Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
ianG <iang@iang.org> Sun, 16 March 2014 11:56 UTC
Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE511A0104 for <openpgp@ietfa.amsl.com>; Sun, 16 Mar 2014 04:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkjFurKyZuUi for <openpgp@ietfa.amsl.com>; Sun, 16 Mar 2014 04:56:00 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) by ietfa.amsl.com (Postfix) with ESMTP id 0C9491A00FB for <openpgp@ietf.org>; Sun, 16 Mar 2014 04:55:59 -0700 (PDT)
Received: from tormenta.local (www2.futureware.at [78.41.115.142]) by virulha.pair.com (Postfix) with ESMTPSA id 0CBC66D451; Sun, 16 Mar 2014 07:55:48 -0400 (EDT)
Message-ID: <53259142.3020101@iang.org>
Date: Sun, 16 Mar 2014 11:55:46 +0000
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: openpgp@ietf.org
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net> <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org>
In-Reply-To: <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/j86xx_-SAX7FvX6ioQPk2jcTi0Q
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 11:56:02 -0000
On 15/03/2014 17:47 pm, Jon Callas wrote: > Now on the other hand, ages ago, we discussed ring signatures, and a use case that I wanted to do was to make it so that whenever Alice sends Bob a signed email or other casual message, she would (could?) sign it with a ring signature of her key and Bob's. Bob knows that he didn't sign it so he knows that Alice did. Which might be a nice property, but if it goes further it might be problematic. Where I'm thinking is experiences with the oddly-named OTR, which raises questions on two counts. Firstly, it isn't OTR because it is a protocol, not a record-keeping or securing agent [0]. The protocol instead claims something that we might call "deniability" as in "plausible deniability." Which leads to fubar #2. "Plausible deniability" might work in the movies, but it doesn't work in court, being precisely the place were we might want to be able to claim something didn't happen. Unfortunately, deniability is also the weapon the courts are most used to, and they test for exactly this [1]. In short words, that's their game, and they're daring you to try it... Fubar #3 is that because of the claim of off-the-record and ability to plausibly deny, the presence of the product itself can be evidence against the victim. If for example one were to "plausibly deny" a record or transcript of a chat session, you're already damned by having used the product. > Of course, it's one of those things that are cool, and yet it's hard to say what it actually does to improve anything. Which all is really sad, because other than that, the OTR protocol and system has really filled a gap and been quite successful. With the fall of skype, it's about the only game out there for widespread secure chat. It's just the name and claims that run into unforeseen consequences. Drifting more OT somewhat, what I think is far more useful is disappearing messages. I believe that Snapchat was on the money, because it disappeared the messages & photos, which was much closer to what the user needed. Snapchat is a $16bn lesson to the cryptography industry. Anyway, I'm out west of Tahiti by now... iang [0] The name is less of relevance here, so in footnotes: The record is kept or not kept by the app. It might be that this latter is useful but what is not useful is advertising a property such as "off the record" that the protocol cannot provide, and has no way of knowing if the app provides it or not. [1] For the exact same reason, non-repudiation is a concept that the courts reject in general and in concept. Oops.
- [openpgp] Proposal for a separable ring signature… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- [openpgp] Non-SHA-1 fingerprints in signatures [w… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… David Shaw
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… vedaal
- Re: [openpgp] Proposal for a separable ring signa… Falcon Darkstar Momot
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… ianG
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie