ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] Should fingerprints be "key-canonical"?

2016-04-09 14:09:56
from [Daniel Kahn Gillmor] [Permanent Link] 
On Sat 2016-04-09 00:07:33 -0400, Jon Callas <jon(_at_)callas(_dot_)org> wrote:

Right now, we know that for every fingerprint there is a key (modulo
hash collisions), but a key can have many fingerprints. Why to we want
to change it so that there's one-to-one correspondence between keys
and fingerprints? This sounds to me like it's vaguely
surveillance-friendly.


i think if people want messages to be sent to different fingerprints, we
should be encouraging them to have different keys entirely, no?


On Apr 8, 2016, at 8:15 PM, Daniel Kahn Gillmor 
<dkg(_at_)fifthhorseman(_dot_)net> wrote:

Anyone who has the keys for alice(_at_)example(_dot_)com and 
jobs(_at_)example(_dot_)com can
tell that these are the same keys, and can just join them in their
linkability/trackability database.

Furthermore, it introduces additional management problems for Alice; if
she loses control of the secret key material, she now has to ensure that
she's generated a revocation certificate for each "flavor" of it,
because the revocations are bound to the same material that the
fingerprint is bound to.


So? The reason to break the binding between key material and a certificate is 
so that there's no binding.


if the goal is to break the binding between the key material and the
identity information in the certificate, the right OpenPGP mechanism is
to revoke the User ID, not to revoke the primary key.

The use case i described was an attempt to revoke the primary key
entirely.


Actually -- this sounds like as much a reason to salt it. There are
more reasons to revoke than loss of key material, and this means that
revocation is even less useful.


If the primary goal of key revocation is to render a key permanently
unusuable, then it would be good to be very clear about that, and not
have too many other things that it might mean.

I'm leaning in the direction that if you want to "retire" a key without
revoking it, you should do so by setting the expiration date to "now",
and not by publishing a revocation at all.  That way, direct key
revocations are less complex to reason about, because they mean exactly
one thing.

            --dkg

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Mining protection in fingerprint schemes, Bryan Ford
Next by Date:  Re: [openpgp] Should fingerprints be "key-canonical"?, KellerFuchs
Previous by Thread:  Re: [openpgp] Should fingerprints be "key-canonical"?, Jon Callas
Next by Thread:  Re: [openpgp] Should fingerprints be "key-canonical"?, KellerFuchs
Indexes:  [Date] [Thread] [Top] [All Lists]