ietf-openpgp

Re: [openpgp] Should fingerprints be "key-canonical"?

2016-04-09 18:04:13
I will avoid re-hashing points that dkg already made.

On Fri, Apr 08, 2016 at 09:07:33PM -0700, Jon Callas wrote:

On Apr 8, 2016, at 8:15 PM, Daniel Kahn Gillmor 
<dkg(_at_)fifthhorseman(_dot_)net> wrote:

What is the utility here, specifically?

I appreciate making tracking/linkability harder as a goal, but i'm not
convinced that this achieves that purpose.

PGP 3 and thus OpenPGP threw the creation time in there as a quickie salt. I 
didn't do it. I don't know the full reasons. 

I originally thought this was dumb. I got turned around, and believe that 
salting the hash is a good thing. I know that I have used this property so 
that I can re-use key material, but it's not the total reason.

I can think of a bunch of half-assed things someone can do with key-canonical 
fingerprints if they are, say, the NSA. Nothing that's an attack, but just 
stuff.

Given that the NSA can easily keep around a database of all public
  keys and fingerprints they have observed, I would like to know
  what is that hand-wavy “just stuff”.

Moreover, what would be the purpose of reusing the same key material?

If anything, I think that salting the hash ought to be with more than the 
timestamp. But really, I'd keep the fingerprint computation the same, just 
with a more modern algorithm than SHA-1. The problem we're trying to solve is 
that SHA-1 is old. I like to change only one knob at a time.

Which purpose does the “salt” serve here?  It doesn't make it harder
  to find keys with a similar-looking fingerprint, at least...


Most of all, I think that semantic properties like this shouldn't change 
without a reason. At present, there are uses, questionable as they are, for 
this, and why break it just because?

Right now, we know that for every fingerprint there is a key (modulo hash 
collisions), but a key can have many fingerprints. Why do we want to change 
it so that there's one-to-one correspondence between keys and fingerprints? 
This sounds to me like it's vaguely surveillance-friendly.

Again, please make this explicit.


Best,

  kf

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
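
The property debated in this message, that one key can have many fingerprints because the creation time is hashed in, shown as an added example (not code from the thread or from any OpenPGP implementation). It follows the V4 fingerprint layout of RFC 4880 section 12.2; the toy RSA values, the timestamps and the `key_canonical_fingerprint` sketch (SHA-256 over algorithm and key material only) are assumptions made for illustration.

```python
import hashlib
import struct

RSA_ALGO_ID = 1  # RSA (Encrypt or Sign) in RFC 4880


def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet body: version, creation time, algo, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA_ALGO_ID]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, two-octet body length, then the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def v4_key_id(body: bytes) -> str:
    """The V4 key ID is the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(body)[-16:]


def key_canonical_fingerprint(n: int, e: int) -> str:
    """Hypothetical sketch only: hash algorithm + key material, no creation time."""
    return hashlib.sha256(bytes([RSA_ALGO_ID]) + mpi(n) + mpi(e)).hexdigest().upper()


# Constructed toy values: not a usable RSA key, just fixed key material.
N = (2**127 - 1) * (2**89 - 1)
E = 65537
CREATED_A = 1460000000  # constructed timestamps (seconds since the epoch)
CREATED_B = 1460000001


def demo() -> dict:
    body_a = v4_public_key_body(CREATED_A, N, E)
    body_b = v4_public_key_body(CREATED_B, N, E)
    return {
        "v4_a": v4_fingerprint(body_a),   # same key material, timestamp A
        "v4_b": v4_fingerprint(body_b),   # same key material, timestamp B
        "canonical": key_canonical_fingerprint(N, E),  # independent of timestamp
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:10s} {value}")
```

Changing only the creation time yields an unrelated V4 fingerprint and key ID for identical key material, which is the many-to-one relationship the thread discusses; the timestamp-free variant maps each key to exactly one value.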