Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
Nicholas Cole <nicholas.cole@gmail.com> Sat, 15 March 2014 22:02 UTC
Return-Path: <nicholas.cole@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2A2F1A01DA for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 15:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvLeoP3FBtUC for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 15:02:29 -0700 (PDT)
Received: from mail-ee0-x235.google.com (mail-ee0-x235.google.com [IPv6:2a00:1450:4013:c00::235]) by ietfa.amsl.com (Postfix) with ESMTP id 53CF01A01D8 for <openpgp@ietf.org>; Sat, 15 Mar 2014 15:02:29 -0700 (PDT)
Received: by mail-ee0-f53.google.com with SMTP id b57so2001565eek.26 for <openpgp@ietf.org>; Sat, 15 Mar 2014 15:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=7EYu0SP5HrVof8fx7IFPPjEOq52VZ03wvmVJ/VgKDrg=; b=q+6JnnRxexla2469N+zSEKygMzU5eC8Y77jJsPToJbd8GURAa9JwYF+VzV8k50T7DB foGbQUbatqxeS0wWUxuK6hbfA45/e9E2zukRQzxBMwAN3Li/hNWU7yEg8PVQSe2kPOaV x+np6RB4t+fkBha4/CLD8CxfSJlTvFvPh7npEAG1ulUENT8QHOdvgrsOUl69/ql/LqRu 9Sx3LZ94oUIiqAgFY+8i3JFMG4dPrtX6ZsL0/7A4yE6kyjeUW5zSBn9Gh46z9hdyg/6N uussFdx2aWZXTHdWjfZnV5ourkPDcIXWByhCbk16qKpxyJoWbk4Q8xwqOW5kJqhUzLuY vbSQ==
MIME-Version: 1.0
X-Received: by 10.15.21.2 with SMTP id c2mr332976eeu.78.1394920941546; Sat, 15 Mar 2014 15:02:21 -0700 (PDT)
Received: by 10.14.80.135 with HTTP; Sat, 15 Mar 2014 15:02:21 -0700 (PDT)
In-Reply-To: <029427f6d271b61840ad3f919796c18c@smtp.hushmail.com>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net> <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org> <CAAu18hczJb9C2qv-HYJ0kwP7npEgy4f-D0VOMReBSi==XqT9Eg@mail.gmail.com> <CAAu18hc2BPd3u2OnvxMGattGrdEXZgpxTGsR05GU7D-7L10Usw@mail.gmail.com> <029427f6d271b61840ad3f919796c18c@smtp.hushmail.com>
Date: Sat, 15 Mar 2014 22:02:21 +0000
Message-ID: <CAAu18hdh+muvDG=SkBs_Y2gDKtMzMPgx8kv6KUNEzODE1j36qQ@mail.gmail.com>
From: Nicholas Cole <nicholas.cole@gmail.com>
To: openpgp@ietf.org
Content-Type: multipart/alternative; boundary="089e0160d2b835f39a04f4ac5763"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/en8CNwThB3ijy3PUkT6ll7WUXxY
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 22:02:32 -0000
On Saturday, 15 March 2014, Vincent Yu <v@v-yu.com> wrote: > On 03/15/2014 04:40 PM, Nicholas Cole wrote: > >> On Sat, Mar 15, 2014 at 8:33 PM, Nicholas Cole <nicholas.cole@gmail.com> >> wrote: >> >>> >>> >>> On Saturday, 15 March 2014, Jon Callas <jon@callas.org> wrote: >>> >>>> Now on the other hand, ages ago, we discussed ring signatures, and a use >>>> case that I wanted to do was to make it so that whenever Alice sends >>>> Bob a >>>> signed email or other casual message, she would (could?) sign it with a >>>> ring >>>> signature of her key and Bob's. Bob knows that he didn't sign it so he >>>> knows >>>> that Alice did. >>>> >>>> Of course, it's one of those things that are cool, and yet it's hard to >>>> say what it actually does to improve anything. >>>> >>> >>> >>> It also breaks the metaphor of a 'signature' too: the signatures we >>> currently have work in a very similar way to the ideal real-world >>> signature. >>> This type of signature doesn't: it is a signature only specific people >>> can >>> verify, or rather, a signature that could have been made by any one of a >>> number of people. The problem might then become proving you were *not* >>> the >>> person who made it, rather than the person who did, and proving a >>> negative >>> is impossible. I think for that reason I'm not sure would welcome it >>> being >>> added to gpg. "Yes, that is a signature that I could have made, but I >>> didn't" is not an easy position... >>> >> >> And thinking about it even further, it compounds a problem that >> someone (was it you, Jon?) has written about in the past. Even though >> we all know that key UIDs can be signed by complete strangers, users >> are *often* disconcerted by this fact (which is why there is a >> no-modifier flag, even if keyservers have never respected it and even >> if it would make the use of OpenPGP even more complicated). Still, a >> naive user of an OpenPGP program may draw incorrect inferences about >> social relationships from UID signatures. Imagine the outcry of users >> if they discovered that documents were in the wild that 'might' have >> been signed by them... >> >> N. >> > > This reminds me that I used the name "signer-ambiguous signature" in some > of the early drafts of my proposal. This name concisely describes the most > important property of ring signatures. Now that I think about it, that is a > much better name than "ring signature" for implementations to present to > their end users. > > "Signer-ambiguity" was coined by Rivest et al. to describe ring signatures > in their seminal paper in 2001, so it's well-connected to the concept of > ring signatures in the literature. > > Unless there are severe objections, I will modify the proposal to use the > phrase "signer-ambiguous signature" to refer generally to the signatures > produced by the scheme, and use "ring signature" only as technical term for > the specific scheme that was chosen to provide signer-ambiguity. I think that is a better name. It gets away from the idea that there is a 'ring' of people who have authorized each other to make signatures. But still, I think that this proposal will bring more problems than benefits. Signatures will appear that 'might' have been made by all kinds of people on all kinds of documents. User interfaces will struggle to help users to make good decisions as a result. I can't help feeling that this kind of signature belongs in very specific applications, and not in general purpose tools. But I could be wrong. N.
- [openpgp] Proposal for a separable ring signature… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- [openpgp] Non-SHA-1 fingerprints in signatures [w… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… David Shaw
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… vedaal
- Re: [openpgp] Proposal for a separable ring signa… Falcon Darkstar Momot
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… ianG
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie