Jon Callas(joncallas(_at_)icloud(_dot_)com)@Thu, Mar 23, 2017 at 11:55:00AM
-0700:
The real reason to use a wider hash is that every time we've
compromised on security for the sake of small devices, it bites us in
the ass. This will also bite us in the ass. It's a small bite in the
grand scheme of things, but it's going to happen and it will be
inconvenient.
Is your point that we should use *more* than 256 bits for an identifier
that doesn't even need preimage resistance?
There are four use cases for such an identifier:
- provide a reference to a key in signatures. note that this is not a
cryptograhpic purpose, since the actual signatures are calculated
over the entire key. we have been using 64 bit key ids for this
purpose so far.
- show to humans to have them verify two keys are identical. by
definition, we trust the person showing this fingerprint, which
renders collision a pointless attack scenario.
- use as a handle for a designated revoker. assuming there is a
collision, either colliding key could be used for revocation. since
those would both be generated by an attacker in either case, there's
no issue.
- use as a handle for obtaining (downloading / updating) a key. a
keyserver (or equivalent) could equivocate here, but *only* if they
control the looked-up fingerprint in the first place, or at least
generated the (colliding) key.
Am I missing a use case? Even including a ton of security margin, 256
bits already seems way overkill to me for any of those purposes.
- V
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp