Re: [openpgp] Followup on fingerprints

Nicholas Cole <nicholas.cole@gmail.com> Thu, 06 August 2015 16:12 UTC

In-Reply-To: <87d1z0763m.fsf@littlepip.fritz.box>
References: <87twsn2wcz.fsf@vigenere.g10code.de> <CAMm+LwgRJX-SvydmpUAJMmN3yysi4zzGSpO2yY4JAMhD-9xLgQ@mail.gmail.com> <87zj2ecmv8.fsf@alice.fifthhorseman.net> <CAMm+LwgKmcTes=V7uS3MjCQixWCo-i7PY=VE7eCHSqt3Ho3OSg@mail.gmail.com> <87a8udd4u6.fsf@alice.fifthhorseman.net> <sjm61503182.fsf@securerf.ihtfp.org> <CAMm+LwgEVySpfL-iN2uzX-4tu7R+isDkHE9D8uAeLTxxd4VxqQ@mail.gmail.com> <sjmwpxc1kbv.fsf@securerf.ihtfp.org> <CAAS2fgR6LYck+km5Ze6S9z65ZgsR61d8md2CqojDaceZ0OrZrw@mail.gmail.com> <9c2c8c5df67c83925d7e3c21fe943483.squirrel@mail2.ihtfp.org> <20150803173231.GG3067@straylight.m.ringlet.net> <2439a89a6c4eb70044e144406a732482.squirrel@mail2.ihtfp.org> <87io8v7uqt.fsf@littlepip.fritz.box> <87h9of7p0e.fsf@littlepip.fritz.box> <87wpxbtuwk.fsf@vigenere.g10code.de> <CAAu18hez49oVhTwRLqv=3rifbg5q5+EqsSvBO0c-ezq+M_Qmyw@mail.gmail.com> <87614u4u7q.fsf@alice.fifthhorseman.net> <55C3836D.2040104@iang.org> <87d1z0763m.fsf@littlepip.fritz.box>
Date: Thu, 06 Aug 2015 17:12:48 +0100
Message-ID: <CAAu18hcnjnZjwZn-uPO936CHDABn_HmqOibtsrBC7Ya7b-93Lg@mail.gmail.com>
From: Nicholas Cole <nicholas.cole@gmail.com>
To: Vincent Breitmoser <look@my.amazin.horse>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/u-XQoihCfOnDxpGnbbplUGuy6rw>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, ianG <iang@iang.org>
Subject: Re: [openpgp] Followup on fingerprints

On Thursday, 6 August 2015, Vincent Breitmoser <look@my.amazin.horse> wrote:

>
> On 6 Aug 2015, ianG wrote:
>
> > I'll bite: A person with two keys can sign a document that holds
> > him, then announce that it wasn't signed by him.
>
> Even though two keys exist with the same fingerprint, a signature made
> by one will only check out with that one, so creating ambiguous
> signatures is not that simple unless the attacker can also freely choose
> which one of the two keys will be used for verification.  Also keep in
> mind that certificates are made over public key material, not only
> fingerprints.
>
> > As proof, he can anonymously publish his other key...
>
> Yes, well.  He could also publish this key if it wasn't a collided one,
> or simply state that it was compromised.  Which leads us to the same old
> discussion about the usefulness of non-repudiation in practice.
>
>
There's actually just a more basic, practical problem. Most gpg tools
assume unique fingerprints. Is it even possible to specify one key rather
than another if both have the same fingerprint?
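The two points made above, that a signature only verifies under the one key that made it, and that tooling indexed by fingerprint has no way to name one of two colliding keys, can be shown with a small model. The following is an added example, not code from the thread or from GnuPG: it uses Ed25519 from the Go standard library in place of OpenPGP keys, and a deliberately truncated 8-bit hash (`toyFingerprint`) in place of the 160-bit v4 fingerprint so that a collision can be found in a few hundred tries. `keyFromCounter`, `findCollidingKey` and the `Keyring` type are illustrative names invented here, and keys derived from a counter are for reproducibility only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// toyFingerprint returns a deliberately tiny (8-bit) "fingerprint" of a
// public key so a collision is cheap to find. Real OpenPGP v4 fingerprints
// are 160-bit SHA-1; the truncation only simulates the colliding-key case.
func toyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:1])
}

// keyFromCounter derives an Ed25519 key pair deterministically from a
// counter so the example is reproducible. Never derive real keys this way.
func keyFromCounter(n uint64) (ed25519.PublicKey, ed25519.PrivateKey) {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], n)
	seed := sha256.Sum256(buf[:])
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// findCollidingKey scans counters from start upward until it finds a
// different key whose toy fingerprint equals that of target.
func findCollidingKey(target ed25519.PublicKey, start uint64) (ed25519.PublicKey, ed25519.PrivateKey, uint64) {
	want := toyFingerprint(target)
	for n := start; ; n++ {
		pub, priv := keyFromCounter(n)
		if toyFingerprint(pub) == want && !pub.Equal(target) {
			return pub, priv, n
		}
	}
}

// Keyring indexes public keys by fingerprint, as most tooling does. Once
// two keys collide, a fingerprint lookup yields more than one candidate.
type Keyring map[string][]ed25519.PublicKey

// Add stores pub under its fingerprint, keeping colliding keys side by side.
func (k Keyring) Add(pub ed25519.PublicKey) {
	fp := toyFingerprint(pub)
	k[fp] = append(k[fp], pub)
}

// VerifyByFingerprint resolves fp to its candidate keys and reports how many
// candidates matched and which of them (if any) actually verify sig over msg.
// With a collision the fingerprint alone is ambiguous, but the signature
// still checks out under exactly one of the keys.
func (k Keyring) VerifyByFingerprint(fp string, msg, sig []byte) (candidates int, verifying []ed25519.PublicKey) {
	for _, pub := range k[fp] {
		candidates++
		if ed25519.Verify(pub, msg, sig) {
			verifying = append(verifying, pub)
		}
	}
	return candidates, verifying
}

func main() {
	pubA, privA := keyFromCounter(0)
	pubB, _, tries := findCollidingKey(pubA, 1)
	fmt.Printf("collision after %d tries: fp=%s\n", tries, toyFingerprint(pubA))

	msg := []byte("constructed sample document") // constructed input
	sig := ed25519.Sign(privA, msg)
	fmt.Println("verifies with key A:", ed25519.Verify(pubA, msg, sig))
	fmt.Println("verifies with key B:", ed25519.Verify(pubB, msg, sig))

	kr := Keyring{}
	kr.Add(pubA)
	kr.Add(pubB)
	n, ok := kr.VerifyByFingerprint(toyFingerprint(pubA), msg, sig)
	fmt.Printf("fingerprint lookup: %d candidates, %d verify\n", n, len(ok))
}
```

The lookup returns two candidates for one fingerprint, which is the ambiguity the question above points at: a tool that takes a fingerprint as the key selector cannot express "the second one". The signature, however, verifies under key A only, which is why an attacker cannot simply produce an ambiguous signature without also controlling which key the verifier picks; disambiguation has to fall back to the full public key material, exactly as certifications already do.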