ietf-openpgp

Re: PGP 6.5.1 - word list and SDAs?

1999-07-13 23:03:03
At 4:07 AM -0700 7/7/99, Will Price wrote:

Thomas Roessler wrote:
> On 1999-07-07 02:38:43 -0700, Will Price wrote:



Yes, it was obvious.  You're not seeing what I mean by biometric.
The word list is a feature we implemented to provide better biometric
properties for key fingerprint authentication.


> Technical documentation and mappings for the word lists are
> published in the docs for PGP where they belong.  Not in this
> group.

Sorry, Will, this word mapping _is_ an interchange format for
OpenPGP key properties, so it _does_ belong on this list and into
an (at least informational) Internet RFC. After all, there is a
reason behind having a well-defined key fingerprint displayed to
and exchanged by users, isn't there?

I could see a case for documenting the word list we developed into an
informational RFC with no relation to this working group.  I'm sure
we'd be happy to see that happen.  However, the feature is a
biometric authentication method that has no relation to the OpenPGP
data formats.  Saying that this should have gone through OpenPGP in
the first place is like saying the PGPkeys GUI and whether RSA keys
are silver or gold should go through OpenPGP.

There are interesting points here. If the word list is relied upon by the users of the application to exchange the fingerprint, then it is part of the protocol of key exchange. While RFC2440 doesn't deal with key exchange, we've assumed that key verification by users would be performed by exchanging fingerprints in some fashion. The word list is an example of "in some fashion", and must equate to the fingerprint, otherwise it wouldn't unambiguously identify a key.

It is mandatory that any RFC2440 implementation generate and parse a particular kind of fingerprint. While the word list may prove to be eminently useful (it may not; I was amused by Thomas' notion of a "spoken" business card), it seems to me we can safely put this aside.

It may become an issue, however, if work on key exchange protocols and experience with word lists indicates it will likely become widely accepted, and is a preferred way to express the fingerprint. For now, I'd prefer to leave it aside and concentrate on verifying the status in implementations of existing MUSTs in 2440.

john noerenberg (in Oslo Jul 10-19, 1999)
jwn2(_at_)qualcomm(_dot_)com
  ----------------------------------------------------------------------
  The man that can most truly be accounted brave is he who best
  knows the meaning of what is sweet in life and what is terrible,
  and then goes out undeterred to meet what is to come.
  -- Pericles, "Funeral Oration", 479 B.C.
  ----------------------------------------------------------------------
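As an added example, not part of this thread and not PGP's own code, the following Python shows the two things the exchange above turns on: the fingerprint that RFC 2440 makes mandatory (the v4 form, SHA-1 over 0x99, a two-octet length and the public key packet body), and a word encoding of that fingerprint that round-trips to exactly the same bytes, which is the "must equate to the fingerprint" property. PGP's real word lists are published in the PGP documentation and are not reproduced here; the two 256-entry lists in the code are constructed placeholders with the same shape (one list for even byte positions, one for odd), and the sample key material is constructed, not a real key.

```python
# Added example (not from the thread or from PGP/NAI): computes an RFC 2440 v4
# key fingerprint and shows a word-list encoding that round-trips to the same
# bytes, which is the property the thread requires of any "spoken" fingerprint.
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 2440 3.2): 2-octet bit count,
    then the big-endian magnitude with no leading zero octets."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, algo: int, mpis: list) -> bytes:
    """Body of a version 4 public key packet (RFC 2440 5.5.2): version octet,
    4-octet creation time, 1-octet algorithm id, then the algorithm's MPIs."""
    body = b"\x04" + struct.pack(">I", created) + bytes([algo])
    for v in mpis:
        body += mpi(v)
    return body


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 2440 11.2: SHA-1 over 0x99, the 2-octet body length and the body.
    0x99 is the old-format tag octet for packet tag 6 with a 2-octet length."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def hex_fingerprint(fpr: bytes) -> str:
    """The familiar display form: 40 hex digits in groups of four."""
    h = fpr.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


# Constructed placeholder word lists with the shape of PGP's biometric word
# list: one 256-entry list for even byte positions, another for odd ones.
# The real lists live in the PGP documentation and are not reproduced here.
EVEN_WORDS = [f"even{i:02x}" for i in range(256)]
ODD_WORDS = [f"odd{i:02x}" for i in range(256)]


def to_words(fpr, even, odd):
    """Map each fingerprint byte to a word, alternating between the two lists."""
    return [(even if i % 2 == 0 else odd)[b] for i, b in enumerate(fpr)]


def from_words(words, even, odd):
    """Inverse mapping. Because the lists alternate, a dropped or repeated word
    lands in the wrong list and is rejected rather than silently shifting bytes."""
    even_idx = {w.lower(): i for i, w in enumerate(even)}
    odd_idx = {w.lower(): i for i, w in enumerate(odd)}
    out = bytearray()
    for i, w in enumerate(words):
        expected, other = (even_idx, odd_idx) if i % 2 == 0 else (odd_idx, even_idx)
        key = w.lower()
        if key in expected:
            out.append(expected[key])
        elif key in other:
            raise ValueError(f"word {i} ({w!r}) belongs to the other list: "
                             "a word was dropped or duplicated")
        else:
            raise ValueError(f"unknown word {w!r}")
    return bytes(out)


def decode_error(words, even, odd):
    """Return the decode error message, or None if the words encode a fingerprint."""
    try:
        from_words(words, even, odd)
    except ValueError as e:
        return str(e)
    return None


# Constructed sample key (not a real key): small RSA-shaped MPIs, creation
# time 0x37830000 (July 1999), algorithm id 1 = RSA.
SAMPLE_BODY = v4_public_key_body(0x37830000, 1, [0xC0FFEE1234567891, 65537])
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)
SAMPLE_WORDS = to_words(SAMPLE_FPR, EVEN_WORDS, ODD_WORDS)

if __name__ == "__main__":
    print(hex_fingerprint(SAMPLE_FPR))
    print(" ".join(SAMPLE_WORDS))
    # Reading the words with the first one missing is caught, not mis-decoded.
    print(decode_error(SAMPLE_WORDS[1:], EVEN_WORDS, ODD_WORDS))
```

The alternating-list check is the reason a two-list design carries more than the hex string does when read aloud: a single-list encoding would decode a dropped or repeated word into a different, still well-formed fingerprint, whereas here the parity mismatch surfaces at the point of the error.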