ietf-openpgp

Re: [openpgp] Fingerprint requirements for OpenPGP

2016-04-12 12:23:20
On Tue, Apr 12, 2016 at 10:32:47AM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2016-04-12 04:34:09 -0400, Vincent Breitmoser wrote:
>> Daniel Kahn Gillmor(dkg(_at_)fifthhorseman(_dot_)net)@Mon, Apr 11, 2016 at 08:40:22PM -0400:
>>> * it should be strong enough that we do not believe anyone can create a
>>>   key with a fingerprint that collides with another key's fingerprint
>>
>> Quite importantly, this should be "another *independent* key's
>> fingerprint", i.e. the requirement is preimage resistance, not
>> collision resistance.  Creating two keys with colliding fingerprints
>> is fine, at least no one could come up with an attack scenario where it
>> mattered.
>
> This clarification also matches my understanding.  Thanks for the
> precision, Vincent.

I think it is sane here to require collision resistance, because that's what
multi-target preimages devolve to: an attacker might not want to target
one specific key, but one amongst a large set of keys (say, the developers
of a popular software, or perhaps any “widely signed” key in the WoT).

In that case, the attacker gets a non-trivial speedup, and as the set of
targets grows larger, the hardness of the problem devolves into that of
finding a collision.

Moreover, collision resistance implies second-preimage resistance, and hash
functions are usually considered “broken” by cryptographers once there is
an attack for collisions, so it seems OK to be somewhat cautious here and
require collisions to be hard.

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
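
The multi-target argument in the reply above can be measured on a toy scale. The following is an added example, not part of the original message: it uses a 12-bit truncation of SHA-256 as a stand-in fingerprint and random byte strings as stand-in keys (all names and sizes are assumptions for illustration), and generalizes the point to the standard estimate of about 2^n / T work against T targets.

```python
import hashlib
import math
import random

BITS = 12  # toy fingerprint length (assumption); real fingerprints are 160+ bits

def toy_fpr(data: bytes, bits: int = BITS) -> int:
    """Truncated SHA-256, standing in for a key fingerprint function."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def random_key(rng: random.Random) -> bytes:
    """Constructed stand-in for key material: 16 random bytes."""
    return rng.getrandbits(128).to_bytes(16, "big")

def trials_until_hit(targets: set, rng: random.Random) -> int:
    """Hash fresh candidates until one matches ANY fingerprint in the target set."""
    trials = 0
    while True:
        trials += 1
        if toy_fpr(random_key(rng)) in targets:
            return trials

def mean_trials(num_targets: int, runs: int = 60, seed: int = 1) -> float:
    """Average work over several runs, each with a fresh set of target keys."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        targets = {toy_fpr(random_key(rng)) for _ in range(num_targets)}
        total += trials_until_hit(targets, rng)
    return total / runs

def effective_bits(fpr_bits: int, num_targets: int) -> float:
    """Expected work is about 2^n / T, i.e. n - log2(T) bits of security."""
    return fpr_bits - math.log2(num_targets)

if __name__ == "__main__":
    for t in (1, 8, 64):  # 64 = 2^(BITS/2), the birthday bound for 12 bits
        print(f"T={t:3d}  measured≈{mean_trials(t):7.0f}  "
              f"predicted≈{2 ** effective_bits(BITS, t):7.0f}")
    # Illustrative: a 160-bit fingerprint with 2^80 targets leaves ~80 bits
    print(effective_bits(160, 2 ** 80))
```

With a single target the measured work sits near 2^12; at 2^6 targets it drops to roughly 2^6, the same order as a birthday collision search on a 12-bit output.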