Re: [openpgp] Non-SHA-1 fingerprints in signatures [was: Proposal for a separable ring signature scheme...]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 14 March 2014 02:26 UTC

Message-ID: <532268E5.8090001@fifthhorseman.net>
Date: Thu, 13 Mar 2014 22:26:45 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <23C2DE82-93B7-48A6-95A6-14B4F5DD1F42@callas.org> <3e9143bf60d2252a67149eb4b984bcdb@smtp.hushmail.com>
In-Reply-To: <3e9143bf60d2252a67149eb4b984bcdb@smtp.hushmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/jpei6Eb4L_fwl7BMMlQA3aogxnQ
Cc: Vincent Yu <v@v-yu.com>

On 03/13/2014 09:28 PM, Vincent Yu wrote:
> In past threads, there were discussions about supporting non-SHA-1
> fingerprints [1] and including full issuer fingerprints in signatures
> [2]. You forwarded to this list a proposal for a new fingerprint [3].
> Did anything concrete come out of that proposal or other discussions?
> 
> In my proposal, I am using key IDs (i.e., the rightmost 8 octets of
> SHA-1 fingerprints) in a new signature subpacket, but I would like to
> switch to non-SHA-1 fingerprints if there is a standard or consensus
> about how they should be formatted. This is an opportune time to
> introduce such fingerprints since backward compatibility is not a
> relevant consideration.

the OpenPGP fingerprint revision discussions have not yet terminated in
a clear conclusion -- the last stage we reached was "wait until
SHA-3 has settled down and then reconsider".

You should *not* use keyIDs as distinct identifiers in the subpacket
body of the ring signature design; the use of keyIDs in the traditional
issuer subpacket is a mistake that i hope we don't propagate if/when
OpenPGPv5 ever gets standardized.

Your I-D should have the subpacket body built from either OpenPGPv4
fingerprints, or full public key packets.  the search space for key IDs
is too small to distinguish "bad signature" from "i don't have the
appropriate key" with sufficient confidence, which causes all sorts of
nasty UI edge cases.

	--dkg
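As an added illustration (not code from this thread or from any OpenPGP implementation), the following shows how a v4 fingerprint and the 8-octet key ID derived from it are computed per RFC 4880 section 12.2, and estimates (birthday bound) how many random keys it takes before two share an identifier, for the 64-bit key ID versus the 160-bit fingerprint. The RSA key material below is constructed for the example and is not a real key.

```python
# Added example: OpenPGP v4 fingerprint / key ID derivation (RFC 4880 12.2)
# and a birthday-bound estimate of identifier collision risk.
import hashlib
import math
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian octets."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 Public-Key packet for RSA: version 4, creation time, algo 1, MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-octet body length, and the packet body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(body: bytes) -> bytes:
    """The key ID is the low-order (rightmost) 8 octets of the v4 fingerprint."""
    return v4_fingerprint(body)[-8:]


def candidates(keyring, issuer_id: bytes):
    """Keys a verifier must try for an issuer identifier of either length.

    An 8-octet value is matched as a key ID, a 20-octet value as a full
    fingerprint. With key IDs, an empty result cannot be told apart from a
    bad signature with the confidence that a full fingerprint provides.
    """
    ident = key_id if len(issuer_id) == 8 else v4_fingerprint
    return [k for k in keyring if ident(k) == issuer_id]


def birthday_keys_for_half_collision(id_bits: int) -> float:
    """Approximate key count at which two random keys share an id_bits identifier with p = 0.5."""
    return math.sqrt(2 * math.log(2) * 2 ** id_bits)


# Constructed sample key (not real key material): 64-bit odd modulus, e = 65537.
SAMPLE_BODY = rsa_public_key_body(0xC0FFEE1234567891, 65537, 1394763000)

if __name__ == "__main__":
    print("fingerprint:", v4_fingerprint(SAMPLE_BODY).hex().upper())
    print("key id:     ", key_id(SAMPLE_BODY).hex().upper())
    print("matches:    ", len(candidates([SAMPLE_BODY], key_id(SAMPLE_BODY))))
    print("keys for 50%% collision: 64-bit %.2e, 160-bit %.2e"
          % (birthday_keys_for_half_collision(64), birthday_keys_for_half_collision(160)))
```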