ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

2014-03-15 16:41:02
from [Vincent Yu] [Permanent Link] 
On 03/15/2014 04:40 PM, Nicholas Cole wrote:

On Sat, Mar 15, 2014 at 8:33 PM, Nicholas Cole 
<nicholas(_dot_)cole(_at_)gmail(_dot_)com> wrote:



On Saturday, 15 March 2014, Jon Callas <jon(_at_)callas(_dot_)org> wrote:

Now on the other hand, ages ago, we discussed ring signatures, and a use
case that I wanted to do was to make it so that whenever Alice sends Bob a
signed email or other casual message, she would (could?) sign it with a ring
signature of her key and Bob's. Bob knows that he didn't sign it so he knows
that Alice did.

Of course, it's one of those things that are cool, and yet it's hard to
say what it actually does to improve anything.



It also breaks the metaphor of a 'signature' too: the signatures we
currently have work in a very similar way to the ideal real-world signature.
This type of signature doesn't: it is a signature only specific people can
verify, or rather, a signature that could have been made by any one of a
number of people. The problem might then become proving you were *not* the
person who made it, rather than the person who did, and proving a negative
is impossible. I think for that reason I'm not sure would welcome it being
added to gpg.  "Yes, that is a signature that I could have made, but I
didn't" is not an easy position...


And thinking about it even further, it compounds a problem that
someone (was it you, Jon?) has written about in the past.  Even though
we all know that key UIDs can be signed by complete strangers, users
are *often* disconcerted by this fact (which is why there is a
no-modifier flag, even if keyservers have never respected it and even
if it would make the use of OpenPGP even more complicated).  Still, a
naive user of an OpenPGP program may draw incorrect inferences about
social relationships from UID signatures.  Imagine the outcry of users
if they discovered that documents were in the wild that 'might' have
been signed by them...

N.
This reminds me that I used the name "signer-ambiguous signature" in some of the early drafts of my proposal. This name concisely describes the most important property of ring signatures. Now that I think about it, that is a much better name than "ring signature" for implementations to present to their end users.
"Signer-ambiguity" was coined by Rivest et al. to describe ring signatures in their seminal paper in 2001, so it's well-connected to the concept of ring signatures in the literature.
Unless there are severe objections, I will modify the proposal to use the phrase "signer-ambiguous signature" to refer generally to the signatures produced by the scheme, and use "ring signature" only as technical term for the specific scheme that was chosen to provide signer-ambiguity. 

Vincent

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys, Nicholas Cole
Next by Date:  Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys, Nicholas Cole
Previous by Thread:  Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys, Nicholas Cole
Next by Thread:  Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys, Nicholas Cole
Indexes:  [Date] [Thread] [Top] [All Lists]