ietf-openpgp
[Top] [All Lists]

Re: [openpgp] Summary v5 fingerprint proposal

2017-03-23 13:55:12

On Mar 23, 2017, at 9:49 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:

On Thu, 23 Mar 2017 15:00, tony(_at_)att(_dot_)com said:

I’m with Jon on this one – if you’re going to do truncation, then use
a scheme that’s DESIGNED to generate a truncated value. And the only
one that’s been discussed that meets that criteria is SHA2-512/t.

OpenPGP has always used a truncated hash for the keyid.  The change is
that with v5 we will use use the leftmost 64 bits instead of the
rightmost 64 bit.

I explained in the original proposal the reasons why truncating certain
uses of the fingerprint makes sense.

I don't have any objection to truncating the fingerprint to get the KeyID. The 
KeyID is merely a database key (as in key-value, not crypto) and has no 
security value. Implementations already need to consider the possibility that 
there could be a collision in the KeyID.


Jon's suggestion of using SHA2-512/t does not work: if we ever need to
switch to the full fingerprint for the two signature subpackets, we
would need to define a v6 key format because the fingerprint changes by
using a different t with SHA2-512/t.

You don't need a new format, you'd just specify the new fingerprint. You can 
consider SHA512/t to be a family of hashes of output 't'.

If you're mentioning using SHA512/64 for a key id — no, no, that's just 
unnecessary.


What we put into the signature subpackets is an abbreviation of the
fingerprint and this can be changed easily by introducing new signature
subpackets.  This would be the same as our migration from the /Issuer/
to the /Issuer Fingerprint/ subpacket.  This is an non-intrusive change
to fix the problems with the use of the 64 bit truncated fingerprint in
the /Issuer/ subpacket.

But I also find Derek’s desire to use SHA2-256 to be compelling because of 
performance.

Noted.

For the record, I don't object to using SHA-256. I observe that there are a set 
of cases where someone finds problems in SHA2 that would have a longer runway 
for replacement if we're using SHA-512, and *that* is either a bug or a feature 
since arguably once someone finds some actual problem in SHA-256 (e.g. of the 
sort that has plagued SHA-1 since 2004), that should be the event that leads to 
tossing all of SHA2.

 I also observe that the performance issue is real, but hardly fatal — small 
devices will be with us always and fingerprints can be computed once and cached 
no matter what. This is why I didn't bring up the counter-argument which is 
that ARM64 is already sub- one euro per core.

The real reason to use a wider hash is that every time we've compromised on 
security for the sake of small devices, it bites us in the ass. This will also 
bite us in the ass. It's a small bite in the grand scheme of things, but it's 
going to happen and it will be inconvenient.

Do we have a meta-strategy for an upgrade? For example, if we know that you'd 
pick whatever hash at that time the cool kids recommend, change a couple of 
parameters (like simply bump the key version to v6 and go), that could be a 
recommendation in the RFC.

        Jon






_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp