Re: including the entire fingerprint of the issuer in an OpenPGP certification

David Shaw <dshaw@jabberwocky.com> Tue, 18 January 2011 23:23 UTC

Subject: Re: including the entire fingerprint of the issuer in an OpenPGP certification
From: David Shaw <dshaw@jabberwocky.com>
In-Reply-To: <4D3615A5.1050700@fifthhorseman.net>
Date: Tue, 18 Jan 2011 18:23:54 -0500
Message-Id: <A6FC20DE-6094-46D2-BEF5-D4C1DBFBE45F@jabberwocky.com>
References: <E1Pf1WI-0007aL-EN@login01.fos.auckland.ac.nz> <CFCF61BD-9281-4F09-AD31-C5AAC38315FE@callas.org> <4D354A08.1010206@iang.org> <87lj2isgm8.fsf@vigenere.g10code.de> <58216C60-3DFD-4312-B514-19243ED4220A@callas.org> <4D36010A.30205@fifthhorseman.net> <4D360E46.1080208@epointsystem.org> <4D3615A5.1050700@fifthhorseman.net>
To: IETF OpenPGP Working Group <ietf-openpgp@imc.org>

On Jan 18, 2011, at 5:35 PM, Daniel Kahn Gillmor wrote:

>> I think that there must be only ONE string called THE fingerprint of a certain
>> public key.
> 
> why?  we currently have three strings that are frequently used to
> identify keys with varying levels of assurance of "uniqueness" -- the
> 32-bit keyID (no guarantee at all, trivially spoofable), the 64-bit
> keyID (more difficult to spoof), and the 160-bit SHA1-based fingerprint
> (believed to be invulnerable to preimage attacks given the state of
> knowledge of math and available computer hardware).  I'm aware that
> these are derivable from each other, but it doesn't seem to change the
> fact that we're using them in a comparable way right now.
> 
> What significant problems will we encounter by adding a 4th identifying
> shorthand variant (hopefully with stronger guarantees of "uniqueness"
> than the existing three) that people can use if they want the stronger
> guarantees?

I think we're overloading the term "fingerprint" and it's causing confusion.  The original mail was a desire to help disambiguate the signer of a particular signature to resist a particular attack.  Of course, we have a thing-that-disambiguates already - the key fingerprint, which is already well defined in the spec and very widely implemented.

I don't want to invent a brand new thing-that-disambiguates that a) only applies to making signatures, and b) is not compatible with the existing method.  Like Werner, I don't want to have to support it more-or-less forever after V5 obsoletes it, and it also feels rather like an end-run around the "let's wait for SHA-3" consensus here on fingerprint changes.

My proposal is to make a subpacket that is defined as the fingerprint of the signing key plus a version byte.  This is an excellent disambiguator.  As you point out, it is believed to be invulnerable to preimage attacks given the state of knowledge of math and available computer hardware.  If and when we do V5, the same subpacket can be used for the V5 fingerprint (whatever that turns out to be), so we're not being forced to support an obsolete subpacket.

Think of it as an improved Issuer (#16) subpacket.

Shorter version of all that from your original email:

> Alternately, what about a new subpacket type that simply includes the
> entire 160 bits of the issuer's fingerprint?   (the "full fingerprint"
> proposal)

Add a version byte to the front of that, and we're talking about the same thing.

David
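As an added illustration of the two disambiguators compared in this message (this is not code from the thread or from any OpenPGP implementation), the following Python builds a v4 fingerprint as RFC 4880 defines it, the existing Issuer (#16) subpacket that carries only the 64-bit key ID, and the proposed subpacket of a version byte followed by the full fingerprint. The subpacket type number 100 (from the private/experimental range) and the toy key body are assumptions made for the example.

```python
import hashlib

ISSUER_SUBPACKET = 16       # Issuer subpacket type, RFC 4880 section 5.2.3.5
ISSUER_FPR_SUBPACKET = 100  # assumed type for the proposed subpacket (private/experimental range)

def mpi(x: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then the big-endian value."""
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

def build_v4_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + creation_time.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(key_body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-octet body length and the body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).digest()

def key_id_64(fpr: bytes) -> bytes:
    """64-bit key ID of a v4 key: the low-order 8 octets of its fingerprint."""
    return fpr[-8:]

def encode_subpacket(stype: int, body: bytes) -> bytes:
    """Signature subpacket with a 1-octet length (total < 192), RFC 4880 section 5.2.3.1."""
    assert len(body) + 1 < 192
    return bytes([len(body) + 1, stype]) + body

def issuer_subpacket(fpr: bytes) -> bytes:
    """Existing Issuer subpacket: only the 8-octet key ID names the signer."""
    return encode_subpacket(ISSUER_SUBPACKET, key_id_64(fpr))

def issuer_fingerprint_subpacket(fpr: bytes, version: int = 4) -> bytes:
    """Proposed subpacket: one key-version octet followed by the full fingerprint."""
    return encode_subpacket(ISSUER_FPR_SUBPACKET, bytes([version]) + fpr)

def parse_subpacket(data: bytes) -> tuple:
    """Return (type, body) of a subpacket encoded with a 1-octet length."""
    return data[1], data[2:1 + data[0]]

def subpacket_matches_key(subpacket: bytes, key_body: bytes) -> bool:
    """Verifier side: does this subpacket name the candidate v4 key?"""
    stype, body = parse_subpacket(subpacket)
    fpr = v4_fingerprint(key_body)
    if stype == ISSUER_SUBPACKET:
        return body == key_id_64(fpr)              # 64-bit comparison only
    if stype == ISSUER_FPR_SUBPACKET:
        return body[0] == 4 and body[1:] == fpr    # version octet plus all 160 bits
    return False

# Constructed toy key body; a real RSA modulus is 2048+ bits, this one is tiny on purpose.
SAMPLE_KEY = build_v4_key_body(1295392800, 0xC0FFEE1234567891, 65537)
```

A verifier that only honours the Issuer subpacket matches on 64 bits, whereas the proposed subpacket lets it compare the version octet and the whole 160-bit fingerprint before it even looks up the key.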