On Apr 6, 2016, at 7:39 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:
> I don't get it. What problem are you trying to solve? Along with the previous
> note -- the fingerprint is in fact merely a hash of the key. It's a handle
> you can use in a database to identify the key with a fixed string. That's it.
The problem is that one of the most common uses of fingerprints in practice is
to verify consistency.

A lot of the people I meet at conferences who use PGP at all tend to put their
PGP key fingerprint on their business card. People also put their PGP key
fingerprints on their websites, etc. Given the general unusability of the
“web-of-trust” model as originally envisioned and the lack of any better form
of effective PKI in the PGP ecosystem, this casual fingerprint verification
often tends to be “the best we can do” in terms of actually ensuring that you
have the key you think you have.

But when eyeball-verifying a fingerprint, how many people really look/compare
beyond the first 10 digits or so? Whether mentally or verbally, we’re all
tempted just to say, “oh yeah, that’s the fingerprint that starts with …” and
assume we’re done.

Which leaves a huge attack vulnerability, at least in principle (although I
don’t know if it’s actually happened in practice). Someone who wants to pass
themselves off as me can simply spend a bit of time mining for a new PGP key
whose fingerprint matches mine, or yours, in the first 10 digits or so, and
perhaps the last few as well. They post their key with my E-mail address on
one or more PGP key servers, and people download it and assume it’s my key
because it “looks like” the fingerprint on my business card or web site in the
first and/or last digits, the only ones they actually look at. They might not
be able to fool everyone that way, but still it seems like a pretty serious
concern.

The whole idea of providing some form of “mining-resistance” in a fingerprint
scheme is to enable the key-owner to invest some effort at key-creation time,
to ensure that any attacker who wants to try to mine for a key with a
similar-looking fingerprint will have to invest a *lot* more time and effort,
not just a little.

Does this make sense?

B
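As an added illustration (not code from this thread or from any OpenPGP implementation), the Python below compares v4 fingerprints the way a careful verifier should, flags the prefix-and-suffix "lookalike" case the post warns about, and puts numbers on the work asymmetry a mining-resistant scheme is meant to create. The fingerprints are constructed, and the per-key work factor `owner_work_bits` is an assumed, illustrative model, not the scheme discussed on the list.

```python
import re

FP_HEX_LEN = 40  # OpenPGP v4 fingerprints are 160-bit SHA-1 values: 40 hex digits

# Constructed sample values: the second shares the first 10 and last 4 hex digits
# of the first, which is all a casual "starts with ..." check ever looks at.
EXPECTED_FP = "1234 5678 9ABC DEF0 1122 3344 5566 7788 99AA BBCC"
LOOKALIKE_FP = "1234 5678 9A00 0000 0000 0000 0000 0000 0000 BBCC"


def normalize_fingerprint(text):
    """Strip spaces/colons, an optional 0x prefix and letter case so that two
    renderings of the same fingerprint compare equal; reject anything that is
    not exactly 40 hex digits."""
    digits = re.sub(r"[\s:]", "", text.strip())
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    digits = digits.upper()
    if len(digits) != FP_HEX_LEN or not re.fullmatch(r"[0-9A-F]+", digits):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return digits


def classify_match(expected, presented, prefix_digits=10, suffix_digits=4):
    """Return 'full' when every digit agrees, 'lookalike' when only the parts an
    eyeball check covers agree (the case to refuse), else 'mismatch'."""
    a, b = normalize_fingerprint(expected), normalize_fingerprint(presented)
    if a == b:
        return "full"
    if a[:prefix_digits] == b[:prefix_digits] and a[-suffix_digits:] == b[-suffix_digits:]:
        return "lookalike"
    return "mismatch"


def mining_costs(matched_hex_digits, owner_work_bits=0):
    """Expected hash evaluations for an impostor to match `matched_hex_digits`
    hex digits of a uniformly distributed fingerprint (16 ** n candidate keys),
    versus the one-off cost the legitimate owner pays. `owner_work_bits` is an
    assumed model in which every candidate key costs 2 ** owner_work_bits extra
    hashes: the owner pays it once, the miner pays it for every candidate."""
    per_key = 2 ** owner_work_bits
    return {"owner_cost": per_key, "attacker_cost": (16 ** matched_hex_digits) * per_key}


if __name__ == "__main__":
    print(classify_match(EXPECTED_FP, LOOKALIKE_FP))  # lookalike
    print(mining_costs(14, owner_work_bits=20))
```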
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp