Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Vincent Yu <v@v-yu.com> Sat, 15 March 2014 05:26 UTC

Message-ID: <8ab357017d32acdb2afedcfbabe63ac3@smtp.hushmail.com>
Date: Sat, 15 Mar 2014 01:26:34 -0400
From: Vincent Yu <v@v-yu.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Werner Koch <wk@gnupg.org>
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net>
In-Reply-To: <5323DF28.5070809@fifthhorseman.net>
OpenPGP: id=d28d7c4078b3742a; url=https://v-yu.com/pubkeys/openpgp.asc
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/pbQSggxg38YI-AKDqM4O59sYvi0
Cc: openpgp@ietf.org
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

On 03/15/2014 01:03 AM, Daniel Kahn Gillmor wrote:
> On 03/14/2014 07:42 PM, Vincent Yu wrote:
>> On 03/14/2014 10:38 AM, Daniel Kahn Gillmor wrote:
>>> Guidance would also be useful for implementations processing (or
>>> generating) ring signatures that were made by one of a set of keys where
>>> some of those keys appear to be expired or revoked.  (i haven't thought
>>> this use case through in sufficient detail, but i could see
>>> implementations getting tripped up here or behaving in wildly divergent
>>> ways if there is no clear guidance)
>>
>> I think a good general recommendation here would be to look at each
>> public key individually and output the same warnings and errors that
>> would be output if this were a standard signature. Are there significant
>> issues that you see with this?
>
> i'm just imagining a troubling use case in terms of UI (maybe it isn't
> an issue):
>
>   Alice and Bob have keys; Alice decides she wants to frame Bob.  Alice
> makes a ring signature with her key and with Bob's key at time T over a
> document that is particularly terrible.  She then sets her computer's
> clock back to time T-1 and expires or revokes her own key.
>
> Carol comes along and checks the signature on the terrible document.
> her OpenPGP implementation says "this signature was made by either Alice
> or Bob, but Alice's key was expired/revoked"
>
> If Carol is naive, the implication she might take away from such a UI is
> that Alice couldn't have made the signature, therefore it must have been
> Bob that said the terrible thing.
>
> I don't know how to clarify the UI to avoid giving that impression.
>
> 	--dkg

Hm. Yes, scenarios like that sound like they can confuse the typical 
user and possibly lead to incorrect conclusions. It seems like it would 
be prudent for implementations to issue conspicuous errors when any 
aspect of a ring signature fails to verify, and to warn the user against 
drawing any conclusion other than the fact that the ring signature did 
not verify correctly.

But at the end of the day, the security of the scheme and the behavior 
of the implementation don't matter if users misuse them... A possibly 
more important thing to do is to provide easy-to-read references that 
users can look up. If ring signatures ever get implemented in GnuPG (or 
elsewhere), we should take care to write up clear and concise 
explanations for end users. (This is a difficult task.)

Vincent
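
The following is an added example, not part of the original message and not code from GnuPG or any OpenPGP implementation. It sketches one way a verifier could report ring signatures so that the Alice/Bob scenario above produces a single failure that does not point at any ring member. The `RingMember` type, the `ring_verdict` function, the status strings, and the choice to ignore the claimed revocation time are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RingMember:                      # hypothetical type for this example
    user_id: str
    expires: Optional[int] = None      # key expiration time; None means never
    revoked: bool = False              # any revocation seen, whatever time it claims

def member_problem(m: RingMember, sig_time: int) -> Optional[str]:
    # Revocation and expiration times are asserted by the key holder, who can
    # backdate them, so a revocation counts regardless of its claimed time.
    if m.revoked:
        return "revoked"
    if m.expires is not None and sig_time >= m.expires:
        return "expired"
    return None

def ring_verdict(members: List[RingMember], sig_time: int,
                 crypto_ok: bool) -> Tuple[str, str]:
    """Return (status, message). Any problem fails the whole ring signature,
    and the message never says which member's key caused the failure."""
    if not crypto_ok:
        return ("BAD", "Ring signature did not verify. "
                       "Draw no conclusion about who signed.")
    bad = [m for m in members if member_problem(m, sig_time)]
    if bad:
        return ("BAD", f"Ring signature did not verify: {len(bad)} of "
                       f"{len(members)} ring keys are expired or revoked. "
                       "This does not narrow down who signed.")
    names = ", ".join(sorted(m.user_id for m in members))
    return ("GOOD", f"Signed by one of: {names}. "
                    "The signer cannot be identified further.")

# Constructed sample data for the framing scenario: the signature is made at
# time T = 1000, and afterwards a revocation for Alice's key appears.
T = 1000
FRAMING_RING = [RingMember("Alice", revoked=True), RingMember("Bob")]
CLEAN_RING = [RingMember("Alice"), RingMember("Bob", expires=5000)]

if __name__ == "__main__":
    for ring in (FRAMING_RING, CLEAN_RING):
        print(ring_verdict(ring, T, crypto_ok=True))
```
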