Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Nicholas Cole <nicholas.cole@gmail.com> Sat, 15 March 2014 22:02 UTC

Return-Path: <nicholas.cole@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2A2F1A01DA for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 15:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvLeoP3FBtUC for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 15:02:29 -0700 (PDT)
Received: from mail-ee0-x235.google.com (mail-ee0-x235.google.com [IPv6:2a00:1450:4013:c00::235]) by ietfa.amsl.com (Postfix) with ESMTP id 53CF01A01D8 for <openpgp@ietf.org>; Sat, 15 Mar 2014 15:02:29 -0700 (PDT)
Received: by mail-ee0-f53.google.com with SMTP id b57so2001565eek.26 for <openpgp@ietf.org>; Sat, 15 Mar 2014 15:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=7EYu0SP5HrVof8fx7IFPPjEOq52VZ03wvmVJ/VgKDrg=; b=q+6JnnRxexla2469N+zSEKygMzU5eC8Y77jJsPToJbd8GURAa9JwYF+VzV8k50T7DB foGbQUbatqxeS0wWUxuK6hbfA45/e9E2zukRQzxBMwAN3Li/hNWU7yEg8PVQSe2kPOaV x+np6RB4t+fkBha4/CLD8CxfSJlTvFvPh7npEAG1ulUENT8QHOdvgrsOUl69/ql/LqRu 9Sx3LZ94oUIiqAgFY+8i3JFMG4dPrtX6ZsL0/7A4yE6kyjeUW5zSBn9Gh46z9hdyg/6N uussFdx2aWZXTHdWjfZnV5ourkPDcIXWByhCbk16qKpxyJoWbk4Q8xwqOW5kJqhUzLuY vbSQ==
MIME-Version: 1.0
X-Received: by 10.15.21.2 with SMTP id c2mr332976eeu.78.1394920941546; Sat, 15 Mar 2014 15:02:21 -0700 (PDT)
Received: by 10.14.80.135 with HTTP; Sat, 15 Mar 2014 15:02:21 -0700 (PDT)
In-Reply-To: <029427f6d271b61840ad3f919796c18c@smtp.hushmail.com>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net> <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org> <CAAu18hczJb9C2qv-HYJ0kwP7npEgy4f-D0VOMReBSi==XqT9Eg@mail.gmail.com> <CAAu18hc2BPd3u2OnvxMGattGrdEXZgpxTGsR05GU7D-7L10Usw@mail.gmail.com> <029427f6d271b61840ad3f919796c18c@smtp.hushmail.com>
Date: Sat, 15 Mar 2014 22:02:21 +0000
Message-ID: <CAAu18hdh+muvDG=SkBs_Y2gDKtMzMPgx8kv6KUNEzODE1j36qQ@mail.gmail.com>
From: Nicholas Cole <nicholas.cole@gmail.com>
To: openpgp@ietf.org
Content-Type: multipart/alternative; boundary=089e0160d2b835f39a04f4ac5763
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/en8CNwThB3ijy3PUkT6ll7WUXxY
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 22:02:32 -0000

On Saturday, 15 March 2014, Vincent Yu <v@v-yu.com> wrote:

> On 03/15/2014 04:40 PM, Nicholas Cole wrote:
>
>> On Sat, Mar 15, 2014 at 8:33 PM, Nicholas Cole <nicholas.cole@gmail.com>
>> wrote:
>>
>>>
>>>
>>> On Saturday, 15 March 2014, Jon Callas <jon@callas.org> wrote:
>>>
>>>> Now on the other hand, ages ago, we discussed ring signatures, and a use
>>>> case that I wanted to do was to make it so that whenever Alice sends
>>>> Bob a
>>>> signed email or other casual message, she would (could?) sign it with a
>>>> ring
>>>> signature of her key and Bob's. Bob knows that he didn't sign it so he
>>>> knows
>>>> that Alice did.
>>>>
>>>> Of course, it's one of those things that are cool, and yet it's hard to
>>>> say what it actually does to improve anything.
>>>>
>>>
>>>
>>> It also breaks the metaphor of a 'signature' too: the signatures we
>>> currently have work in a very similar way to the ideal real-world
>>> signature.
>>> This type of signature doesn't: it is a signature only specific people
>>> can
>>> verify, or rather, a signature that could have been made by any one of a
>>> number of people. The problem might then become proving you were *not*
>>> the
>>> person who made it, rather than the person who did, and proving a
>>> negative
>>> is impossible. I think for that reason I'm not sure would welcome it
>>> being
>>> added to gpg.  "Yes, that is a signature that I could have made, but I
>>> didn't" is not an easy position...
>>>
>>
>> And thinking about it even further, it compounds a problem that
>> someone (was it you, Jon?) has written about in the past.  Even though
>> we all know that key UIDs can be signed by complete strangers, users
>> are *often* disconcerted by this fact (which is why there is a
>> no-modifier flag, even if keyservers have never respected it and even
>> if it would make the use of OpenPGP even more complicated).  Still, a
>> naive user of an OpenPGP program may draw incorrect inferences about
>> social relationships from UID signatures.  Imagine the outcry of users
>> if they discovered that documents were in the wild that 'might' have
>> been signed by them...
>>
>> N.
>>
>
> This reminds me that I used the name "signer-ambiguous signature" in some
> of the early drafts of my proposal. This name concisely describes the most
> important property of ring signatures. Now that I think about it, that is a
> much better name than "ring signature" for implementations to present to
> their end users.
>
> "Signer-ambiguity" was coined by Rivest et al. to describe ring signatures
> in their seminal paper in 2001, so it's well-connected to the concept of
> ring signatures in the literature.
>
> Unless there are severe objections, I will modify the proposal to use the
> phrase "signer-ambiguous signature" to refer generally to the signatures
> produced by the scheme, and use "ring signature" only as technical term for
> the specific scheme that was chosen to provide signer-ambiguity.


I think that is a better name.  It gets away from the idea that there is a
'ring' of people who have authorized each other to make signatures.  But
still, I think that this proposal will bring more problems than benefits.
 Signatures will appear that 'might' have been made by all kinds of people
on all kinds of documents.  User interfaces will struggle to help users to
make good decisions as a result.  I can't help feeling that this kind of
signature belongs in very specific applications, and not in general purpose
tools. But I could be wrong.

N.