On Mar 14, 2014, at 10:03 PM, Daniel Kahn Gillmor
<dkg(_at_)fifthhorseman(_dot_)net> wrote:
> i'm just imagining a troubling use case in terms of UI (maybe it isn't
> an issue):
>
> Alice and Bob have keys; Alice decides she wants to frame Bob. Alice
> makes a ring signature with her key and with Bob's key at time T over a
> document that is particularly terrible. She then sets her computer's
> clock back to time T-1 and expires or revokes her own key.
>
> Carol comes along and checks the signature on the terrible document.
> her OpenPGP implementation says "this signature was made by either Alice
> or Bob, but Alice's key was expired/revoked"
>
> If Carol is naive, the implication she might take away from such a UI is
> that Alice couldn't have made the signature, therefore it must have been
> Bob that said the terrible thing.
>
> I don't know how to clarify the UI to avoid giving that impression.

I confess that I don't see it as an issue.

There's part of me that wants to say ironically, "Well, I guess we shouldn't do
it, then!" But I don't want to be dismissive of your point.

But I would also say that a lot of what you're saying is just hard to do --
like revocation. Revocation doesn't work and *can't* work the way one might
naively expect it. The situation you describe exists today in a slightly
mutated form. Here's an example:

Bob is a politician and wants to repudiate a previous position he used to have,
so he sets his clock back, revokes his own key and then claims that all the
signatures made after that date come from his computer having been hacked back
in the day.

It's really the same problem, just with a one-person variety. It boils down to
the fact that revocation doesn't really work, beyond trivial cases.

Now on the other hand, ages ago, we discussed ring signatures, and a use case
that I wanted to do was to make it so that whenever Alice sends Bob a signed
email or other casual message, she would (could?) sign it with a ring signature
of her key and Bob's. Bob knows that he didn't sign it so he knows that Alice
did.

Of course, it's one of those things that are cool, and yet it's hard to say
what it actually does to improve anything.

Jon
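
The two-key ring signature discussed in this message, as an added example that is not part of the original thread and is not an OpenPGP format: a Schnorr-style ring signature in the manner of Abe, Ohkubo and Suzuki, showing that a signature by either member verifies the same way and that verification takes no key-status input. The group parameters, function names and message encoding are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption, not from the thread): integers
# modulo the Mersenne prime 2**521 - 1, with exponents reduced modulo P - 1.
# A real implementation would use a standard prime-order group or curve.
P = 2**521 - 1
N = P - 1
G = 3

def keygen():
    """Return (secret, public) for one ring member."""
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)

def _challenge(message, ring, commitment):
    """Hash the message, the full ring and one commitment to an exponent."""
    h = hashlib.sha256(message)
    for value in (*ring, commitment):
        h.update(value.to_bytes(66, "big"))
    return int.from_bytes(h.digest(), "big")

def ring_sign(message, ring, signer, secret):
    """Sign as ring[signer]; the output does not record which index signed."""
    n = len(ring)
    e, r = [0] * n, [0] * n
    k = secrets.randbelow(N - 1) + 1
    i = (signer + 1) % n
    e[i] = _challenge(message, ring, pow(G, k, P))
    while i != signer:
        # Simulate every other member with a random response.
        r[i] = secrets.randbelow(N)
        commitment = pow(G, r[i], P) * pow(ring[i], e[i], P) % P
        i = (i + 1) % n
        e[i] = _challenge(message, ring, commitment)
    # Only a holder of ring[signer]'s secret key can close the ring.
    r[signer] = (k - secret * e[signer]) % N
    return e[0], r

def ring_verify(message, ring, signature):
    """Accept iff the challenge chain closes; nothing identifies the signer."""
    e0, r = signature
    if len(r) != len(ring):
        return False
    e = e0
    for y, ri in zip(ring, r):
        e = _challenge(message, ring, pow(G, ri, P) * pow(y, e, P) % P)
    return e == e0
```

A verifier such as Carol learns only that some ring member signed; Bob, knowing he did not, can conclude it was Alice, but cannot prove that to anyone else.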