Re: [openpgp] Proposed text for V5 fingerprint

[Phillip Hallam-Baker <phill@hallambaker.com>]

On Mon, Sep 19, 2016 at 6:36 AM, Thijs van Dijk <schnabbel@inurbanus.nl>
wrote:

> On 17 September 2016 at 23:43, Phillip Hallam-Baker <phill@hallambaker.com
> > wrote:
>
>> ​
>>
> The only thing that forces a change of VersionID is a change in digest
>> algorithm. Which is probably the thing that would lead to a V6 format
>> anyway.​
>>
>
> That's a good point. In fact, I'll hazard a guess and say that that's
> likely to be the only event to warrant a key version bump.
>

​Yep, if it wasn't for the fact that we need to get rid of the issue time
and use SHA2 and Base32, maybe we wouldn't ​be doing it now. I hope
OpenPGPv6 won't need to rev the format.



> ​I think we should kill fingerprints with a work factor of less than 2^92 ​
>> ​as unsafe.​ No matter what, they just keep coming back and biting in bad
>> ways.
>>
>
> Fair enough.
> At the other end of the spectrum, do you have any thoughts on what we can
> consider the "full" fingerprint? This scheme has an implied maximum length
> of 500 bits (the largest multiple of 25 less than 512+8). Apart from
> specifying a minimum (100 bits), do you think we should make a
> recommendation for what is an appropriate level of assurance? (E.g. 250
> bits - 10 groups of 5 base32 characters, similar in size and grouping to V4
> fingerprints.)
>

​I think that for virtually all purposes, a 50+9 character (i.e. 2^242 work
factor) fingerprint is sufficient.​ I don't see more being useful unless
you are really keen on keeping the full 256WF of AES-256.

This is a manageable length for configuration files (looking at you SSH).
So yesterday, I was working on a IoT project to develop a secure means of
controlling the garage door etc. on the house. The config file looks like:

Remote1 = M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
Remote2 = MF3WU-23FNR-VWU4L-XMVTG-Y23RN-J3WK3-DGNNY-XO3DL-MVTGU-3DLOF
...

In this case the remote is currently a Teensy 3.2 device ($12) that has a
32 bit processor and so I am using public key (cos I can). But I might well
want to use a Kerberos type approach and a cheaper CPU (Arduino Nano,
$1.30) instead. I can still use the same approach to authenticate and
authorize the remote.

Note that the configuration file does not need to specify the type of key
because that will be specified when the public portion of the key is
presented. Whether that is a Curve25529 key or a Kerberos ticket, the
message that presents the public key will specify what it is.


I could well see the same approach for SSH authorized_keys files. In fact
my project for this morning/week is to get something like this working:

mesh M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0KJDLOiiXj9XdMxiCT9Kv
​... (5000 chars)..

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAywWhrwq4FjHt+UuwZcZ
​... (5000 chars)..


​The first lines is the actual trust anchor which is a fingerprint of a
master key of a mesh profile. This is a long term (100 year) key and is not
expected to change. The next two lines are keys that have been fetched from
the mesh and are the latest SSH keys for the two devices the user has
connected to that profile for SSH use.


​The equivalent for OpenPGP would be to manually edit your keyring. In this
case Carol enters the following:

alice@example.com
M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
bob@example.com ​MF3WU-23FNR-VWU4L-XMVTG

When a mail from Bob is received, the mail client updates its copy of the
keyring with the strengthened fingerprint:

alice@example.com
M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
bob@example.com ​MF3WU-23FNR-VWU4L-XMVTG-Y23RN-J3WK3-DGNNY-XO3DL-MVTGU-3DLOF


Apart from this, you'll be glad to know that I've kicked the tyres of this
> proposal about all I can, and I like it a lot. Eagerly awaiting someone
> else to chime in at this point.
>

​Thanks for doing so.​