[openpgp] Fingerprints
"Neal H. Walfield" <neal@walfield.org> Fri, 25 November 2022 16:03 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE57C14CE4C for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 08:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RpNBS2kF8D0D for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 08:03:11 -0800 (PST)
Received: from mail.dasr.de (mail.dasr.de [202.61.250.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C777AC1522C5 for <openpgp@ietf.org>; Fri, 25 Nov 2022 08:02:44 -0800 (PST)
Received: from p5de92f23.dip0.t-ipconnect.de ([93.233.47.35] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1oybA1-00009L-77 for openpgp@ietf.org; Fri, 25 Nov 2022 17:02:41 +0100
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <neal@walfield.org>) id 1oybA0-004zZL-3i for openpgp@ietf.org; Fri, 25 Nov 2022 17:02:40 +0100
Date: Fri, 25 Nov 2022 17:02:40 +0100
Message-ID: <87cz9bt42n.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: IETF OpenPGP WG <openpgp@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (Gojō) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ercj-pZ7SnBZUhN9Yj3PqEFe93E>
Subject: [openpgp] Fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 16:03:13 -0000
Hi,
The crypto-refresh defines fingerprints as follows:
> 5.5.4. Key IDs and Fingerprints
>
> A v5 fingerprint is the 256-bit SHA2-256 hash of...
draft-koch defines fingerprints as follows:
> 12.2. Key IDs and Fingerprints
>
> A V5 fingerprint is the 256-bit SHA2-256 hash of...
Historically, it has been possible to use the length of the
fingerprint to derive the version. If draft-koch is deployed, and the
crypto-refresh does s/v5/v6/, then this will no longer be possible.
I'm concerned about this, because it makes the programmatic use of
fingerprints more difficult. Note: I'm not actually worried about
collisions here. I'm thinking primarily about implementation
complexity, and how to apriori avoid bugs.
Consider. In Sequoia, we have a Fingerprint data structure. It may
eventually look something like this:
enum Fingerprint {
V4([u8; 20]),
V5([u8; 32]),
V6([u8; 32]),
Invalid(Box<[u8]>),
}
This data structure implements equality, i.e., it implements the ==
operator, and hash, so that it can be used as a key in a hash table.
Let's imagine that we have a collection of certificates stored in a
hash table. If a program using Sequoia is handed a fingerprint (FPR)
without a version, perhaps a user copied and pasted it, then it either
can't use the Fingerprint data structure as the key and needs a second
data structure, perhaps, UnversionedFingerprint, or it needs to first
try looking up Fingerprint::V5(FPR) and then try looking up
Fingerprint::V6(FPR).
To be clear: I'm not claiming that this is a showstopper, or that the
complexity is unmanageable. I'm just saying that it increases
implementation complexity without any other gains, i.e., its a bad
tradeoff.
I see two solutions:
First, we could use a different fingerprint length from draft-koch.
That's straightforward, but potentially changes the security calculus,
e.g., if we use a truncated SHA2-256 hash. That's annoying.
Second, we could just make the version number part of the fingerprint.
That is, the fingerprint could be defined as the concatenation of 6
(assuming we do s/v5/v6/) plus the 256-bit SHA2-256 hash.
This works nicely as, as far as I can see, whenever crypto-refresh
specifies a fingerprint, the version is also specified. So, all of
the data structures like the Issuer Fingerprint subpacket can be
redefined without changing the wire format. And an implementation
would never be tempted to accept a fingerprint without a version, as
the version is by definition part of the fingerprint.
Thoughts?
Neal
- [openpgp] Fingerprints Neal H. Walfield
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Fingerprints Daniel Huigens
- Re: [openpgp] Fingerprints Neal H. Walfield
- Re: [openpgp] Fingerprints Neal H. Walfield
- Re: [openpgp] Fingerprints Neal H. Walfield