I just found an even more compelling use case for a single fingerprint
format. Let us say that we have the following entry in /etc/passwd (or
something equivalent):
jsmith:M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR:1001:1000:Joe
Smith,Room 1007,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/sh
OK, so we are still working within the clunky /etc/passwd format. But the
point is that we can put the fingerprint of a public key in the password
file. And that could then be used to validate all interactions with that
user:
* Single sign on tokens
* SSH login
* OpenPGP emails to/from system admins.
Now obviously, you probably wouldn't want to put an OpenPGP key in the
password file. But you might want to put the key that is used to sign a
policy statement describing the keys for all the above in that file. And
you might well want to use OpenPGP key format to do that.
On Mon, Sep 19, 2016 at 9:24 AM, Phillip Hallam-Baker
<phill(_at_)hallambaker(_dot_)com
wrote:
On Mon, Sep 19, 2016 at 6:36 AM, Thijs van Dijk
<schnabbel(_at_)inurbanus(_dot_)nl>
wrote:
On 17 September 2016 at 23:43, Phillip Hallam-Baker <
phill(_at_)hallambaker(_dot_)com> wrote:
The only thing that forces a change of VersionID is a change in digest
algorithm. Which is probably the thing that would lead to a V6 format
anyway.
That's a good point. In fact, I'll hazard a guess and say that that's
likely to be the only event to warrant a key version bump.
Yep, if it wasn't for the fact that we need to get rid of the issue time
and use SHA2 and Base32, maybe we wouldn't be doing it now. I hope
OpenPGPv6 won't need to rev the format.
I think we should kill fingerprints with a work factor of less than 2^92
as unsafe. No matter what, they just keep coming back and biting in
bad ways.
Fair enough.
At the other end of the spectrum, do you have any thoughts on what we can
consider the "full" fingerprint? This scheme has an implied maximum length
of 500 bits (the largest multiple of 25 less than 512+8). Apart from
specifying a minimum (100 bits), do you think we should make a
recommendation for what is an appropriate level of assurance? (E.g. 250
bits - 10 groups of 5 base32 characters, similar in size and grouping to V4
fingerprints.)
I think that for virtually all purposes, a 50+9 character (i.e. 2^242
work factor) fingerprint is sufficient. I don't see more being useful
unless you are really keen on keeping the full 256WF of AES-256.
This is a manageable length for configuration files (looking at you SSH).
So yesterday, I was working on a IoT project to develop a secure means of
controlling the garage door etc. on the house. The config file looks like:
Remote1 = M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
Remote2 = MF3WU-23FNR-VWU4L-XMVTG-Y23RN-J3WK3-DGNNY-XO3DL-MVTGU-3DLOF
...
In this case the remote is currently a Teensy 3.2 device ($12) that has a
32 bit processor and so I am using public key (cos I can). But I might well
want to use a Kerberos type approach and a cheaper CPU (Arduino Nano,
$1.30) instead. I can still use the same approach to authenticate and
authorize the remote.
Note that the configuration file does not need to specify the type of key
because that will be specified when the public portion of the key is
presented. Whether that is a Curve25529 key or a Kerberos ticket, the
message that presents the public key will specify what it is.
I could well see the same approach for SSH authorized_keys files. In fact
my project for this morning/week is to get something like this working:
mesh M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0KJDLOiiXj9XdMxiCT9Kv
... (5000 chars)..
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAywWhrwq4FjHt+UuwZcZ
... (5000 chars)..
The first lines is the actual trust anchor which is a fingerprint of a
master key of a mesh profile. This is a long term (100 year) key and is not
expected to change. The next two lines are keys that have been fetched from
the mesh and are the latest SSH keys for the two devices the user has
connected to that profile for SSH use.
The equivalent for OpenPGP would be to manually edit your keyring. In
this case Carol enters the following:
alice(_at_)example(_dot_)com M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-
RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
bob(_at_)example(_dot_)com MF3WU-23FNR-VWU4L-XMVTG
When a mail from Bob is received, the mail client updates its copy of the
keyring with the strengthened fingerprint:
alice(_at_)example(_dot_)com M5VWK-ZTIO5-WGWZL-GNRVX-OZLGN-
RVXOZ-LGNJW-GW53K-MVTGY-2LKNR
bob(_at_)example(_dot_)com
MF3WU-23FNR-VWU4L-XMVTG-Y23RN-J3WK3-DGNNY-XO3DL-MVTGU-
3DLOF
Apart from this, you'll be glad to know that I've kicked the tyres of this
proposal about all I can, and I like it a lot. Eagerly awaiting someone
else to chime in at this point.
Thanks for doing so.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp