Re: [openpgp] Proposal for a separable ring signature scheme compatible

On Sat, Mar 15, 2014 at 8:33 PM, Nicholas Cole 
<nicholas(_dot_)cole(_at_)gmail(_dot_)com> wrote:
> On Saturday, 15 March 2014, Jon Callas <jon(_at_)callas(_dot_)org> wrote:
> > On Mar 14, 2014, at 10:03 PM, Daniel Kahn Gillmor 
> > <dkg(_at_)fifthhorseman(_dot_)net>
> > wrote:
> >
> > > i'm just imagining a troubling use case in terms of UI (maybe it isn't
> > > an issue):
> > >
> > > Alice and Bob have keys; Alice decides she wants to frame Bob.  Alice
> > > makes a ring signature with her key and with Bob's key at time T over a
> > > document that is particularly terrible.  She then sets her computer's
> > > clock back to time T-1 and expires or revokes her own key.
> > >
> > > Carol comes along and checks the signature on the terrible document.
> > > her OpenPGP implementation says "this signature was made by either Alice
> > > or Bob, but Alice's key was expired/revoked"
> > >
> > > If Carol is naive, the implication she might take away from such a UI is
> > > that Alice couldn't have made the signature, therefore it must have been
> > > Bob that said the terrible thing.
> > >
> > > I don't know how to clarify the UI to avoid giving that impression.
> > I confess that I don't see it as an issue.
> >
> > There's part of me that wants to say ironically, "Well, I guess we
> > shouldn't do it, then!" But I don't want to be dismissive of your point.
> >
> > But I would also say that a lot of what you're saying is just hard to do
> > -- like revocation. Revocation doesn't work and *can't* work the way one
> > might naively expect it. The situation you describe exists today in a
> > slightly mutated form. Here's an example:
> >
> > Bob is a politician and wants to repudiate a previous position he used to
> > have, so he sets his clock back, revokes his own key and then claims that
> > all the signatures made after that date come from his computer having been
> > hacked back in the day.
>
> That is an interesting 'attack' on your own key. Never rely on the date of a
> revocakation signature is obvious when you think about it.  It does make you
> wonder if signature packets like this should have dates at all.  They make
> everything much more complicated in some ways...
>
>
> > It's really the same problem, just with a one-person variety. It boils
> > down to the fact that revocation doesn't really work, beyond trivial cases.
> >
> > Now on the other hand, ages ago, we discussed ring signatures, and a use
> > case that I wanted to do was to make it so that whenever Alice sends Bob a
> > signed email or other casual message, she would (could?) sign it with a ring
> > signature of her key and Bob's. Bob knows that he didn't sign it so he knows
> > that Alice did.
> >
> > Of course, it's one of those things that are cool, and yet it's hard to
> > say what it actually does to improve anything.
>
> It also breaks the metaphor of a 'signature' too: the signatures we
> currently have work in a very similar way to the ideal real-world signature.
> This type of signature doesn't: it is a signature only specific people can
> verify, or rather, a signature that could have been made by any one of a
> number of people. The problem might then become proving you were *not* the
> person who made it, rather than the person who did, and proving a negative
> is impossible. I think for that reason I'm not sure would welcome it being
> added to gpg.  "Yes, that is a signature that I could have made, but I
> didn't" is not an easy position...
And thinking about it even further, it compounds a problem that
someone (was it you, Jon?) has written about in the past.  Even though
we all know that key UIDs can be signed by complete strangers, users
are *often* disconcerted by this fact (which is why there is a
no-modifier flag, even if keyservers have never respected it and even
if it would make the use of OpenPGP even more complicated).  Still, a
naive user of an OpenPGP program may draw incorrect inferences about
social relationships from UID signatures.  Imagine the outcry of users
if they discovered that documents were in the wild that 'might' have
been signed by them...

N.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp