Re: [openpgp] Fingerprints
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 13 April 2015 17:32 UTC
To: Christoph Anton Mitterer <calestyo@scientia.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/srfV5QcVYoa_gIeQIPnBWgaKUic>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>

I think what the discussion of the fingerprint issue is demonstrating is that there is actually a semantic difference between the hash algorithm ID and the fingerprint ID. While this does not make a difference to the bits on the wire, we should probably maintain the distinction or else confusion will be introduced.

It is settled practice that if you are going to sign any important piece of data then you had better sign (Content-Type + Data) and not just Data. Otherwise there is a substitution attack waiting. The same principle applies to fingerprints.

With a fingerprint we have to distinguish:

1) The hash algorithm used to create a fingerprint

2) The packaging format that converts (AlgorithmID, PublicKeyBytes) -> PackedBytes

Right now (2) is a PGP format. But it is not impossible that we would want to switch to a different format down the road. The chief limitation in the PGP format is that all the slots and structures are essentially fixed. The chief benefit of JSON is that the slots in a structure are not fixed and unlike previous attempts (ASN.1, XML) making use of the extension mechanism does not completely suck.

Given the way fingerprints are used, there is an intense pressure to use a single algorithm for everything. That is why I think that we should pick either SHA-2-512 or SHA-3-512 and truncate as necessary.

As a practical matter, I could care less about the code points people choose. But this really is a separate registry from the hash algorithms. We don't need to do anything to identify legacy fingerprints because they are a different size. But totting up all the expected needs, I can only see the need for 3 entries in the next 20 years, maximum:

    Code, Packaging, Algorithm
    10, PGP, SHA-?-512
    0, X.509 KeyInfo, SHA-2-512
    42, JSON-y, SHA-3-512

The type 10 fingerprint would be used for all keys that have a PGP algorithm identifier code assigned and type 0 would be used for vanity crypto, etc.

I picked 10 for PGP because that is the code for the SHA-2-512 algorithm which I think is probably the best choice right now and 42 for some future packing because why not and 0 because that is what I am using now.

I don't think we are likely to need code 42 for a decade. It is the sort of thing that you do AFTER all the other structures are converted. And even then only if you have to.

But the point is that this is a registry with 3 entries maximum. It is not equivalent to the hash registry.
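
The (Content-Type + Data) principle from the message above, applied to fingerprints, as an added example that is not part of the original message and not code from any OpenPGP implementation or specification. The byte layout (one-byte code, four-byte length, key bytes), the use of SHA-2-512 for every type, the 160-bit default and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Codes from the three-row table proposed in the message; a proposal, not an
# assigned registry.
PACKAGING = {10: "PGP", 0: "X.509 KeyInfo", 42: "JSON-y"}


def naive_fingerprint(key_bytes: bytes, bits: int = 160) -> bytes:
    """Hash of the key bytes alone; nothing says how to parse them."""
    return hashlib.sha512(key_bytes).digest()[: bits // 8]


def typed_fingerprint(code: int, key_bytes: bytes, bits: int = 160) -> bytes:
    """SHA-2-512 over (code || length || key bytes), truncated to `bits`.

    The one-byte code and four-byte length prefix are an assumed layout.
    """
    if code not in PACKAGING:
        raise ValueError(f"unknown fingerprint type code {code}")
    if bits % 8 or not 0 < bits <= 512:
        raise ValueError("bits must be a multiple of 8 between 8 and 512")
    packed = bytes([code]) + len(key_bytes).to_bytes(4, "big") + key_bytes
    return hashlib.sha512(packed).digest()[: bits // 8]


def matches(fingerprint: bytes, code: int, key_bytes: bytes) -> bool:
    """Constant-time check of a key against a fingerprint of the stated type."""
    expected = typed_fingerprint(code, key_bytes, bits=len(fingerprint) * 8)
    return hmac.compare_digest(expected, fingerprint)


# Constructed sample: the same 32 bytes offered under two packaging formats.
SAMPLE_KEY = bytes(range(32))

if __name__ == "__main__":
    fp_pgp = typed_fingerprint(10, SAMPLE_KEY)
    print("naive   :", naive_fingerprint(SAMPLE_KEY).hex())
    print("type 10 :", fp_pgp.hex())
    print("type 0  :", typed_fingerprint(0, SAMPLE_KEY).hex())
    print("accepted as type 10:", matches(fp_pgp, 10, SAMPLE_KEY))
    print("accepted as type 0 :", matches(fp_pgp, 0, SAMPLE_KEY))
```

The naive fingerprint is identical whichever packaging the bytes are later parsed under, while the typed one changes with the code, so a fingerprint issued for one packaging does not verify under another. Truncation keeps a shorter fingerprint as a prefix of the longer one.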