Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

[Nicholas Cole <nicholas.cole@gmail.com>]

On Saturday, 15 March 2014, Vincent Yu <v@v-yu.com> wrote:

> On 03/15/2014 04:40 PM, Nicholas Cole wrote:
>
>> On Sat, Mar 15, 2014 at 8:33 PM, Nicholas Cole <nicholas.cole@gmail.com>
>> wrote:
>>
>>>
>>>
>>> On Saturday, 15 March 2014, Jon Callas <jon@callas.org> wrote:
>>>
>>>> Now on the other hand, ages ago, we discussed ring signatures, and a use
>>>> case that I wanted to do was to make it so that whenever Alice sends
>>>> Bob a
>>>> signed email or other casual message, she would (could?) sign it with a
>>>> ring
>>>> signature of her key and Bob's. Bob knows that he didn't sign it so he
>>>> knows
>>>> that Alice did.
>>>>
>>>> Of course, it's one of those things that are cool, and yet it's hard to
>>>> say what it actually does to improve anything.
>>>>
>>>
>>>
>>> It also breaks the metaphor of a 'signature' too: the signatures we
>>> currently have work in a very similar way to the ideal real-world
>>> signature.
>>> This type of signature doesn't: it is a signature only specific people
>>> can
>>> verify, or rather, a signature that could have been made by any one of a
>>> number of people. The problem might then become proving you were *not*
>>> the
>>> person who made it, rather than the person who did, and proving a
>>> negative
>>> is impossible. I think for that reason I'm not sure would welcome it
>>> being
>>> added to gpg.  "Yes, that is a signature that I could have made, but I
>>> didn't" is not an easy position...
>>>
>>
>> And thinking about it even further, it compounds a problem that
>> someone (was it you, Jon?) has written about in the past.  Even though
>> we all know that key UIDs can be signed by complete strangers, users
>> are *often* disconcerted by this fact (which is why there is a
>> no-modifier flag, even if keyservers have never respected it and even
>> if it would make the use of OpenPGP even more complicated).  Still, a
>> naive user of an OpenPGP program may draw incorrect inferences about
>> social relationships from UID signatures.  Imagine the outcry of users
>> if they discovered that documents were in the wild that 'might' have
>> been signed by them...
>>
>> N.
>>
>
> This reminds me that I used the name "signer-ambiguous signature" in some
> of the early drafts of my proposal. This name concisely describes the most
> important property of ring signatures. Now that I think about it, that is a
> much better name than "ring signature" for implementations to present to
> their end users.
>
> "Signer-ambiguity" was coined by Rivest et al. to describe ring signatures
> in their seminal paper in 2001, so it's well-connected to the concept of
> ring signatures in the literature.
>
> Unless there are severe objections, I will modify the proposal to use the
> phrase "signer-ambiguous signature" to refer generally to the signatures
> produced by the scheme, and use "ring signature" only as technical term for
> the specific scheme that was chosen to provide signer-ambiguity.


I think that is a better name.  It gets away from the idea that there is a
'ring' of people who have authorized each other to make signatures.  But
still, I think that this proposal will bring more problems than benefits.
 Signatures will appear that 'might' have been made by all kinds of people
on all kinds of documents.  User interfaces will struggle to help users to
make good decisions as a result.  I can't help feeling that this kind of
signature belongs in very specific applications, and not in general purpose
tools. But I could be wrong.

N.