1 Return-Path: <jon@callas.org>
\r
2 X-Original-To: notmuch@notmuchmail.org
\r
3 Delivered-To: notmuch@notmuchmail.org
\r
4 Received: from localhost (localhost [127.0.0.1])
\r
5 by olra.theworths.org (Postfix) with ESMTP id 6A55A431FB6
\r
6 for <notmuch@notmuchmail.org>; Mon, 17 Jan 2011 18:20:56 -0800 (PST)
\r
7 X-Virus-Scanned: Debian amavisd-new at olra.theworths.org
\r
11 X-Spam-Status: No, score=1.274 tagged_above=-999 required=5
\r
12 tests=[RDNS_NONE=1.274] autolearn=disabled
\r
13 Received: from olra.theworths.org ([127.0.0.1])
\r
14 by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)
\r
15 with ESMTP id 0oPYLTtvoRJ3 for <notmuch@notmuchmail.org>;
\r
16 Mon, 17 Jan 2011 18:20:54 -0800 (PST)
\r
17 X-Greylist: delayed 375 seconds by postgrey-1.32 at olra;
\r
18 Mon, 17 Jan 2011 18:20:54 PST
\r
19 Received: from merrymeet.com (unknown [173.164.244.100])
\r
20 by olra.theworths.org (Postfix) with ESMTP id 762D3431FB5
\r
21 for <notmuch@notmuchmail.org>; Mon, 17 Jan 2011 18:20:54 -0800 (PST)
\r
22 Received: from localhost (localhost [127.0.0.1])
\r
23 by merrymeet.com (Postfix) with ESMTP id 1E45C2E11C
\r
24 for <notmuch@notmuchmail.org>; Mon, 17 Jan 2011 18:14:53 -0800 (PST)
\r
25 Received: from merrymeet.com ([127.0.0.1])
\r
26 by localhost (host.domain.tld [127.0.0.1]) (amavisd-maia, port 10024)
\r
27 with ESMTP id 12997-04 for <notmuch@notmuchmail.org>;
\r
28 Mon, 17 Jan 2011 18:14:48 -0800 (PST)
\r
29 Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97])
\r
30 (Authenticated sender: jon)
\r
31 by merrymeet.com (Postfix) with ESMTPA id 906D52E05B
\r
32 for <notmuch@notmuchmail.org>; Mon, 17 Jan 2011 18:14:48 -0800 (PST)
\r
33 Received: from [10.0.23.19] ([173.164.244.98])
\r
34 by keys.merrymeet.com (PGP Universal service);
\r
35 Mon, 17 Jan 2011 18:14:34 -0800
\r
36 X-PGP-Universal: processed;
\r
37 by keys.merrymeet.com on Mon, 17 Jan 2011 18:14:34 -0800
\r
38 Subject: Re: including the entire fingerprint of the issuer in an OpenPGP
\r
40 Mime-Version: 1.0 (Apple Message framework v1082)
\r
41 From: Jon Callas <jon@callas.org>
\r
42 In-Reply-To: <4D34F133.3000807@fifthhorseman.net>
\r
43 Date: Mon, 17 Jan 2011 18:14:31 -0800
\r
44 Message-Id: <AFC1EADB-7F7E-4090-A858-8C0012C9ED94@callas.org>
\r
45 References: <4D34F133.3000807@fifthhorseman.net>
\r
46 To: IETF OpenPGP Working Group <ietf-openpgp@imc.org>
\r
47 X-Mailer: Apple Mail (2.1082)
\r
48 Content-Type: text/plain; charset=us-ascii
\r
49 Content-Transfer-Encoding: quoted-printable
\r
50 X-Virus-Scanned: Maia Mailguard
\r
51 X-Mailman-Approved-At: Tue, 18 Jan 2011 12:27:11 -0800
\r
52 Cc: notmuch <notmuch@notmuchmail.org>
\r
53 X-BeenThere: notmuch@notmuchmail.org
\r
54 X-Mailman-Version: 2.1.13
\r
56 List-Id: "Use and development of the notmuch mail system."
\r
57 <notmuch.notmuchmail.org>
\r
58 List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,
\r
59 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
\r
60 List-Archive: <http://notmuchmail.org/pipermail/notmuch>
\r
61 List-Post: <mailto:notmuch@notmuchmail.org>
\r
62 List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
\r
63 List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,
\r
64 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
\r
65 X-List-Received-Date: Tue, 18 Jan 2011 02:20:56 -0000
\r
67 On the one hand, my only disagreement with you is to suggest that your =
\r
68 proposal be tied into using SHA256 for a fingerprint. If you're going to =
\r
69 expand the keyid to a fingerprint, why not get a better fingerprint?
\r
71 On the other hand, this has never been a problem. It's harder than you =
\r
72 think, because you have to generate a new key each time, which takes a =
\r
75 Nonetheless, I think it's a good idea. I'd just go all the way to a =
\r
81 On Jan 17, 2011, at 5:47 PM, Daniel Kahn Gillmor wrote:
\r
83 > * PGP Signed by an unknown key
\r
85 > Hi OpenPGP folks (and Cc'ed notmuch developers/users)--
\r
87 > Some recent discussion about verifying OpenPGP signatures for the
\r
88 > notmuch mail user agent got me thinking about different ways one might
\r
89 > interpret a negative result from a signature made over a message.
\r
91 > Most OpenPGP signatures i've seen use the (unhashed) issuer subpacket =
\r
93 > refer to the low 64 bits of the fingerprint of the issuer's key (the
\r
94 > issuer's "key ID"):
\r
96 > https://tools.ietf.org/html/rfc4880#section-5.2.3.5
\r
98 > Given that we can't assume that key IDs are unique with any high =
\r
100 > of confidence, this creates some ambiguity between these states:
\r
102 > A) "you don't have the key that made this signature"
\r
104 > B) "this signature is bad"
\r
106 > a user-friendly MUA that thinks it is in state A might do something
\r
107 > sensible like offer to do a keyserver lookup (if it is online), while
\r
108 > simply reporting "signature error" if it thinks it is in state B.
\r
110 > But a devious attacker could potentially create a colliding Key ID (i
\r
111 > believe collisions of the low 64 bits of SHA1 are within reach today,
\r
112 > i'd love to be corrected if this is not the case) and cause the
\r
113 > user-friendly MUA to assume it is in state B when it is actually in
\r
114 > state A. The attacker doesn't even need access to the message or
\r
115 > signature in question to do this. They'd only need to have been able =
\r
117 > supply a key to the user at some time in the past. (e.g. push a new
\r
118 > subkey to the keyservers which a user pulls during a keyring refresh)
\r
120 > One way around this ambiguity would be to include the issuer's entire
\r
121 > fingerprint instead of just the low 64 bits, which would make the
\r
122 > certainty of state A vs. state B much clearer.
\r
124 > Would there be any objection to a new subpacket type for OpenPGPv4 =
\r
126 > would include the remaining 96 bits of the issuer's fingerprint? (the
\r
127 > "high 96" proposal)
\r
129 > Alternately, what about a new subpacket type that simply includes the
\r
130 > entire 160 bits of the issuer's fingerprint? (the "full fingerprint"
\r
133 > A third proposal would be a new subpacket type that simply includes =
\r
135 > entire public key of the issuer (the "full pubkey" proposal).
\r
137 > I lean toward "high 96", since using it in conjunction with the issuer
\r
138 > subpacket retains backward compatibility with existing tools (which =
\r
140 > how to interpret the issuer subpacket) while introducing the smallest
\r
141 > amount of additional data per signature.
\r
143 > Given that the size of a signature from a 2048-bit RSA key is 256 =
\r
145 > already, adding an additional 12 bytes (plus a few bytes of subpacket
\r
146 > overhead) per signature doesn't seem particularly excessive.
\r
148 > I'm also assuming that the typical use of this subpacket would be in =
\r
150 > unhashed section of a signature packet, since it is an advisory field
\r
151 > and not intended to address attacks against an adversary capable of
\r
152 > tampering directly with the data in the signature itself.
\r
154 > I will write code to implement this using an experimental subpacket =
\r
156 > but i'd like to know if anyone has any caveats, concerns, or =
\r
158 > between the proposals i've outlined above (or entirely different
\r
159 > proposals that would address the underlying concern).
\r