[openpgp] Fingerprints
"Neal H. Walfield" <neal@walfield.org> Fri, 25 November 2022 16:03 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE57C14CE4C for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 08:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RpNBS2kF8D0D for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 08:03:11 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [202.61.250.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C777AC1522C5 for <openpgp@ietf.org>; Fri, 25 Nov 2022 08:02:44 -0800 (PST)
Received: from p5de92f23.dip0.t-ipconnect.de ([93.233.47.35] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1oybA1-00009L-77 for openpgp@ietf.org; Fri, 25 Nov 2022 17:02:41 +0100
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <neal@walfield.org>) id 1oybA0-004zZL-3i for openpgp@ietf.org; Fri, 25 Nov 2022 17:02:40 +0100
Date: Fri, 25 Nov 2022 17:02:40 +0100
Message-ID: <87cz9bt42n.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: IETF OpenPGP WG <openpgp@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ercj-pZ7SnBZUhN9Yj3PqEFe93E>
Subject: [openpgp] Fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 16:03:13 -0000
Hi, The crypto-refresh defines fingerprints as follows: > 5.5.4. Key IDs and Fingerprints > > A v5 fingerprint is the 256-bit SHA2-256 hash of... draft-koch defines fingerprints as follows: > 12.2. Key IDs and Fingerprints > > A V5 fingerprint is the 256-bit SHA2-256 hash of... Historically, it has been possible to use the length of the fingerprint to derive the version. If draft-koch is deployed, and the crypto-refresh does s/v5/v6/, then this will no longer be possible. I'm concerned about this, because it makes the programmatic use of fingerprints more difficult. Note: I'm not actually worried about collisions here. I'm thinking primarily about implementation complexity, and how to apriori avoid bugs. Consider. In Sequoia, we have a Fingerprint data structure. It may eventually look something like this: enum Fingerprint { V4([u8; 20]), V5([u8; 32]), V6([u8; 32]), Invalid(Box<[u8]>), } This data structure implements equality, i.e., it implements the == operator, and hash, so that it can be used as a key in a hash table. Let's imagine that we have a collection of certificates stored in a hash table. If a program using Sequoia is handed a fingerprint (FPR) without a version, perhaps a user copied and pasted it, then it either can't use the Fingerprint data structure as the key and needs a second data structure, perhaps, UnversionedFingerprint, or it needs to first try looking up Fingerprint::V5(FPR) and then try looking up Fingerprint::V6(FPR). To be clear: I'm not claiming that this is a showstopper, or that the complexity is unmanageable. I'm just saying that it increases implementation complexity without any other gains, i.e., its a bad tradeoff. I see two solutions: First, we could use a different fingerprint length from draft-koch. That's straightforward, but potentially changes the security calculus, e.g., if we use a truncated SHA2-256 hash. That's annoying. Second, we could just make the version number part of the fingerprint. That is, the fingerprint could be defined as the concatenation of 6 (assuming we do s/v5/v6/) plus the 256-bit SHA2-256 hash. This works nicely as, as far as I can see, whenever crypto-refresh specifies a fingerprint, the version is also specified. So, all of the data structures like the Issuer Fingerprint subpacket can be redefined without changing the wire format. And an implementation would never be tempted to accept a fingerprint without a version, as the version is by definition part of the fingerprint. Thoughts? Neal
- [openpgp] Fingerprints Neal H. Walfield
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Fingerprints Daniel Huigens
- Re: [openpgp] Fingerprints Neal H. Walfield
- Re: [openpgp] Fingerprints Neal H. Walfield
- Re: [openpgp] Fingerprints Neal H. Walfield