Date: Thu, 7 Apr 2016 16:36:09 -0700
> On Apr 7, 2016, at 7:55 AM, Bryan Ford <brynosaurus(_at_)gmail(_dot_)com> wrote:
>
>> On Apr 6, 2016, at 7:39 PM, Jon Callas <jon(_at_)callas(_dot_)org> wrote:
>>
>> I don't get it. What problem are you trying to solve. Along with the previous note -- the fingerprint is in fact merely a hash of the key. It's a handle you can use in a database to identify the key with a fixed string. That's it.
>
> The problem is that one of the most common uses of fingerprints in practice is to verify consistency.
>
> A lot of the people I meet at conferences who use PGP at all tend to put their PGP key fingerprint on their business card. People also put their PGP key fingerprints on their websites, etc. Given the general unusability of the "web-of-trust" model as originally envisioned and the lack of any better form of effective PKI in the PGP ecosystem, this casual fingerprint verification often tends to be "the best we can do" in terms of actually ensuring that you have the key you think you have.
>
> But when eyeball-verifying a fingerprint, how many people really look/compare beyond the first 10 digits or so? Whether mentally or verbally, we're all tempted just to say, "oh yeah, that's the fingerprint that starts with …" and assume we're done.
>
> Which leaves a huge attack vulnerability, at least in principle (although I don't know if it's actually happened in practice). Someone who wants to pass themselves off as me can simply spend a bit of time mining for a new PGP key whose fingerprint matches mine, or yours, in the first 10 digits or so, and perhaps the last few as well. They post their key with my E-mail address on one or more PGP key servers, and people download it and assume it's my key because it "looks like" the fingerprint on my business card or web site in the first and/or last digits, the only ones they actually look at. They might not be able to fool everyone that way, but still it seems like a pretty serious concern.
>
> The whole idea of providing some form of "mining-resistance" in a fingerprint scheme is to enable the key-owner to invest some effort at key-creation time, to ensure that any attacker who wants to try to mine for a key with a similar-looking fingerprint will have to invest a *lot* more time and effort, not just a little.
>
> Does this make sense?
I believe I understand you.
You're complexifying key creation for a hypothetical, movie-plot attack.
Jon
Millions of people every year are victims of fake business card attacks.
I read that somewhere.
Hilarie
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
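
An added example, not part of the thread and not any participant's code: a verifier-side check that compares every digit of a fingerprint and flags a downloaded key that agrees with the trusted one only in its leading and trailing digits, the look-alike case the thread discusses. The function names, the `lookalike_digits` threshold and the sample fingerprints are assumptions constructed for illustration.

```python
import hmac

HEX = set("0123456789ABCDEF")

def normalize(fp: str) -> str:
    """Drop spaces/colons and upper-case a hex fingerprint."""
    cleaned = "".join(fp.replace(":", " ").split()).upper()
    if not cleaned or not set(cleaned) <= HEX:
        raise ValueError("fingerprint must be hexadecimal")
    return cleaned

def shared_run(a: str, b: str) -> int:
    """Number of leading characters on which a and b agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def check_fingerprint(trusted: str, candidate: str, lookalike_digits: int = 8) -> dict:
    """Compare every digit; flag keys that agree only at the ends.

    lookalike_digits is an assumed threshold, not a value from the thread.
    """
    t, c = normalize(trusted), normalize(candidate)
    if len(t) == len(c) and hmac.compare_digest(t, c):
        return {"verdict": "match", "prefix": len(t), "suffix": len(t), "bits": 4 * len(t)}
    if len(t) != len(c):
        return {"verdict": "mismatch", "prefix": 0, "suffix": 0, "bits": 0}
    prefix = shared_run(t, c)
    suffix = shared_run(t[::-1], c[::-1])
    # Each agreeing hex digit is 4 bits that would not line up by accident:
    # agreement on k digits occurs once in about 16**k random keys.
    verdict = "lookalike" if prefix + suffix >= lookalike_digits else "mismatch"
    return {"verdict": verdict, "prefix": prefix, "suffix": suffix, "bits": 4 * (prefix + suffix)}

# Constructed sample values (not real keys).
CARD = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
SAME = "0123456789abcdef0123456789abcdef01234567"
NEAR = "0123 4567 89FF FFFF FFFF FFFF FFFF FFFF FFFF 4567"
OTHER = "F" * 40

if __name__ == "__main__":
    for name, fp in [("same", SAME), ("near", NEAR), ("other", OTHER)]:
        print(name, check_fingerprint(CARD, fp))
```

A "lookalike" verdict means the candidate shares far more end digits with the trusted fingerprint than chance would produce, so it should be treated as a different key that warrants investigation rather than as a typo.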