Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]
Benjamin Kaduk <kaduk@mit.edu> Fri, 30 August 2019 04:43 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B2AB120CD4 for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2019 21:43:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id unWxa-jmDRhn for <openpgp@ietfa.amsl.com>; Thu, 29 Aug 2019 21:43:39 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 089EC120CAF for <openpgp@ietf.org>; Thu, 29 Aug 2019 21:43:38 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x7U4hUGb011639 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 30 Aug 2019 00:43:34 -0400
Date: Thu, 29 Aug 2019 23:43:30 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: openpgp@ietf.org
Message-ID: <20190830044304.GL84368@kduck.mit.edu>
References: <156650274021.14785.10325255315266801149.idtracker@ietfa.amsl.com> <875zmodi1v.fsf@fifthhorseman.net> <8736hsdfm4.fsf@fifthhorseman.net> <20190826071911.GE84368@kduck.mit.edu> <87blwbbwe4.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <87blwbbwe4.fsf@fifthhorseman.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/rrfkEQIgjkfDz3lSg-V-QZkV9P0>
Subject: Re: [openpgp] Revocations of third-party certifications (TPK+"CRL") [was: draft-dkg-openpgp-abuse-resistant-keystore-04.txt]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2019 04:43:44 -0000
On Mon, Aug 26, 2019 at 02:43:15PM -0400, Daniel Kahn Gillmor wrote: > On Mon 2019-08-26 02:19:12 -0500, Benjamin Kaduk wrote: > > On Thu, Aug 22, 2019 at 06:01:23PM -0400, Daniel Kahn Gillmor wrote: > >> Note that this only works if there is a well-established convention > >> about what digest algorithm to use. I don't want to keep a SHA256 and a > >> SHA512 and a blake2b index of all the certifications i know about. Note > >> also that SHA256 isn't used here for strong cryptographic purposes -- > >> it's just a hash table indexer. > > > > This sounds an awful lot like (my understanding of) what PHB's UDF [1] > > (uniform data fingerprint) is supposed to be. Sadly, I've not had time > > yet to give it a proper read... > > > > [1] https://tools.ietf.org/html/draft-hallambaker-mesh-udf > > I don't think that this is the same thing as i'm proposing above -- my > understanding is that PHB's UDF is intended to have some level of > cryptographic resilience -- to collisions at least, and maybe to > pre-images in some contexts. That's my understanding as well, but with the related property that a single index will encompass all fingerprint-generating algorithms, which is what I was focusing on. It does not really get you the property that if you have one fingerprint you can look up the entry for the object with that fingerprint, though (IIUC), since the entry might only be in the index under a different "name". Sorry for not thinking it through more, Ben > In the scheme i've proposed above, the digest is simply used to find a > certification in an index. It could conceivably be non-unique, even, > since the verification is expected to be done over the full underlying > certification data. (i.e. it's an index to a non-keyed hashtable) > > To avoid malicious attacks against the efficiency of the non-keyed > hashtable (e.g. if we used CRC32, an adversary could flood the user with > certifications that produce identical checksums, reducing them to linear > search), we probably *do* want it to be collision-resistant, but it's > not going to need the same level of cryptographic rigor that we'd need > for a fingerprint, where the fingerprint itself is used to prove > identity of data. > > --dkg
- [openpgp] [internet-drafts@ietf.org] New Version … Daniel Kahn Gillmor
- [openpgp] Revocations of third-party certificatio… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… vedaal
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Benjamin Kaduk
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Jon Callas
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Jon Callas
- Re: [openpgp] Revocations of third-party certific… Daniel Kahn Gillmor
- Re: [openpgp] Revocations of third-party certific… Peter Gutmann
- Re: [openpgp] Revocations of third-party certific… Benjamin Kaduk
- Re: [openpgp] Revocations of third-party certific… Jon Callas