ietf-openpgp

Re: [openpgp] Keyholder-configurable fingerprint schemes?

2015-11-08 05:18:58

If the author of the signature scheme wants to protect against the attack, then fine. I'm not sure it is worth the effort myself, but I think the author of the scheme should be given leeway to predict the future for the next 20 years and take their best shot at it. Go for it.


On 7/11/2015 03:31 am, Bryan Ford wrote:

> 2. A “memory-hard” salted-hash scheme, such as the Argon2 scheme to be used for passphrase hashing.
> Memory-hardness would be nice to achieve, but schemes like Argon2 may not be directly realistic in this context, because
> password-hashing schemes such as this by design take a lot of work both at creation *and* verification time, and we
> probably don’t want to impose seconds-long delays on (say) importing someone’s key into my keyring and
> verifying its consistency. It might not be completely a non-starter provided those delays *only* occur during key-import
> and not every time I touch or use the key for any purpose, but it would still be a downer. Are there
> “memory-hard-to-create, but quick-to-verify” PoW schemes that might be worth considering?

That.  If we're adding Argon2 then let's use it for every applicable case.

Sure there might be other better ones, but adding new algorithms to achieve marginal benefits on paper results in developers having to code new stuff up and implementations having to bloat and potentially not fit in tight places. Both of these costs will cause multiplier effects that lose us far more users. Lost users are a security breach. We'll lose far more security in bloat and developer cost than we're ever likely to gain by this PoW work feature.


> At any rate, independent of these varying possible approaches to fingerprint PoWs, I
> feel like at least the first approach above that Christian suggested (simple PoW)
> seems practical, offers a nice parametrizable strengthening against prefix attacks,
> and doesn’t violate the essential consistency issue that users should need to
> deal with only one fingerprint *per keypair*. And if we were careful in specifying
> how the fingerprint-generation and fingerprint-validation mechanism works, we could
> easily leave the door open to different, further strengthened (and perhaps
> user-selectable) fingerprint protection mechanisms later. Thoughts?


From where I sit in my armchair, I'd frown against it. But I'd not vote against the author of the ciphersuite if they want it.



iang

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp