Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 March 2014 14:38 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B95B1A015D for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 07:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5EOwmDF_JuDl for <openpgp@ietfa.amsl.com>; Fri, 14 Mar 2014 07:38:45 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 52B2A1A015E for <openpgp@ietf.org>; Fri, 14 Mar 2014 07:38:45 -0700 (PDT)
Received: from [10.70.10.55] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 3B8DAF986; Fri, 14 Mar 2014 10:38:37 -0400 (EDT)
Message-ID: <5323146D.4050006@fifthhorseman.net>
Date: Fri, 14 Mar 2014 10:38:37 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: Vincent Yu <v@v-yu.com>, Werner Koch <wk@gnupg.org>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com>
In-Reply-To: <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="mCew2SI7UdEQqMwjtXnGaRTSI36xvRDhe"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/g5I9s2jLKRz8YuNR5od776Q57lI
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 14:38:50 -0000

On 03/14/2014 09:55 AM, Vincent Yu wrote:
> I agree with you that it is mostly useless. Unless someone has a better
> idea, I will remove the registry and modify the new signature subpacket
> to hold only the fingerprints of possible signers. This will nicely
> simplify things.

For extra safety, you could still include the public key's algorithm ID
in the subpacket as a separate one-byte marker, just using the value
from https://tools.ietf.org/html/rfc4880#section-9.1 instead of pulling
the values from a new/duplicate registry.

> A major consideration in the proposed scheme is to make sure that it is
> separable; i.e., that different types of existing keys can be used
> together without a dedicated setup. In the current scheme, signers are
> able to produce a ring signature without any cooperation or setup from
> the other possible signers (as long as they each have an RSA, DSA, or
> ECDSA signing key). I think this is an essential feature; otherwise, it
> would be a pain to make sure that all possible signers have the correct
> type of key.
> 
> Thus, I think it is important to have a new algorithm ID for ring
> signatures so that signers are free to mix together different types of
> keys in the ring signature. I would also prefer to leave RSA and DSA
> keys in the scheme for the same reason.

i still haven't gotten my head around the particular details of the
proposed scheme, but i agree it would be nice for users to be able to
have this feature without requiring their peers to opt into the scheme
by making a new EC key or designating a new usage flag for this purpose.
 Sticking with widespread existing keys and the common "data signing"
usage flag seems like the way to go.

I note that you've specified the ring signature approach as a generic
public key algorithm for arbitrary signature packets, and left
"decisions regarding creation and interpretation" up to the
implementation.  I think a bit more guidance would be helpful in at
least two cases:

signature types: at the moment, i only see this as a useful mechanism
for data signatures (sigtype 0x00 and 0x01) ; i don't see a reasonable
use case here for identity certifications (sigtypes 0x10 through 0x13),
or other signature types currently available:
https://tools.ietf.org/html/rfc4880#section-5.2.1  -- i'm not suggesting
that we need to say these MUST NOT be made as ring signatures, but it
might be worth considering the applicability to the other signature types.

Guidance would also be useful for implementations processing (or
generating) ring signatures that were made by one of a set of keys where
some of those keys appear to be expired or revoked.  (i haven't thought
this use case through in sufficient detail, but i could see
implementations getting tripped up here or behaving in wildly divergent
ways if there is no clear guidance)

	--dkg