IETF Logo Mail Archive

Re: [openpgp] Fingerprints

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 10 April 2015 15:15 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B3DD1A1AE3 for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 08:15:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YpErCyBUv2sj for <openpgp@ietfa.amsl.com>; Fri, 10 Apr 2015 08:15:31 -0700 (PDT)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 010BA1A1A8C for <openpgp@ietf.org>; Fri, 10 Apr 2015 08:15:30 -0700 (PDT)
Received: by layy10 with SMTP id y10so15596025lay.0 for <openpgp@ietf.org>; Fri, 10 Apr 2015 08:15:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=d7w5zDcAg3XQpaE++UHlemqDHMHqcD2oXGdd3jl70mI=; b=bvghggLxg5we87BBKjNURBGbX4IBrOuLrZig5fe4ihm//jEC2wIDk500yWOskNHrmm O4FxDnjQtrJQYgFKT0B9h1KYDzwbXMXyB3JSSWZwJ5h6q0VPCASXru6nUNvrEHPUj602 D6bNAW9kXhUYmsmvmqoibl7f0X9DgAhNGkMdibhyeEbCt8Vg7vFaHQUkDHZZUroclZge fZnEPjh2yiKbUg8RpLWF1Ol8kszjkvE2CAlK9jcxucJuM+ctrnYLTdt9msACMETIK/yW 7EPhWG2CmKd+eLtiy6G4s4WuyuBW78F5GfTS/KPJ3zoCLP8lhi0X1CoqQniNoaua4Ttu W2YA==
MIME-Version: 1.0
X-Received: by 10.152.6.1 with SMTP id w1mr1808227law.91.1428678928431; Fri, 10 Apr 2015 08:15:28 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.147.165 with HTTP; Fri, 10 Apr 2015 08:15:28 -0700 (PDT)
In-Reply-To: <87y4m0ozlt.fsf@vigenere.g10code.de>
References: <CAMm+LwhbB+-MnGRBCvprgAGOuu+5CJ2rgod7EBGOQR5UNVrspQ@mail.gmail.com> <87y4m0ozlt.fsf@vigenere.g10code.de>
Date: Fri, 10 Apr 2015 11:15:28 -0400
X-Google-Sender-Auth: wqDK2PbGfsCGIq_wEojU9i_6s0g
Message-ID: <CAMm+LwgC79wqHYMmFAXBarLQE0+8eSZMnNVtniaqD8jyFgLGbg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "openpgp@ietf.org" <openpgp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/qZXNx2BgeELB6EPn_m8y-_FjCsk>
Subject: Re: [openpgp] Fingerprints
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 15:15:33 -0000

On Fri, Apr 10, 2015 at 9:57 AM, Werner Koch <wk@gnupg.org> wrote:
> On Fri, 10 Apr 2015 15:23, phill@hallambaker.com said:
>
>> There is no need to have an algorithm field, a version field is
>> sufficient because we should only be using one algorithm at a given
>
> Right.  However an algorithm field is as good as a version field because
> they have the same purpose in this context.  An algorithm field saves us
> a mapping to the actual algorithm.  Recall that OpenPGP uses an
> one-octet indentifier and not an OID.
>
>> time. There is no need for a length field either.
>
> Agreed.
>
> It is often useful to have a keyid to quickly (but insecure) refer to a
> key.  I suggest to take it from the fingerprint bytes 1 to 4 (ignoring
> the algorithm byte).  There is no need for a long keyid.  However, we
> may also suggest a use like in git where you may abbreviate it as you
> like - however the keyid should be non-normative because the protocol
> should not make any use of it.
>
>> I am also using SHA512 and truncating to 128 bits, then base 32
>> encoding. The rationale for this is
>
> Because there are several versions of BASE-32 I suggest the use of
> z-base-32 which is used by Tahoe-LAFS and ZRTP.  The truncation length of
> the hash should be match a best match for the base 32 encoding.

That is the one I am using already. Truncating to a multiple of 5 bits makes
sense to me (32 = 2^5). If we truncate to a multiple of 5 characters as well,
we can break at the segment boundaries:

100 bit fingerprint:
opgp:xxxxx-xxxxx-xxxxx-xxxxx

125 bit fingerprint:
opgp:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

200 bit fingerprint:
opgp:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

250 bit fingerprint:
opgp:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

The version field will steal a few bits. We might want to consider using
a 5 bit field rather than 8 and set it up so that the first character gives
the version number. Future generations can always decide to add bits
if they start to run out.


>> * Fingerprints are the root of trust, there is an outside chance that
>> SHA-2-256 might be broken but breaking SHA-2-512 truncated to 256 bits
>> is a lot harder because it has 80 rounds rather than 64.
>
> I think that should be discussed in the context of the new default hash
> algorithm.

OK, fair enough.


>> The bit that will probably be controversial is how I am calculating
>> them, over an X.509v3 KeyInfo block. There is method to the madness
>
> X.509 has no definition for a fingerprint but OpenPG already uses a well
> defined method to compute the fingerprint.  You can't compare the two
> protocols or define a unique fingerprint method.

The objective here is to be able to establish the fingerprint as the interface
between the trust model and the protocol.

X.509 does not have that concept at the moment. But introducing that
concept into the PKIX world is how I think we can get to convergence between
the two models.


>> If people really can't stomach ASN.1 code then we could do some other
>> key format. But the problem then becomes having to specify how to
>
> We want to do an rfc4880bis and not an entire new protocol.  Thus any
> ASN.1 encoding is not an option.

For approved algorithms, I really don't care. I will need to implement
the existing
key format in any case.


What I would like to avoid is having to review drafts describing vanity crypto.

The fingerprint is going to need to include some sort of algorithm
identifier key
in the data being hashed to prevent algorithm substitution attacks. So
one option
would be to specify how to encode the algorithms we plan to approve and
recommend and then reserve one code for 'X.509 KeyInfo Blob' just treating
it as an algorithm.

Then when the Russians come looking to get a PGP RFC issued describing
how to use GOST, the NSA come along wanting code points for Suites A, B and C,
Fred comes round with Power One Time Pad, etc. etc. They can be told they
don't need it.

This has the major advantage that there would be no need to shift away from
the existing one byte registries and it would reduce the risk of having them
filled up with junk.

One of the things I would like the IETF to adopt as a general policy
is to have one
Mandatory to Implement algorithm and one backup algorithm that are supported by
all IETF crypto protocols that are in active use and to avoid having
working groups
dragging on for five years after they were really finished as people bikeshed
algorithm choices.

v2.23.0 | Report a Bug | By Email