustytoothpaste.net> <20170810014751.erufvruh2lm5cdpe@genre.crustytoothpaste.net> <1b68dbbb-38ac-6370-fe20-76be795b2634@sixdemonbag.org> <20170811202924.yiwzjom3tag3ivkk@genre.crustytoothpaste.net> <a2f2973f-2b34-5e07-2651-a1910d992c6a@sixdemonbag.org> <sjmefsef9b6.fsf@securerf.ihtfp.org> <3bff215c-4de7-3994-8f78-5a06caa3fbfe@sixdemonbag.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3bff215c-4de7-3994-8f78-5a06caa3fbfe@sixdemonbag.org>
User-Agent: NeoMutt/20170609 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/e-DUcBPq9eBMTaqEp6akWmsWLOE>
Subject: Re: [openpgp] Summary of WG status
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 13:13:34 -0000

I'm conflicted about this.

Yes, moving away from SHA1 is a good idea. We should do that asap. But I
really dislike that this comes with an increased fingerprint size to 256
bits.

Looking at the use case we are trying to cover here, and the actual
requirements the fingerprint has to fulfill, even the 160 bits we had
before were "super-duper-safe because who knows what might happen"
terrain. And we are going to bolt another 96 bits on top of that.
People are going to read sixty-four hexadecimal characters to one
another to verify their keys.

On the other hand, I can see how the choice of just using SHA2-256 is
attractive for its simplicity, especially in a context where consensus
is hard to find.

 - V