Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys
2014-03-15 00:26:57
On 03/15/2014 01:03 AM, Daniel Kahn Gillmor wrote:
> On 03/14/2014 07:42 PM, Vincent Yu wrote:
>> On 03/14/2014 10:38 AM, Daniel Kahn Gillmor wrote:
>>> Guidance would also be useful for implementations processing (or
>>> generating) ring signatures that were made by one of a set of keys where
>>> some of those keys appear to be expired or revoked. (i haven't thought
>>> this use case through in sufficient detail, but i could see
>>> implementations getting tripped up here or behaving in wildly divergent
>>> ways if there is no clear guidance)
>> I think a good general recommendation here would be to look at each
>> public key individually and output the same warnings and errors that
>> would be output if this were a standard signature. Are there significant
>> issues that you see with this?
> i'm just imagining a troubling use case in terms of UI (maybe it isn't
> an issue):
> Alice and Bob have keys; Alice decides she wants to frame Bob. Alice
> makes a ring signature with her key and with Bob's key at time T over a
> document that is particularly terrible. She then sets her computer's
> clock back to time T-1 and expires or revokes her own key.
> Carol comes along and checks the signature on the terrible document.
> her OpenPGP implementation says "this signature was made by either Alice
> or Bob, but Alice's key was expired/revoked"
> If Carol is naive, the implication she might take away from such a UI is
> that Alice couldn't have made the signature, therefore it must have been
> Bob that said the terrible thing.
> I don't know how to clarify the UI to avoid giving that impression.
> --dkg
Hm. Yes, scenarios like that sound like they can confuse the typical
user and possibly lead to incorrect conclusions. It seems like it would
be prudent for implementations to issue conspicuous errors when any
aspect of a ring signature fails to verify, and to warn the user against
drawing any conclusion other than the fact that the ring signature did
not verify correctly.
But at the end of the day, the security of the scheme and the behavior
of the implementation don't matter if users misuse them... A possibly
more important thing to do is to provide easy-to-read references that
users can look up. If ring signatures ever get implemented in GnuPG (or
elsewhere), we should take care to write up clear and concise
explanations for end users. (This is a difficult task.)
Vincent
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp