Re: [openpgp] Fingerprints
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 10 April 2015 15:15 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B3DD1A1AE3 for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 08:15:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YpErCyBUv2sj for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 08:15:31 -0700 (PDT)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 010BA1A1A8C for <openpgp@ietf.org>; Fri, 10 Apr 2015 08:15:30 -0700 (PDT)
Received: by layy10 with SMTP id y10so15596025lay.0 for <openpgp@ietf.org>; Fri, 10 Apr 2015 08:15:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=d7w5zDcAg3XQpaE++UHlemqDHMHqcD2oXGdd3jl70mI=; b=bvghggLxg5we87BBKjNURBGbX4IBrOuLrZig5fe4ihm//jEC2wIDk500yWOskNHrmm O4FxDnjQtrJQYgFKT0B9h1KYDzwbXMXyB3JSSWZwJ5h6q0VPCASXru6nUNvrEHPUj602 D6bNAW9kXhUYmsmvmqoibl7f0X9DgAhNGkMdibhyeEbCt8Vg7vFaHQUkDHZZUroclZge fZnEPjh2yiKbUg8RpLWF1Ol8kszjkvE2CAlK9jcxucJuM+ctrnYLTdt9msACMETIK/yW 7EPhWG2CmKd+eLtiy6G4s4WuyuBW78F5GfTS/KPJ3zoCLP8lhi0X1CoqQniNoaua4Ttu W2YA==
MIME-Version: 1.0
X-Received: by 10.152.6.1 with SMTP id w1mr1808227law.91.1428678928431; Fri, 10 Apr 2015 08:15:28 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.147.165 with HTTP; Fri, 10 Apr 2015 08:15:28 -0700 (PDT)
In-Reply-To: <87y4m0ozlt.fsf@vigenere.g10code.de>
References: <CAMm+LwhbB+-MnGRBCvprgAGOuu+5CJ2rgod7EBGOQR5UNVrspQ@mail.gmail.com> <87y4m0ozlt.fsf@vigenere.g10code.de>
Date: Fri, 10 Apr 2015 11:15:28 -0400
X-Google-Sender-Auth: wqDK2PbGfsCGIq_wEojU9i_6s0g
Message-ID: <CAMm+LwgC79wqHYMmFAXBarLQE0+8eSZMnNVtniaqD8jyFgLGbg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "openpgp@ietf.org" <openpgp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/qZXNx2BgeELB6EPn_m8y-_FjCsk>
Subject: Re: [openpgp] Fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 15:15:33 -0000
On Fri, Apr 10, 2015 at 9:57 AM, Werner Koch <wk@gnupg.org> wrote: > On Fri, 10 Apr 2015 15:23, phill@hallambaker.com said: > >> There is no need to have an algorithm field, a version field is >> sufficient because we should only be using one algorithm at a given > > Right. However an algorithm field is as good as a version field because > they have the same purpose in this context. An algorithm field saves us > a mapping to the actual algorithm. Recall that OpenPGP uses an > one-octet indentifier and not an OID. > >> time. There is no need for a length field either. > > Agreed. > > It is often useful to have a keyid to quickly (but insecure) refer to a > key. I suggest to take it from the fingerprint bytes 1 to 4 (ignoring > the algorithm byte). There is no need for a long keyid. However, we > may also suggest a use like in git where you may abbreviate it as you > like - however the keyid should be non-normative because the protocol > should not make any use of it. > >> I am also using SHA512 and truncating to 128 bits, then base 32 >> encoding. The rationale for this is > > Because there are several versions of BASE-32 I suggest the use of > z-base-32 which is used by Tahoe-LAFS and ZRTP. The truncation length of > the hash should be match a best match for the base 32 encoding. That is the one I am using already. Truncating to a multiple of 5 bits makes sense to me (32 = 2^5). If we truncate to a multiple of 5 characters as well, we can break at the segment boundaries: 100 bit fingerprint: opgp:xxxxx-xxxxx-xxxxx-xxxxx 125 bit fingerprint: opgp:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx 200 bit fingerprint: opgp:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx 250 bit fingerprint: opgp:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx The version field will steal a few bits. We might want to consider using a 5 bit field rather than 8 and set it up so that the first character gives the version number. Future generations can always decide to add bits if they start to run out. >> * Fingerprints are the root of trust, there is an outside chance that >> SHA-2-256 might be broken but breaking SHA-2-512 truncated to 256 bits >> is a lot harder because it has 80 rounds rather than 64. > > I think that should be discussed in the context of the new default hash > algorithm. OK, fair enough. >> The bit that will probably be controversial is how I am calculating >> them, over an X.509v3 KeyInfo block. There is method to the madness > > X.509 has no definition for a fingerprint but OpenPG already uses a well > defined method to compute the fingerprint. You can't compare the two > protocols or define a unique fingerprint method. The objective here is to be able to establish the fingerprint as the interface between the trust model and the protocol. X.509 does not have that concept at the moment. But introducing that concept into the PKIX world is how I think we can get to convergence between the two models. >> If people really can't stomach ASN.1 code then we could do some other >> key format. But the problem then becomes having to specify how to > > We want to do an rfc4880bis and not an entire new protocol. Thus any > ASN.1 encoding is not an option. For approved algorithms, I really don't care. I will need to implement the existing key format in any case. What I would like to avoid is having to review drafts describing vanity crypto. The fingerprint is going to need to include some sort of algorithm identifier key in the data being hashed to prevent algorithm substitution attacks. So one option would be to specify how to encode the algorithms we plan to approve and recommend and then reserve one code for 'X.509 KeyInfo Blob' just treating it as an algorithm. Then when the Russians come looking to get a PGP RFC issued describing how to use GOST, the NSA come along wanting code points for Suites A, B and C, Fred comes round with Power One Time Pad, etc. etc. They can be told they don't need it. This has the major advantage that there would be no need to shift away from the existing one byte registries and it would reduce the risk of having them filled up with junk. One of the things I would like the IETF to adopt as a general policy is to have one Mandatory to Implement algorithm and one backup algorithm that are supported by all IETF crypto protocols that are in active use and to avoid having working groups dragging on for five years after they were really finished as people bikeshed algorithm choices.
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Fingerprints Werner Koch
- [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Tom Ritter
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Daniel A. Nagy
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Stephen Paul Weber
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Jon Callas
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints David Shaw
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Jon Callas
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Daniel Kahn Gillmor
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Designated Revokers Vincent Breitmoser
- Re: [openpgp] Fingerprints Vincent Breitmoser
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Jon Callas
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Derek Atkins
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Daniel Ranft
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Daniel A. Nagy
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Vincent Breitmoser
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Vincent Breitmoser
- Re: [openpgp] Fingerprints Werner Koch
- Re: [openpgp] Fingerprints Vincent Breitmoser
- Re: [openpgp] [eX-bulk] : Re: Fingerprints Christopher LILJENSTOLPE
- Re: [openpgp] [eX-bulk] : Re: Fingerprints Christopher LILJENSTOLPE
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Vincent Breitmoser
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints Christoph Anton Mitterer
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints ianG
- Re: [openpgp] Fingerprints Phillip Hallam-Baker
- [openpgp] [RFC4880bis PATCH] Deprecate "Revocatio… Daniel Kahn Gillmor
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Daniel Kahn Gillmor
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Neal H. Walfield
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Daniel Kahn Gillmor
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Daniel Kahn Gillmor
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Werner Koch
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… vedaal
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Paul Wouters
- Re: [openpgp] [Suspected Junk Mail] Re: [RFC4880b… vedaal
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Daniel Kahn Gillmor
- Re: [openpgp] [RFC4880bis PATCH] Deprecate "Revoc… Daniel Kahn Gillmor
- Re: [openpgp] [Suspected Junk Mail] Re: [RFC4880b… Daniel Kahn Gillmor