ietf-openpgp

Re: [openpgp] Mining protection in fingerprint schemes

2016-04-07 18:36:15

On Apr 7, 2016, at 7:55 AM, Bryan Ford <brynosaurus(_at_)gmail(_dot_)com> 
wrote:



On Apr 6, 2016, at 7:39 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:

I don't get it. What problem are you trying to solve? Along with the 
previous note -- the fingerprint is in fact merely a hash of the key. It's a 
handle you can use in a database to identify the key with a fixed string. 
That's it.

The problem is that one of the most common uses of fingerprints in practice 
is to verify consistency.

A lot of the people I meet at conferences who use PGP at all tend to put 
their PGP key fingerprint on their business card.  People also put their PGP 
key fingerprints on their websites, etc.  Given the general unusability of 
the “web-of-trust” model as originally envisioned and the lack of any better 
form of effective PKI in the PGP ecosystem, this casual fingerprint 
verification often tends to be “the best we can do” in terms of actually 
ensuring that you have the key you think you have.

But when eyeball-verifying a fingerprint, how many people really look/compare 
beyond the first 10 digits or so?  Whether mentally or verbally, we’re all 
tempted just to say, “oh yeah, that’s the fingerprint that starts with …” and 
assume we’re done.

Which leaves a huge attack vulnerability, at least in principle (although I 
don’t know if it’s actually happened in practice).  Someone who wants to pass 
themselves off as me can simply spend a bit of time mining for a new PGP key 
whose fingerprint matches mine, or yours, in the first 10 digits or so, and 
perhaps the last few as well.  They post their key with my E-mail address on 
one or more PGP key servers, and people download it and assume it’s my key 
because it “looks like” the fingerprint on my business card or web site in 
the first and/or last digits, the only ones they actually look at.  They 
might not be able to fool everyone that way, but still it seems like a pretty 
serious concern.

The whole idea of providing some form of “mining-resistance” in a fingerprint 
scheme is to enable the key-owner to invest some effort at key-creation time, 
to ensure that any attacker who wants to try to mine for a key with a 
similar-looking fingerprint will have to invest a *lot* more time and effort, 
not just a little.

Does this make sense?

I believe I understand you.

You're complexifying key creation for a hypothetical, movie-plot attack.

        Jon


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
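
An added example, not part of the original thread or of any OpenPGP implementation: a Python check that compares two fingerprints over every digit and flags the case discussed above, where a key agrees with the trusted fingerprint only in its leading and trailing digits. The fingerprints are constructed sample values, and the function names and the 8-digit `eyeball` threshold are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Result:
    verdict: str      # "match", "lookalike" or "mismatch"
    prefix: int       # leading hex digits in common
    suffix: int       # trailing hex digits in common
    mined_bits: int   # bits an impostor key would have had to match

def normalize(fpr: str) -> str:
    """Drop spaces and colons, upper-case, and require pure hex."""
    s = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError("fingerprint is not hexadecimal")
    return s

def _common(a: str, b: str) -> int:
    """Length of the shared prefix of a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def compare(trusted: str, candidate: str, eyeball: int = 8) -> Result:
    """Compare every digit; flag keys that only agree where people look."""
    t, c = normalize(trusted), normalize(candidate)
    if t == c:
        return Result("match", len(t), len(t), 0)
    if len(t) != len(c):
        return Result("mismatch", 0, 0, 0)
    pre, suf = _common(t, c), _common(t[::-1], c[::-1])
    # Each matching hex digit is 4 bits of search work for the impostor.
    verdict = "lookalike" if pre + suf >= eyeball else "mismatch"
    return Result(verdict, pre, suf, 4 * (pre + suf))

# Constructed sample fingerprints (not real keys).
CARD = "8F3A 1C7E 2B90 D4A6 51E0  7C2D 9B44 0A1F 6E35 C8D2"
SAME = "8f3a1c7e2b90d4a651e07c2d9b440a1f6e35c8d2"
FAKE = "8F3A 1C7E 2B17 93F0 A4C8  15DE 60B2 7793 D05A C8D2"
OTHER = "D02B 66A1 9E44 07F3 C558  1B2A 6D90 E773 4F1C A086"

if __name__ == "__main__":
    for name, fpr in (("SAME", SAME), ("FAKE", FAKE), ("OTHER", OTHER)):
        print(name, compare(CARD, fpr))
```

A "lookalike" verdict is the signal worth alerting on: the candidate is not the trusted key, yet it agrees in more of the digits people actually read than chance would explain.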