[openpgp] v5 fingerprints in ECDH

On 2021-02-23 at 02:19:03, Paul Wouters wrote:
> Hi,
>
> I pushed an updated version of the crypto refresh document:
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-openpgp-crypto-refresh-02
>
> I've also pushed the git changes to https://gitlab.com/openpgp-wg/rfc4880bis
>
>
> The commit on white space changes was reverted, as the WG will be
> re-opening that discussion later once we have all the consensus
> items from the previous 4880bis discussion re-published in this
> document.
>
> The following items were merged in:
>
> - Produce 4-level-deep ToC
> - Reserve codepoints in the registries
> - reorganize signature and asymmetric key value fields
> - Re-flow the v3 and v4 signature descriptions
> - Incorporated RFC 6637 (ECDSA and ECDH, using NIST curves)
I noticed for v5 fingerprints we hash only the left 20 octets in the
ECDH KDF:

  20 octets representing a recipient encryption subkey or a master
  key fingerprint, identifying the key material that is needed for
  the decryption.  For version 5 keys the 20 leftmost octets of the
  fingerprint are used.

Absent a compelling reason, I'd prefer to see the entire fingerprint
used.  It doesn't make sense to define a fingerprint that's 32 octets
and then truncate it to 20 octets in some cases.  At that point, we're
relying on the collision resistance of a different algorithm, not
SHA-256, and decreasing the security level to below 128 bits.

Note that if we do this, we'll need to update the text above and below
to reflect that the sizes are not invariant.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US

signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp