Re: [openpgp] Proposed text for V5 fingerprint

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 19 September 2016 13:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/voQl3LeFEBl2QkGtg-UMyYhOe8w>

On Mon, Sep 19, 2016 at 6:36 AM, Thijs van Dijk <schnabbel@inurbanus.nl>
wrote:

> On 17 September 2016 at 23:43, Phillip Hallam-Baker <phill@hallambaker.com>
> wrote:
>
>> The only thing that forces a change of VersionID is a change in digest
>> algorithm. Which is probably the thing that would lead to a V6 format
>> anyway.
>
> That's a good point. In fact, I'll hazard a guess and say that that's
> likely to be the only event to warrant a key version bump.
>

Yep, if it wasn't for the fact that we need to get rid of the issue time
and use SHA2 and Base32, maybe we wouldn't be doing it now. I hope
OpenPGPv6 won't need to rev the format.



>> I think we should kill fingerprints with a work factor of less than 2^92
>> as unsafe. No matter what, they just keep coming back and biting in bad
>> ways.
>
> Fair enough.
> At the other end of the spectrum, do you have any thoughts on what we can
> consider the "full" fingerprint? This scheme has an implied maximum length
> of 500 bits (the largest multiple of 25 less than 512+8). Apart from
> specifying a minimum (100 bits), do you think we should make a
> recommendation for what is an appropriate level of assurance? (E.g. 250
> bits - 10 groups of 5 base32 characters, similar in size and grouping to V4
> fingerprints.)
>

I think that for virtually all purposes, a 50+9 character (i.e. 2^242 work
factor) fingerprint is sufficient. I don't see more being useful unless
you are really keen on keeping the full 256WF of AES-256.

This is a manageable length for configuration files (looking at you SSH).
So yesterday, I was working on an IoT project to develop a secure means of
controlling the garage door etc. on the house. The config file looks like:

Remote1 = M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
Remote2 = MF3WU-23FNR-VWU4L-XMVTG-Y23RN-J3WK3-DGNNY-XO3DL-MVTGU-3DLOF
...

In this case the remote is currently a Teensy 3.2 device ($12) that has a
32 bit processor and so I am using public key (cos I can). But I might well
want to use a Kerberos type approach and a cheaper CPU (Arduino Nano,
$1.30) instead. I can still use the same approach to authenticate and
authorize the remote.

Note that the configuration file does not need to specify the type of key
because that will be specified when the public portion of the key is
presented. Whether that is a Curve25519 key or a Kerberos ticket, the
message that presents the public key will specify what it is.


I could well see the same approach for SSH authorized_keys files. In fact
my project for this morning/week is to get something like this working:

mesh M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0KJDLOiiXj9XdMxiCT9Kv
... (5000 chars)..

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAywWhrwq4FjHt+UuwZcZ
... (5000 chars)..


The first line is the actual trust anchor which is a fingerprint of a
master key of a mesh profile. This is a long term (100 year) key and is not
expected to change. The next two lines are keys that have been fetched from
the mesh and are the latest SSH keys for the two devices the user has
connected to that profile for SSH use.


The equivalent for OpenPGP would be to manually edit your keyring. In this
case Carol enters the following:

alice@example.com
M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
bob@example.com MF3WU-23FNR-VWU4L-XMVTG

When a mail from Bob is received, the mail client updates its copy of the
keyring with the strengthened fingerprint:

alice@example.com
M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
bob@example.com MF3WU-23FNR-VWU4L-XMVTG-Y23RN-J3WK3-DGNNY-XO3DL-MVTGU-3DLOF


> Apart from this, you'll be glad to know that I've kicked the tyres of this
> proposal about all I can, and I like it a lot. Eagerly awaiting someone
> else to chime in at this point.
>

Thanks for doing so.
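
The keyring step described in the message above (a short pinned fingerprint that is checked against a presented key and then replaced by the 50+9 character form), as an added example that is not part of the original post or of the proposed V5 text. It assumes the fingerprint is the Base32 encoding of a one-byte version ID followed by the SHA-512 digest of the key bytes; the version value, the key bytes and the function names are hypothetical.

```python
import base64
import hashlib

VERSION_ID = 0x60   # assumed placeholder; the thread does not give the value
MIN_CHARS = 20      # 100 bits, the minimum mentioned in the thread
FULL_CHARS = 50     # 250 bits, shown as 10 groups of 5 (50+9 characters)
MAX_CHARS = 100     # 500 bits, the implied maximum

# Constructed sample key material, not real keys.
BOB_KEY = b"constructed sample public key for bob"
OTHER_KEY = b"constructed sample public key for someone else"


def fingerprint(key_bytes, chars=FULL_CHARS):
    """Base32 of version byte || SHA-512(key), truncated, grouped by 5."""
    if chars % 5 or not MIN_CHARS <= chars <= MAX_CHARS:
        raise ValueError("length must be a multiple of 5 from 20 to 100")
    raw = bytes([VERSION_ID]) + hashlib.sha512(key_bytes).digest()
    text = base64.b32encode(raw).decode("ascii")[:chars]
    return "-".join(text[i:i + 5] for i in range(0, chars, 5))


def normalise(pin):
    """Drop grouping hyphens and whitespace so pins compare as plain Base32."""
    return "".join(pin.split()).replace("-", "").upper()


def check_and_strengthen(keyring, identity, key_bytes):
    """Accept a presented key only if it matches the pinned prefix.

    On a match against a short pin, replace the pin with the 50-character
    form so later checks rely on the stronger fingerprint.
    """
    pin = normalise(keyring[identity])
    if len(pin) < MIN_CHARS:
        return False    # under 100 bits: refuse to use it as a trust anchor
    full = normalise(fingerprint(key_bytes, MAX_CHARS))
    if not full.startswith(pin):
        return False    # presented key does not hash to the pinned prefix
    if len(pin) < FULL_CHARS:
        keyring[identity] = fingerprint(key_bytes, FULL_CHARS)
    return True
```

The keyring entry is only rewritten after a successful match, so a non-matching key never displaces the pin the user typed in.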