Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
Vincent Yu <v@v-yu.com> Sun, 16 March 2014 02:28 UTC
Return-Path: <v@v-yu.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4471A024E for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 19:28:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9HsGcp-puMGv for <openpgp@ietfa.amsl.com>; Sat, 15 Mar 2014 19:28:26 -0700 (PDT)
Received: from smtp10.hushmail.com (smtp10.hushmail.com [65.39.178.143]) by ietfa.amsl.com (Postfix) with ESMTP id F34F31A022D for <openpgp@ietf.org>; Sat, 15 Mar 2014 19:28:25 -0700 (PDT)
Received: from smtp10.hushmail.com (localhost [127.0.0.1]) by smtp10.hushmail.com (Postfix) with SMTP id 7DA5EC016A for <openpgp@ietf.org>; Sun, 16 Mar 2014 02:28:18 +0000 (UTC)
Received: from smtp.hushmail.com (w9.hushmail.com [65.39.178.29]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp10.hushmail.com (Postfix) with ESMTPS; Sun, 16 Mar 2014 02:28:17 +0000 (UTC)
Message-ID: <78443bf532834a1dfdd4e0c80af2bea3@smtp.hushmail.com>
Date: Sat, 15 Mar 2014 22:28:14 -0400
From: Vincent Yu <v@v-yu.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Nicholas Cole <nicholas.cole@gmail.com>, openpgp@ietf.org
References: <80674820640dbeb5ae81f81c67d87541@smtp.hushmail.com> <8761nh1549.fsf@vigenere.g10code.de> <a6d56e791a2c878f34369abc6f09b71d@smtp.hushmail.com> <5323146D.4050006@fifthhorseman.net> <a9cf1a7b7e08e0d601fa5c7c5cf50e71@smtp.hushmail.com> <5323DF28.5070809@fifthhorseman.net> <F4D2857E-0D33-4B6E-8829-9026CE9398DF@callas.org> <CAAu18hczJb9C2qv-HYJ0kwP7npEgy4f-D0VOMReBSi==XqT9Eg@mail.gmail.com> <CAAu18hc2BPd3u2OnvxMGattGrdEXZgpxTGsR05GU7D-7L10Usw@mail.gmail.com> <029427f6d271b61840ad3f919796c18c@smtp.hushmail.com> <CAAu18hdh+muvDG=SkBs_Y2gDKtMzMPgx8kv6KUNEzODE1j36qQ@mail.gmail.com>
In-Reply-To: <CAAu18hdh+muvDG=SkBs_Y2gDKtMzMPgx8kv6KUNEzODE1j36qQ@mail.gmail.com>
X-Enigmail-Version: 1.6
OpenPGP: id=d28d7c4078b3742a; url=https://v-yu.com/pubkeys/openpgp.asc
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="afe0e6bA62nffC633nt70CRj59SrggkQ7"
Archived-At: http://mailarchive.ietf.org/arch/msg/openpgp/tBkLIdG3p1foDRoZzcVIAnpL6r8
Subject: Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Mar 2014 02:28:28 -0000
On 03/15/2014 06:02 PM, Nicholas Cole wrote: > > > On Saturday, 15 March 2014, Vincent Yu <v@v-yu.com <mailto:v@v-yu.com>> > wrote: > This reminds me that I used the name "signer-ambiguous signature" in > some of the early drafts of my proposal. This name concisely > describes the most important property of ring signatures. Now that I > think about it, that is a much better name than "ring signature" for > implementations to present to their end users. > > "Signer-ambiguity" was coined by Rivest et al. to describe ring > signatures in their seminal paper in 2001, so it's well-connected to > the concept of ring signatures in the literature. > > Unless there are severe objections, I will modify the proposal to > use the phrase "signer-ambiguous signature" to refer generally to > the signatures produced by the scheme, and use "ring signature" only > as technical term for the specific scheme that was chosen to provide > signer-ambiguity. > > > I think that is a better name. It gets away from the idea that there is > a 'ring' of people who have authorized each other to make signatures. > But still, I think that this proposal will bring more problems than > benefits. Signatures will appear that 'might' have been made by all > kinds of people on all kinds of documents. User interfaces will > struggle to help users to make good decisions as a result. I can't help > feeling that this kind of signature belongs in very specific > applications, and not in general purpose tools. But I could be wrong. I share your concerns, but on the whole, I think it is a net positive to offer signers the option to create signer-ambiguous signatures. Let me go into more detail. Within benign use cases, there are two sides to signer-ambiguous signatures: the recipient's side and the signer's side. The recipient would generally prefer to receive standard signatures rather than signer-ambiguous signatures because standard signatures offer stronger guarantees and grant them the power to prove to others what they received. However, recipients would prefer to receive signer-ambiguous signatures rather than no signature. So from the recipient's perspective, signer-ambiguous signatures can be bad or good, depending on whether the alternative is a standard signature or no signature. However, signer-ambiguous signatures are designed with the signer in mind. The signer would find signer-ambiguous signatures useful in situations where they wish to ensure authenticity without granting recipients the power to transfer their signatures (here, I am considering only two-party communications; there are potentially other applications of signer-ambiguous signatures). Signer-ambiguous signatures are always good from the signer's perspective, because they provide an extra option that they may choose to use. Within malicious use cases, there is the attacker's side. At the end of the day, a new signature type will indeed create a potential attack vector, and it is hard to predict exactly what types of attack will become possible because the details will depend on the interactions between users and implementations. It seems to me that your worries fall mainly within scenarios with an attacker. Without an attacker, there is little reason to worry about verifier confusion because the goals of signers coincide with those of recipients: signatures are a way for signers to provide a guarantee to recipients. If it turns out that recipients get excessively confused over signer-ambiguous signatures, then signers will simply decide not to use them. In the long run, signers will adapt and use signer-ambiguous signatures only when they judge that the benefits outweigh the potential confusion. So we need only worry about the potential for verifier confusion in scenarios with an attacker. Here, I think implementations have a good response available if attacks grow rampant: they simply refuse to verify signer-ambiguous signatures. Without the cooperation of implementations, attackers can do no harm. That is the worst case scenario. However, I consider it unlikely that attacks using signer-ambiguous signatures will ever become common enough to outweigh the benefits to signers. Perhaps our intuitions differ here. The main point I wish to reemphasize is that signers are free not to create signer-ambiguous signatures if they think that the potential for confusion outweighs the benefits. Their goals are aligned with those of recipients. Vincent
- [openpgp] Proposal for a separable ring signature… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- [openpgp] Non-SHA-1 fingerprints in signatures [w… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… David Shaw
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Vincent Yu
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Peter Pentchev
- Re: [openpgp] Non-SHA-1 fingerprints in signature… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Daniel Kahn Gillmor
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… Vincent Yu
- Re: [openpgp] Proposal for a separable ring signa… vedaal
- Re: [openpgp] Proposal for a separable ring signa… Falcon Darkstar Momot
- Re: [openpgp] Proposal for a separable ring signa… Nicholas Cole
- Re: [openpgp] Proposal for a separable ring signa… ianG
- Re: [openpgp] Proposal for a separable ring signa… Jon Callas
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie
- Re: [openpgp] Proposal for a separable ring signa… Werner Koch
- Re: [openpgp] Proposal for a separable ring signa… Ben Laurie