Peter,
Peter Gutmann <pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz> writes:
> Bryan Ford <brynosaurus(_at_)gmail(_dot_)com> writes:
>> DKG brought up the question of whether that octet-string should still
>> include the Unix timestamp like it currently does.
> Definitely not. What you want is a means of generating a unique lookup key
> (e.g. for a database or hash table) that locates a public key. By mixing a
> nonce, the timestamp, into the calculation, you lose the uniqueness, and in
> fact the locatability, because the search key is no longer just a hash of the
> public key but a hash of the public key and some other metadata that you may
> or may not have.
Other than Werner's use-case, when would you ever have the raw key
parameters without the metadata and need to generate a fingerprint from
it?
The use cases I can imagine are:
1) You receive a signed message and want to look up the signing public
key. In this case, you have the keyID/fingerprint in the signature
and look it up from there. Including the timestamp is okay.
2) You receive an encrypted message and want to see if you can decrypt
it. Again, in this case there is the keyID/fingerprint in the ESK
packet, so you can look up the key this way. Including the timestamp
is okay.
3) You have a smart card with raw key material and want to see which
OpenPGP keys are there. I'm not sure I completely understand this
use-case, but it's true that you don't have the metadata so cannot
easily include a timestamp and use that to generate a fingerprint to
look up the public key from the raw key material. But is this a real
use-case?
4) You receive a business card and want to verify the key using the
fingerprint. In this case you have the fingerprint and can use it to
look up the key.
*) Other use cases???
So frankly, except for #3 I don't see a use-case where you need to
derive a fingerprint without already having the OpenPGP certificate.
Ergo, including the timestamp (and other metadata) is Just Fine.
Indeed, not including the metadata opens you up to lots of other
cross-protocol issues. It means that if someone reuses the key material
then you cannot differentiate the original from the subsequent
certificate. E.g., if I take your certificate, extract the public key,
and then create a new certificate with different timing information on
it, then the fingerprints would be the same. Granted, existing
signatures would not work for the new certificate, but for a lookup
don't you want these to be considered unique certificates? I suppose
the counter-argument is that if the metadata is included an attacker
could duplicate that info, too, but then they are literally replicating
your existing key. That would be like someone taking your public key
certificate and adding their own userID to it. This is why we require
self-signatures.
> Peter.
-derek
--
Derek Atkins 617-623-3745
derek(_at_)ihtfp(_dot_)com www.ihtfp.com
Computer and Internet Security Consultant
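Added illustration of the lookup argument above (this is not code from the message, from Derek, or from any OpenPGP implementation): the Python below computes a version 4 fingerprint the way RFC 4880 section 12.2 describes it, as SHA-1 over the octet 0x99, a two-octet length, and the Public-Key packet body, whose first fields are the version, the four-octet creation time and the algorithm id, followed by the key MPIs. Beside it is a metadata-free hash over only the algorithm id and MPIs. The RSA modulus, the exponent and the two creation times are constructed sample values, and `index_certificates` is a hypothetical helper that builds the kind of lookup table the thread talks about. Indexing by the fingerprint that includes the creation time keeps the original certificate and a re-wrapped copy of the same key material as two entries; indexing by the raw key material collapses them into one.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then the big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def public_key_body(creation_time: int, algo: int, mpis: list) -> bytes:
    """Body of a version 4 Public-Key packet: version, creation time, algorithm id, key MPIs."""
    return (bytes([4]) + struct.pack(">I", creation_time) + bytes([algo])
            + b"".join(mpi(m) for m in mpis))

def v4_fingerprint(creation_time: int, algo: int, mpis: list) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the packet body."""
    body = public_key_body(creation_time, algo, mpis)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def raw_key_fingerprint(algo: int, mpis: list) -> str:
    """Metadata-free alternative discussed in the thread: hash only algorithm id and MPIs."""
    return hashlib.sha1(bytes([algo]) + b"".join(mpi(m) for m in mpis)).hexdigest().upper()

def index_certificates(certs, keyfunc):
    """Hypothetical lookup table: map each certificate's lookup key to the names filed under it."""
    table = {}
    for cert in certs:
        table.setdefault(keyfunc(cert), []).append(cert["name"])
    return table

RSA = 1  # public-key algorithm id for RSA (RFC 4880 section 9.1)

# Constructed sample key material (not a real key): a toy modulus and the usual exponent.
SAMPLE_N = 0xC0FFEE0DDBA11F00DBAADF00D15EA5EDFACEB00C
SAMPLE_E = 65537

# Two certificates carrying the same key material with different (constructed) creation times,
# i.e. the "extract the public key and re-wrap it" situation described in the message.
CERTS = [
    {"name": "original",   "time": 1_400_000_000, "algo": RSA, "mpis": [SAMPLE_N, SAMPLE_E]},
    {"name": "re-wrapped", "time": 1_500_000_000, "algo": RSA, "mpis": [SAMPLE_N, SAMPLE_E]},
]

def with_timestamp(cert) -> str:
    """Lookup key that includes the creation time (the v4 fingerprint)."""
    return v4_fingerprint(cert["time"], cert["algo"], cert["mpis"])

def without_timestamp(cert) -> str:
    """Lookup key over raw key material only."""
    return raw_key_fingerprint(cert["algo"], cert["mpis"])

if __name__ == "__main__":
    for label, keyfunc in (("with creation time", with_timestamp),
                           ("raw key only", without_timestamp)):
        print(label)
        for fp, names in index_certificates(CERTS, keyfunc).items():
            print(f"  {fp} -> {names}")
```

Running it prints two distinct fingerprints under "with creation time" and a single shared one under "raw key only", which is the cross-protocol point: a lookup keyed on raw key material cannot tell the original certificate from a later one built on the same key.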
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp