From owner-ietf-openpgp@mail.imc.org  Sun Jun  1 07:08:29 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA04485
	for <openpgp-archive@lists.ietf.org>; Sun, 1 Jun 2003 07:08:28 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h51ARRAF013874
	for <ietf-openpgp-bks@above.proper.com>; Sun, 1 Jun 2003 03:27:27 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h51ARRfE013873
	for ietf-openpgp-bks; Sun, 1 Jun 2003 03:27:27 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h51ARQAF013863
	for <ietf-openpgp@imc.org>; Sun, 1 Jun 2003 03:27:26 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from [63.73.97.180] (63.73.97.165) by merrymeet.com with ESMTP
 (Eudora Internet Mail Server 3.2); Sun, 1 Jun 2003 03:27:24 -0700
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Sun, 01 Jun 2003 03:27:24 -0700
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
From: Jon Callas <jon@callas.org>
To: John Wilkinson <jwilkinson@attbi.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFF231C.80011420%jon@callas.org>
In-Reply-To: <3ED7EDD2.4050105@attbi.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 5/30/03 4:48 PM, "John Wilkinson" <jwilkinson@attbi.com> wrote:

> 
> With all due respect, Jon, I would like to see a quote from a recognized
> crypto expert who feels that AES-128 is "safer" than AES-256.

I think you misunderstand what I'm saying.

In crypto circles, there's a subtle difference between being conservative
and being insecure. Safety is like wine. It ages over years. We tend to use
the word "safe" informally.

What I said was that the 256 bit ciphers make two changes, and that makes
them daring. I did say that I did not share the concerns I've heard, but I
still value them as the opinions of colleagues.

As for "recognized crypto experts" -- well, there are a lot of them here,
even if a number of us crypto experts aren't cipher designers. You've heard
from recognized crypto experts, and note that there's a variation of
opinion, and some of them say that yes, AES-256 is more daring than AES-128.

When I was at Counterpane, we used Blowfish over either AES or Twofish,
despite the fact that we thought that AES and Twofish both were better
designs. It was all a matter of aging, and it was at that time that
Schneier, Ferguson, and Kelsey (all Twofish designers) opined precisely what
I said -- that all of the AES candidates should be used in 128-bit mode, as
that was better understood.

Now Ferguson and Schneier have a new book out, "Practical Cryptography" and
their opinions are well worth paying close attention to, even if you don't
completely agree. 

Personally, I stick with 128-bit keys, but that's because I think too many
people want more bits in their keys without understanding what's going on.

The question, "Will a key with more bits give me better security?" is a lot
like the question, "Will more cylinders in my car engine make me go faster?"
The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
actually cause all sorts of troubles." It's not what people want to hear.

    Jon



From owner-ietf-openpgp@mail.imc.org  Sun Jun  1 20:57:13 2003
Date: Mon, 2 Jun 2003 01:31:33 +0100
From: Adam Back <adam@cypherspace.org>
To: Jon Callas <jon@callas.org>
Cc: John Wilkinson <jwilkinson@attbi.com>, OpenPGP <ietf-openpgp@imc.org>,
        Adam Back <adam@cypherspace.org>
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030602013133.A10766486@exeter.ac.uk>
References: <3ED7EDD2.4050105@attbi.com> <BAFF231C.80011420%jon@callas.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <BAFF231C.80011420%jon@callas.org>; from jon@callas.org on Sun, Jun 01, 2003 at 03:27:24AM -0700


Not sure if this is what you were referring to about their comments in
Practical Cryptography, but in that book they argue for use of 256-bit
keys on the basis that protocols and algorithms more frequently than
we'd like fall victim to variants of the meet-in-the-middle attack
where the key space ends up being half as many bits as you thought it
might.

So personally I'm not sure I buy that particular argument, but I
happen to share the conclusion: 256-bit keys are a good idea.

Also I'd think the most suspect aspect of a 256-bit keyed cipher is
whether it truly achieves 256-bits of strength.  I'd say it's much
less controversial however to say 256-bit AES provides a better margin
of security than 128-bit AES.

Adam

On Sun, Jun 01, 2003 at 03:27:24AM -0700, Jon Callas wrote:
> Now Ferguson and Schneier have a new book out, "Practical Cryptography" and
> their opinions are well worth paying close attention to, even if you don't
> completely agree. 
> 
> Personally, I stick with 128-bit keys, but that's because I think too many
> people want more bits in their keys without understanding what's going on.
> 
> The question, "Will a key with more bits give me better security?" is a lot
> like the question, "Will more cylinders in my car engine make me go faster?"
> The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
> actually cause all sorts of troubles." It's not what people want to hear.
> 
>     Jon
> 


From owner-ietf-openpgp@mail.imc.org  Tue Jun  3 06:15:39 2003
User-Agent: Microsoft-Entourage/10.1.1.2418
Date: Mon, 02 Jun 2003 16:59:09 -0700
Subject: Bis-08 submitted
From: Jon Callas <jon@callas.org>
To: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BB0132DD.8001157F%jon@callas.org>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit


It contains all the things I think we've agreed to, plus a first stab at the
normative/non-normative reference separation, which will no doubt be a
subject of debate.

    Jon



From owner-ietf-openpgp@mail.imc.org  Wed Jun  4 08:25:39 2003
Message-Id: <200306041156.HAA12763@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce: ;
Cc: ietf-openpgp@imc.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Date: Wed, 04 Jun 2003 07:56:54 -0400



A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the An Open Specification for Pretty Good Privacy Working Group of the IETF.

	Title		: OpenPGP Message Format
	Author(s)	: J. Callas, L. Donnerhacke, H. Finney, R. Thayer
	Filename	: draft-ietf-openpgp-rfc2440bis-08.txt
	Pages		: 71
	Date		: 2003-6-3
	
This document is maintained in order to publish all necessary
information needed to develop interoperable applications based on
the OpenPGP format. It is not a step-by-step cookbook for writing an
application. It describes only the format and methods needed to
read, check, generate, and write conforming packets crossing any
network. It does not deal with storage and implementation questions.
It does, however, discuss implementation issues necessary to avoid
security flaws.
OpenPGP software uses a combination of strong public-key and
symmetric cryptography to provide security services for electronic
communications and data storage.  These services include
confidentiality, key management, authentication, and digital
signatures. This document specifies the message formats used in
OpenPGP.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-08.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-openpgp-rfc2440bis-08.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv@ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-openpgp-rfc2440bis-08.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.





From owner-ietf-openpgp@mail.imc.org  Wed Jun  4 19:39:05 2003
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Date: Thu, 05 Jun 2003 02:18:31 +0200
Message-ID: <823tdvcb36dtfmrn4k607k0vn2qophahb5@4ax.com>
References: <200306041156.HAA12763@ietf.org>
In-Reply-To: <200306041156.HAA12763@ietf.org>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit



Hello Mr. Callas,

And while we are hacking, by hacking, I mean
chopping with an axe.  Let us spruce the
compression algorithms.

The zlib compression algorithm seems to be only
implemented in the GnuPG variants, and
is causing a lot of interoperability problems.
The compression function is breaking
interoperability, therefore, we ought to state what is a
"MUST" and what isn't, so that the issue may be resolved,
once and for all.  Especially so when, forgive
my expression, some implementors default to zlib,
while others seem to be unwilling to implement it.

my 2c,

Best Regards

Imad R. Faiad







From owner-ietf-openpgp@mail.imc.org  Wed Jun  4 21:10:03 2003
Date: Wed, 4 Jun 2003 20:53:03 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Message-ID: <20030605005303.GC23351@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306041156.HAA12763@ietf.org> <823tdvcb36dtfmrn4k607k0vn2qophahb5@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <823tdvcb36dtfmrn4k607k0vn2qophahb5@4ax.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (20% of Full)
User-Agent: Mutt/1.5.4i



On Thu, Jun 05, 2003 at 02:18:31AM +0200, Imad R. Faiad wrote:
> 
> Hello Mr. Callas,
> 
> And while we are hacking, by hacking, I mean
> chopping with an axe.  Let us spruce the
> compression algorithms.
> 
> The zlib compression algorithm seems to be only
> implemented in the GnuPG variants, and
> is causing a lot of interoperability problems.
> The compression function is breaking
> interoperability, therefore, we ought to state what is a
> "MUST" and what isn't, so that the issue may be resolved,
> once and for all.

I think the text in the draft is pretty clear on this point.  To my
reading, it says:

* You MUST support uncompressed data.

* You SHOULD support ZIP.

* You MAY support ZLIB.

* If a key states compression preferences, they MUST be followed at
  least to the point of knowing when to send uncompressed.  An easy
  way to do this is to always send uncompressed data since it is
  known to always be supported.

* If a key does not state compression preferences, they are assumed
  to be "ZIP, Uncompressed".

It all seems pretty clear-cut to me.

I have seen a few interoperability problems between GnuPG and PGP due
to ZLIB, but each and every one falls into one of two groups:

1) A GnuPG user who insists on forcing the use of ZLIB when
   communicating with a PGP user, and ignores the "forcing compression
   algorithm ZLIB violates recipient preferences" error message.  This
   is depressingly common, but still is not a problem that the OpenPGP
   design can solve.

2) A key is generated in GnuPG, then later the user switches over to
   using PGP.  Since the ZLIB preference still exists on the key,
   a correspondent using GnuPG will naturally use ZLIB when encrypting
   to that key.  This is a problem that OpenPGP addresses in section
   5.2.3.3 ("Notes on Self-Signatures"):

       Since a self-signature contains important information about the
       key's use, an implementation SHOULD allow the user to rewrite
       the self-signature, and important information in it, such as
       preferences and key expiration.

> Especially so when, forgive
> my expression, some implementors default to zlib,
> while others seem to be unwilling to implement it.

Which implementation is that?  Both GnuPG and PGP default to ZIP.

The problem here is actually wider than the ZIP/ZLIB issue.  The same
thing happens with any two OpenPGP programs that support any different
cipher or hash algorithms.  The answer is not to force all
implementations to have the exact same algorithms.  The answer is to
properly use the preference lists.  That's what they are there for.

David
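
The preference-list rules David summarises above, worked through as an added
example (my own code, not GnuPG's, PGP's or the draft's): a sender choosing a
compression algorithm for several recipient keys, the "ZIP, Uncompressed"
default for keys that state nothing, the error a forced ZLIB should produce
against a key that does not list it, and the self-signature rewrite from his
scenario 2.  Algorithm IDs are the RFC 2440 values; ranking candidates by
summed list position is an assumption of mine, not the draft's rule.

```python
"""Compression choice from OpenPGP preference lists (added illustration).

Not code from GnuPG, PGP or the rfc2440bis draft.  It applies the rules
David Shaw summarises: uncompressed MUST always be accepted, a key that
carries no preferred-compression subpacket (type 22) is read as
"ZIP, Uncompressed", and a sender that honours the lists never emits an
algorithm some recipient did not list.  Algorithm IDs are the RFC 2440
values; ranking candidates by summed list position is my own choice.
"""
from typing import Optional, Sequence

UNCOMPRESSED, ZIP, ZLIB = 0, 1, 2
NAMES = {UNCOMPRESSED: "Uncompressed", ZIP: "ZIP", ZLIB: "ZLIB"}
DEFAULT_PREFS: Sequence[int] = (ZIP, UNCOMPRESSED)   # key states nothing


class PreferenceViolation(Exception):
    """A forced algorithm is missing from some recipient's list."""


def effective_prefs(prefs: Optional[Sequence[int]]) -> list[int]:
    """Expand a key's list the way a sender must read it: defaults when the
    key states nothing, and uncompressed appended when not listed, since
    every implementation MUST support it."""
    out = list(DEFAULT_PREFS if prefs is None else prefs)
    if UNCOMPRESSED not in out:
        out.append(UNCOMPRESSED)
    return out


def violating_recipients(recipient_prefs: Sequence[Optional[Sequence[int]]],
                         algo: int) -> list[int]:
    """Indices of recipients whose (effective) list does not contain algo."""
    return [i for i, p in enumerate(recipient_prefs)
            if algo not in effective_prefs(p)]


def choose_compression(recipient_prefs: Sequence[Optional[Sequence[int]]],
                       sender_supports: Sequence[int] = (ZIP, ZLIB),
                       forced: Optional[int] = None) -> int:
    """Pick one algorithm for a message encrypted to all the given keys.

    recipient_prefs: one preference list (or None) per recipient key.
    sender_supports: what this implementation can produce; uncompressed is
                     added automatically because it is mandatory.
    forced:          a user override.  Honoured only when every recipient
                     lists it; otherwise this is the "forcing compression
                     algorithm ... violates recipient preferences" case.
    """
    if not recipient_prefs:
        raise ValueError("no recipients")
    supported = set(sender_supports) | {UNCOMPRESSED}
    lists = [effective_prefs(p) for p in recipient_prefs]

    if forced is not None:
        if forced not in supported:
            raise PreferenceViolation(f"{NAMES.get(forced, forced)} not implemented here")
        offenders = violating_recipients(recipient_prefs, forced)
        if offenders:
            raise PreferenceViolation(
                f"forcing compression algorithm {NAMES.get(forced, forced)} "
                f"violates recipient preferences (recipients {offenders})")
        return forced

    # Candidates: listed by every recipient and producible by the sender.
    # Uncompressed always qualifies, so the list is never empty.
    common = [a for a in lists[0]
              if a in supported and all(a in lst for lst in lists[1:])]
    # Lowest summed position wins; ties keep the first recipient's order.
    return min(common, key=lambda a: sum(lst.index(a) for lst in lists))


def rewrite_prefs(old: Optional[Sequence[int]],
                  new_program_supports: Sequence[int]) -> list[int]:
    """Scenario 2's fix (section 5.2.3.3): after moving the key to another
    program, rewrite the self-signature so it lists only what that program
    can actually decompress."""
    keep = set(new_program_supports) | {UNCOMPRESSED}
    return [a for a in effective_prefs(old) if a in keep]
```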


From owner-ietf-openpgp@mail.imc.org  Wed Jun  4 21:40:38 2003
Date: Wed, 4 Jun 2003 21:27:38 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Message-ID: <20030605012738.GD23351@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306041156.HAA12763@ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200306041156.HAA12763@ietf.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (20% of Full)
User-Agent: Mutt/1.5.4i



On Wed, Jun 04, 2003 at 07:56:54AM -0400, Internet-Drafts@ietf.org wrote:

> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-08.txt

I'm quite pleased with this draft.  I'm going to give it a more
in-depth read, but I did notice a few very minor (mostly language)
nits:

***************

In section 5.2.1 ("Signature Types"): In the description of the 0x50
signature, there is a sentence that reads "such a a blind party that
only sees the signature, not the key nor source document".  That first
"a" was probably intended as an "as".

In the same section, "It is a notary seal on the signed data", could
probably be better as "It is analogous to a notary seal on the signed
data".  This should also help Ian Grigg's concerns about misuse of the
word "notary".

***************

In section 14 ("Implementation Nits") one of the items mentions:

     * PGP 2.0 through 2.5 generated V2 Public Key Packets. These are
       identical to the deprecated V3 keys except for the version
       number. An implementation may accept or reject them as it sees
       fit.

It might be good to change this a bit to:

     * PGP 2.0 through 2.5 generated V2 Public Key Packets and V2
       signatures. These are identical to the deprecated V3 keys and
       signatures except for the version number. An implementation may
       accept or reject them as it sees fit.

***************

I understood that the "keyserver preferences" and "features"
subpackets contain a collection of single-bit flags, but it isn't
completely clear from the text.  Maybe a sprinkling of the word "bit"
would help here.

***************

In section 5.2.4 ("Computing Signatures"), a sentence reads "A V3
certification hashes the contents of the name packet, without any
header."  Instead of "name packet", I suggest "user ID or attribute
packet".

***************

In section 10.1 ("Transferable Public Keys"), subkeys are followed by
"After each Subkey packet, one signature packet, optionally a
revocation."  I think the word "plus", as in "... plus optionally a
revocation" would be helpful here.  A revocation does not take the
place of the original binding signature.

***************

David


From owner-ietf-openpgp@mail.imc.org  Fri Jun  6 05:09:58 2003
To: ietf-openpgp@imc.org
Subject: key flag for authentication
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
X-FSFE-Info:  http://fsfeurope.org
Date: Fri, 06 Jun 2003 10:39:30 +0200
Message-ID: <87ptlrtxa5.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


Hi!

I know that we are short of releasing a new RFC and bis-08 looks
really good.  Due to the project I am currently working on I'd like to
suggest a small enhancement:

 5.2.3.21. Key Flags

     [...]   

     0x20 - This key may be used for authentication.

Usage notes are not necessary and it should be left to an
implementation on how to handle this key flag.

There are drafts and actual implementations to use OpenPGP keys with
TLS and ssh.  Thus, having a subkey specially for this purpose seems
to be a good idea.  A key with key flag 0x02 (sign data) could be used
for authentication too but this has the problem that there would be no
easy way to select the appropriate subkey for data signing or
authentication purposes.  As a workaround an implementation could use
notation data but this would be implementation dependent and a kind of
hack.

What do you think?


  Werner


-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi



From owner-ietf-openpgp@mail.imc.org  Fri Jun  6 11:50:46 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA29313
	for <openpgp-archive@lists.ietf.org>; Fri, 6 Jun 2003 11:50:45 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h56FUKAF018617
	for <ietf-openpgp-bks@above.proper.com>; Fri, 6 Jun 2003 08:30:20 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h56FUKmZ018616
	for ietf-openpgp-bks; Fri, 6 Jun 2003 08:30:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mx1.cryptohill.net (ns1.cryptohill.net [24.244.145.2])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h56FUJAF018607
	for <ietf-openpgp@imc.org>; Fri, 6 Jun 2003 08:30:19 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from systemics.com (localhost [127.0.0.1])
	by mx1.cryptohill.net (Postfix) with ESMTP
	id 83A3E1C955; Fri,  6 Jun 2003 11:30:14 -0400 (EDT)
Message-ID: <3EE0B325.A6F3BB3F@systemics.com>
Date: Fri, 06 Jun 2003 11:28:37 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Werner Koch <wk@gnupg.org>
Cc: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
References: <87ptlrtxa5.fsf@alberti.g10code.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Werner Koch wrote:
> 
> Hi!
> 
> I know that we are short of releasing a new RFC and bis-08 looks
> really good.  Due to the project I am currently working on I'd like to
> suggest a small enhancement:
> 
>  5.2.3.21. Key Flags
> 
>      [...]
> 
>      0x20 - This key may be used for authentication.
> 
> Usage notes are not necessary and it should be left to an
> implementation on how to handle this key flag.
> 
> There are drafts and actual implementations to use OpenPGP keys with
> TLS and ssh.  Thus, having a subkey specially for this purpose seems
> to be a good idea.  A key with key flag 0x02 (sign data) could be used
> for authentication too but this has the problem that there would be no
> easy way to select the appropriate subkey for data signing or
> authentication purposes.  As a workaround an implementation could use
> notation data but this would be implementation dependent and a kind of
> hack.
> 
> What do you think?

Not that I disagree with you, but I'd like to point out
alternative practice.

We (Systemics/Ricardo/SOX/WebFunds) have been using PGP keys
for authentication purposes for years (8, if anyone's counting,
with a couple of years gap where we got blindsided into
x.509).  (Something between 100k and a million transactions.)

To identify keys and their roles, we stick the following
into the keyId textual tag:

   [role]

where role could be one of certification, operator, server,
contract, ...

This appears to be much more flexible than looking for bits
in the key, as it allows lots of roles.  When one gets into
bigger protocols, one ends up with dozens of different keys
at different places in the PKI.  And they all need to have
their roles and characteristics encoded in them.

So, whilst I wouldn't necessarily disagree with the bit
being there, I'm not sure I see the need.

(And, thinking about it some more, I can see that the issue
you might have there is that once you have your authentication
bit in place, how do you show that the key is to be used for
SSH authentication and not TLS?)

Just some thoughts!

-- 
iang


From owner-ietf-openpgp@mail.imc.org  Fri Jun  6 14:16:29 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA05728
	for <openpgp-archive@lists.ietf.org>; Fri, 6 Jun 2003 14:16:22 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h56HvXAF025689
	for <ietf-openpgp-bks@above.proper.com>; Fri, 6 Jun 2003 10:57:33 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h56HvXgN025688
	for ietf-openpgp-bks; Fri, 6 Jun 2003 10:57:33 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h56HvVAF025682
	for <ietf-openpgp@imc.org>; Fri, 6 Jun 2003 10:57:32 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19OLNb-0004eQ-00
	for <ietf-openpgp@imc.org>; Fri, 06 Jun 2003 19:51:55 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19OLSS-0000yK-00; Fri, 06 Jun 2003 19:56:56 +0200
To: iang@systemics.com
Cc: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
References: <87ptlrtxa5.fsf@alberti.g10code.de>
	<3EE0B325.A6F3BB3F@systemics.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Fri, 06 Jun 2003 19:56:56 +0200
In-Reply-To: <3EE0B325.A6F3BB3F@systemics.com> (Ian Grigg's message of "Fri,
 06 Jun 2003 11:28:37 -0400")
Message-ID: <878ysfqec7.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Fri, 06 Jun 2003 11:28:37 -0400, Ian Grigg said:

> To identify keys and their roles, we stick the following
> into the keyId textual tag:

>    [role]

That used to be the only way during PGP 2 times.  A German ISP with an
associated CA created pgp 2.63in to formalize their conventions on how
to encode more attributes in the User ID.  This made it even possible
to use separate signing and encryption keys as well as expiration
dates.

In contrast OpenPGP provides a more general way to encode more
information with a key.  Most notably notation data can be used
instead of tags encoded in the User ID.

> (And, thinking about it some more, I can see that the issue
> you might have there is that once you have your authentication
> bit in place, how do you show that the key is to be used for
> SSH authentication and not TLS?)

That is not the question I want to address.  The problem stems from
this:

If you have more than one encryption subkey, the most useful way is to
use the newest encryption subkey which has not been created in the
future.  This allows for an automatic key rollover.  Although it does
not make that much sense, the scheme can also be used for signing
subkeys.  To figure out what subkey to use, the implementation
computes the key capabilities from the used algorithm and the key
flags and decides on this.  If you add a subkey for authentication,
this one is probably the newest one and would be used for signing -
that is probably not what you want.


Shalom-Salam,

   Werner

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org
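The selection rule Werner describes (newest capable subkey whose creation time is not in the future, capability computed from algorithm plus key flags) and the problem it causes for an authentication subkey can be shown in a few lines. The following is an added example, not GnuPG's code and not text from the draft; the key IDs, timestamps and the three-subkey key ring are constructed. Flag bits 0x01/0x02/0x04/0x08 are the existing Key Flags values, 0x20 is the bit proposed in this thread (the value RFC 4880 later assigned), and the algorithm IDs are the OpenPGP public-key algorithm numbers.

```python
"""Subkey selection driven by key flags and creation time.

Added example; not GnuPG's code and not text from the draft. It models
the rule described in the thread: for a given task, use the newest
subkey that is capable of it and was not created in the future.
"""
from dataclasses import dataclass
from typing import List, Optional

# First octet of the Key Flags subpacket. 0x20 is the proposed authentication bit.
KF_CERTIFY, KF_SIGN, KF_ENCRYPT_COMMS, KF_ENCRYPT_STORE, KF_AUTH = 0x01, 0x02, 0x04, 0x08, 0x20

# OpenPGP public-key algorithm IDs: 1 RSA, 16 Elgamal (encrypt-only), 17 DSA (sign-only).
ALGO_RSA, ALGO_ELGAMAL, ALGO_DSA = 1, 16, 17
ALGO_CAPS = {
    ALGO_RSA:     KF_CERTIFY | KF_SIGN | KF_ENCRYPT_COMMS | KF_ENCRYPT_STORE | KF_AUTH,
    ALGO_ELGAMAL: KF_ENCRYPT_COMMS | KF_ENCRYPT_STORE,
    ALGO_DSA:     KF_CERTIFY | KF_SIGN | KF_AUTH,
}


@dataclass(frozen=True)
class Subkey:
    keyid: str      # constructed label, not a real key ID
    algo: int
    flags: int      # first octet of the Key Flags subpacket
    created: int    # seconds since the epoch


def capabilities(sk: Subkey) -> int:
    """What the algorithm can do, narrowed to what the owner's flags allow."""
    return ALGO_CAPS.get(sk.algo, 0) & sk.flags


def select_subkey(subkeys: List[Subkey], usage: int, now: int) -> Optional[Subkey]:
    """Newest subkey that has `usage` and whose creation time is not in the future."""
    usable = [sk for sk in subkeys if capabilities(sk) & usage and sk.created <= now]
    return max(usable, key=lambda sk: sk.created, default=None)


# Constructed timestamps: roughly 2001, 2002, 2003, the thread's "now" (June 2003), and later.
T2001, T2002, T2003, NOW, T_FUTURE = 980_000_000, 1_010_000_000, 1_050_000_000, 1_055_000_000, 1_100_000_000

SIGN_2001 = Subkey("sign-2001", ALGO_DSA, KF_SIGN, T2001)
ENC_2002 = Subkey("enc-2002", ALGO_ELGAMAL, KF_ENCRYPT_COMMS | KF_ENCRYPT_STORE, T2002)

# Without an authentication flag, an ssh/TLS subkey can only be marked "sign data" ...
WITHOUT_AUTH_FLAG = [SIGN_2001, ENC_2002, Subkey("auth-2003", ALGO_DSA, KF_SIGN, T2003)]
# ... whereas with 0x20 it can say what it is for, and data signing keeps the older key.
WITH_AUTH_FLAG = [SIGN_2001, ENC_2002, Subkey("auth-2003", ALGO_DSA, KF_AUTH, T2003)]
# A subkey whose creation time lies in the future (clock skew, or a bad clock) is skipped.
FUTURE_SIGN = Subkey("sign-future", ALGO_DSA, KF_SIGN, T_FUTURE)

if __name__ == "__main__":
    for label, ring in (("without 0x20", WITHOUT_AUTH_FLAG), ("with 0x20", WITH_AUTH_FLAG)):
        chosen = select_subkey(ring, KF_SIGN, NOW)
        print(f"{label}: data signing uses {chosen.keyid}")
```

Run as a script it prints that without the flag the newest subkey, the one meant for authentication, is picked for data signing; with the flag the 2001 signing subkey stays in use and the 2003 subkey is only returned when asked for KF_AUTH.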



From owner-ietf-openpgp@mail.imc.org  Sat Jun 14 11:01:07 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA27399
	for <openpgp-archive@lists.ietf.org>; Sat, 14 Jun 2003 11:01:07 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5EEUirb039639
	for <ietf-openpgp-bks@above.proper.com>; Sat, 14 Jun 2003 07:30:44 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5EEUiAK039638
	for ietf-openpgp-bks; Sat, 14 Jun 2003 07:30:44 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from itaqui.terra.com.br (itaqui.terra.com.br [200.176.3.19])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5EEUgrb039633
	for <ietf-openpgp@imc.org>; Sat, 14 Jun 2003 07:30:43 -0700 (PDT)
	(envelope-from mau.go@terra.com.br)
Received: from campina.terra.com.br (campina.terra.com.br [200.176.3.38])
	by itaqui.terra.com.br (Postfix) with ESMTP id BFD2C3BC624
	for <ietf-openpgp@imc.org>; Sat, 14 Jun 2003 11:30:42 -0300 (BRT)
Received: from [192.168.1.3] (200-193-230-044.gnace7001.dsl.brasiltelecom.net.br [200.193.230.44])
	(authenticated user mau.go)
	by campina.terra.com.br (Postfix) with ESMTP id E2C56224062
	for <ietf-openpgp@imc.org>; Sat, 14 Jun 2003 11:30:41 -0300 (BRT)
User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
Date: Sat, 14 Jun 2003 11:32:27 -0300
Subject: Using all zeros for IV means that..
From: Mauricio Junqueira <mau.go@terra.com.br>
To: <ietf-openpgp@imc.org>
Message-ID: <BB10B84A.40F%mau.go@terra.com.br>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


.. a cipher text encoded in CFB mode could be decrypted in CBC ?

That question may be a silly one, but here's the point:

I am a Brazilian engineer who is in charge of a
system development that needs to send critical data over
the internet and other means.

Being new to cryptography but with some past experience
coding the DES algorithm for TEF, I decided to do a little
research for new encryption methods. Then I decided on
twofish 128 bits and implemented the server side of the
system using C and mcrypt in CFB.
So I decided on a very special convention for the IV bytes and
also hashed the IV prior to its use.
To test the server, we have coded some clients in PHP and
everything works just fine.

Well, now we are developing for the real client: a 16 MHz Hitachi H300
that has its own C libraries.
I found that implementing mcrypt and then twofish was not an option and
went to code twofish only.

When looking for some examples showing how to implement twofish, I found
a Twofish source for PGP and used that as the basis for
the H300 implementation. Aside from differences in what an
unsigned char means, I now have it working.

But it only operates on 16 bytes each time, which makes it
CBC mode (I guess).

My solution was to pad the remaining bytes with spaces to make
an entire block, but what about the IV?

Will I lose some quality if I drop the IV and CFB mode in the
server, or is there a way to use the IV in CBC mode, like prepending
the IV or using an all-zeros IV in CFB...


I hope I have found the right place to post this and I was encouraged
in doing so after reading some messages from this mail list.


Thank you for your time in reading this, and
who knows, maybe someone could enlighten me
in the right direction.

Mauricio Junqueira
mau.go@terra.com.br

AMERICA - SOUTH AMERICA - BRASIL - GOIAS - GOIANIA




From owner-ietf-openpgp@mail.imc.org  Sun Jun 15 06:27:09 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA27872
	for <openpgp-archive@lists.ietf.org>; Sun, 15 Jun 2003 06:27:09 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FA8rrb007726
	for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 03:08:53 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5FA8rWN007724
	for ietf-openpgp-bks; Sun, 15 Jun 2003 03:08:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from gluggsi.fortytwo.ch (zux006-028-188.adsl.green.ch [81.6.28.188])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FA8prb007705
	for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 03:08:51 -0700 (PDT)
	(envelope-from vbi@fortytwo.ch)
Received: from altfrangg.fortytwo.ch (altfrangg.fortytwo.ch [192.168.1.17])
	by gluggsi.fortytwo.ch (Postfix) with ESMTP id 11F556913
	for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 12:08:44 +0200 (CEST)
Received: by altfrangg.fortytwo.ch (Postfix, from userid 1002)
	id 1C63A414FB; Sun, 15 Jun 2003 12:08:43 +0200 (CEST)
From: "Adrian 'Dagurashibanipal' von Bidder" <avbidder@fortytwo.ch>
To: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
Date: Sun, 15 Jun 2003 12:08:38 +0200
User-Agent: KMail/1.5.1
References: <87ptlrtxa5.fsf@alberti.g10code.de>
In-Reply-To: <87ptlrtxa5.fsf@alberti.g10code.de>
MIME-Version: 1.0
Content-Type: multipart/signed;
  protocol="application/pgp-signature";
  micalg=pgp-sha1;
  boundary="Boundary-02=_qWE7+JXt2jWT7eF";
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200306151208.42675@fortytwo.ch>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



--Boundary-02=_qWE7+JXt2jWT7eF
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Description: signed data
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Friday 06 June 2003 10:39, Werner Koch wrote:

>  5.2.3.21. Key Flags
>
>      [...]
>
>      0x20 - This key may be used for authentication.
>
> Usage notes are not necessary and it should be left to an
> implementation on how to handle this key flag.

At least a note that handling of this flag should be implementation defined
should go in. Somebody implementing OpenPGP software needs to know at least
that he needn't worry what to do with such keys (or perhaps that he should
ignore such [sub]keys in most cases?)

> authentication purposes.  As a workaround an implementation could use
> notation data but this would be implementation dependent and a kind of
> hack.

Hmm. Using a flag which is not documented (except in that it exists) seems
kind of a hack, too. If the correct behaviour of openpgp software is to be
left to implementors, why not use a notation - which is more flexible than a
one-bit flag anyway?

greets
-- vbi

-- 
featured link: http://fortytwo.ch/smtp

--Boundary-02=_qWE7+JXt2jWT7eF
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj7sRapgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi
YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWqboAn1/lQTM9r9kR8K3I7SCALBY5
SQ2AAKD3Qkk1t/q8qBlIU478fHPcrd6EYw==
=WGSO
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

--Boundary-02=_qWE7+JXt2jWT7eF--


From owner-ietf-openpgp@mail.imc.org  Sun Jun 15 09:38:02 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA01491
	for <openpgp-archive@lists.ietf.org>; Sun, 15 Jun 2003 09:38:01 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FDJqrb015557
	for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 06:19:52 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5FDJqPl015556
	for ietf-openpgp-bks; Sun, 15 Jun 2003 06:19:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FDJprb015550
	for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 06:19:51 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5FDJkK07415
	for ietf-openpgp@imc.org; Sun, 15 Jun 2003 09:19:46 -0400
Date: Sun, 15 Jun 2003 09:19:46 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
Message-ID: <20030615131946.GE28548@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <87ptlrtxa5.fsf@alberti.g10code.de> <200306151208.42675@fortytwo.ch>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
In-Reply-To: <200306151208.42675@fortytwo.ch>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Full
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Jun 15, 2003 at 12:08:38PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > authentication purposes.  As a workaround an implementation could use
> > notation data but this would be implementation dependent and a kind of
> > hack.
> 
> Hmm. Using a flag which is not documented (except in that it exists) seems
> kind of a hack, too. If the correct behaviour of openpgp software is to be
> left to implementors, why not use a notation - which is more flexible than a
> one-bit flag anyway?

It doesn't need much documentation.  This is similar to the "This key
may be used to encrypt communications" or "This key may be used to
encrypt storage" flags: a usage hint.

I think the proposed flag is a good idea.

David

--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7HJy4mZch0nhy8kRAinHAJ4zTOr5E11w1/bRqyym3qu4LYA/qQCgx5/N
FtzfDIJwRg17P8xz4YYRuDo=
=fIhw
-----END PGP SIGNATURE-----

--XsQoSWH+UP9D9v3l--


From owner-ietf-openpgp@mail.imc.org  Sun Jun 15 11:52:40 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA04877
	for <openpgp-archive@lists.ietf.org>; Sun, 15 Jun 2003 11:52:39 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFTYrb021608
	for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 08:29:35 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5FFTYqe021607
	for ietf-openpgp-bks; Sun, 15 Jun 2003 08:29:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFTWrb021602
	for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 08:29:33 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5FFTXFm018740;
	Sun, 15 Jun 2003 11:29:33 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5FFTWmv028944;
	Sun, 15 Jun 2003 11:29:32 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h5FFTVFJ023668;
	Sun, 15 Jun 2003 11:29:31 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id LAA07996; Sun, 15 Jun 2003 11:29:31 -0400 (EDT)
To: Mauricio Junqueira <mau.go@terra.com.br>
Cc: <ietf-openpgp@imc.org>
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Using all zeros for IV means that..
References: <BB10B84A.40F%mau.go@terra.com.br>
Date: 15 Jun 2003 11:29:31 -0400
In-Reply-To: <BB10B84A.40F%mau.go@terra.com.br>
Message-ID: <sjm8ys3z7dw.fsf@kikki.mit.edu>
Lines: 62
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Hi,

first, this is probably not the appropriate forum for
general cryptographic help (unless of course you
are looking for a security consultant to come help
you, in which case you can look at my personal website
and retain my services ;)

Having said that....

Mauricio Junqueira <mau.go@terra.com.br> writes:

> .. a cipher text encoded in CFB mode could be decrypted in CBC ?

No.  CFB and CBC are completely different crypto modes.

[snip]

> But it only operates on 16bytes each time, what makes it
> a CBC mode ( I guess ).

No.  It has a 16-byte block size, but that does not make it CBC.

> My solution was to complete with spaces the remain bytes to have
> an entire block, but what about the IV?

You should read Applied Cryptography.  This is "not the way".  There
are a number of standard padding techniques, but you do not need
them if you use CFB mode.  CFB mode always gives you the "exact"
amount of ciphertext that you need.

> I will lose some quality if I drop the IV and CFB mode in the
> server or is there a way to use the IV in CBC mode like pre-pending
> the IV or using all zeros IV in CFB...

This question does not make sense.

> I hope I have found the right place to post this and I was encouraged
> in doing so after reading some messages from this mail list.

Not really, as this list is for discussion of the OpenPGP
specification, not about cryptography in general.

> Thank you for your time in reading this and
> who knows if some one could enlightenment me
> in the right direction.

As I said, I recommend you read Applied Cryptography, or
engage the services of a Security Consultant to help you
understand all the issues...

Good Luck,

> Mauricio Junqueira
> mau.go@terra.com.br

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
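Derek's reply above makes two points that are easy to verify by running the modes side by side: CFB and CBC are different constructions, and CFB needs no padding because the last partial block is simply XORed with a truncated keystream. The following is an added example, not code from the thread or from any OpenPGP implementation. The block cipher it uses is a constructed stand-in (a 4-round Feistel network keyed through SHA-256, chosen only so the code runs offline; it is not a cipher to deploy) in place of Twofish, and the sample records and key are constructed. It also shows what the "all zeros IV" idea leaks: with a fixed IV and the same key, two messages sharing their first block produce the same first ciphertext block. OpenPGP itself does use a zero IV, but it encrypts a random prefix before the real data; the last function models that idea by prepending a fresh random IV to each message.

```python
"""CFB vs CBC over a 16-byte block cipher, and what a fixed IV leaks.

Added example. block_encrypt/block_decrypt are a constructed Feistel
stand-in for a real cipher; everything else is the mode logic itself.
"""
import hashlib
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)


def _xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, which is what a partial CFB block needs
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Full-block CFB: only the forward cipher is used, and the ciphertext
    is exactly as long as the plaintext, so no padding is needed."""
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        seg = _xor(pt[i:i + BLOCK], block_encrypt(key, prev))
        out += seg
        prev = seg              # a partial last segment is never fed back
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        seg = ct[i:i + BLOCK]
        out += _xor(seg, block_encrypt(key, prev))   # still the forward cipher
        prev = seg
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC needs block-aligned input (pad first) and an invertible cipher."""
    if len(pt) % BLOCK:
        raise ValueError("CBC needs block-aligned input; pad first")
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    if len(ct) % BLOCK:
        raise ValueError("ciphertext is not block-aligned")
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return bytes(out)


def cbc_accepts(key: bytes, msg: bytes) -> bool:
    try:
        cbc_encrypt(key, ZERO_IV, msg)
        return True
    except ValueError:
        return False


def same_prefix_leaks(key: bytes) -> bool:
    """Fixed IV + same key: equal first plaintext blocks give equal first
    ciphertext blocks, so an observer learns the two records start alike."""
    m1 = b"AMOUNT=000100.00;ACCOUNT=1111-2222"   # constructed sample records,
    m2 = b"AMOUNT=000100.00;ACCOUNT=9999-8888"   # identical first 16 bytes
    return cfb_encrypt(key, ZERO_IV, m1)[:BLOCK] == cfb_encrypt(key, ZERO_IV, m2)[:BLOCK]


def random_iv_hides_prefix(key: bytes) -> bool:
    """Send a fresh random IV in the clear ahead of each message; the receiver
    splits it off. The same record now encrypts differently each time."""
    m = b"AMOUNT=000100.00;ACCOUNT=1111-2222"
    iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)
    c1 = iv1 + cfb_encrypt(key, iv1, m)
    c2 = iv2 + cfb_encrypt(key, iv2, m)
    return c1[BLOCK:2 * BLOCK] != c2[BLOCK:2 * BLOCK] and cfb_decrypt(key, c1[:BLOCK], c1[BLOCK:]) == m
```

The cross-mode question answers itself once the two are written out: feeding CFB output through cbc_decrypt yields noise, because CBC inverts the cipher on each ciphertext block while CFB never applied the cipher to the data at all.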


From owner-ietf-openpgp@mail.imc.org  Sun Jun 15 12:11:04 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA05081
	for <openpgp-archive@lists.ietf.org>; Sun, 15 Jun 2003 12:11:04 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFtArb022015
	for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 08:55:10 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5FFtASt022014
	for ietf-openpgp-bks; Sun, 15 Jun 2003 08:55:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mta6.adelphia.net (mta6.adelphia.net [64.8.50.190] (may be forged))
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFt8rb022009
	for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 08:55:09 -0700 (PDT)
	(envelope-from mwy-opgp97@the-youngs.org)
Received: from mwyoung ([68.168.179.202]) by mta6.adelphia.net
          (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP
          id <20030615155454.BJMJ1347.mta6.adelphia.net@mwyoung>
          for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 11:54:54 -0400
Message-ID: <003901c33356$4e3e0fc0$c23fa8c0@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <87ptlrtxa5.fsf@alberti.g10code.de> <200306151208.42675@fortytwo.ch> <20030615131946.GE28548@jabberwocky.com>
Subject: Re: key flag for authentication
Date: Sun, 15 Jun 2003 11:53:44 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This discussion raises another concern I've had regarding new flags.

The description (in draft 7, anyway) reads:
>    This subpacket contains a list of binary flags that hold information
>    about a key. It is a string of octets, and an implementation MUST
>    NOT assume a fixed size. This is so it can grow over time. If a list
>    is shorter than an implementation expects, the unstated flags are
>    considered to be zero.
...

In fact, the list of flags can grow *without* increasing the length:
we're contemplating adding new flags to the first octet.

I think it's inappropriate to change the meaning of an old signature
by adding flags to the specification.

Here, we're considering adding exactly one bit:
>      0x20 - This key may be used for authentication.

An old signature didn't contemplate the meaning of this bit.
The key might be intended for authentication; it might not.
New software that looks at this bit can't tell whether: the
signer explicitly chose not to allow authentication; or, the
signer was using an old revision of the specification.

But, new flags can be structured to disambiguate new revisions
from old.  For example, here we can add two bits:
       0x20 - This key may be used for authentication.
       0x40 - (Bit 0x20 is explicitly set.)
Old signatures would have a zero in 0x40, so a new application
can apply its own default (rather than having one imposed by
the specification).  New signatures that actively decide on the
value for the 0x20 bit must set 0x40.  (A new signer could also
choose to accept the viewer's default by leaving 0x40 zero.)

I don't know whether this is the right time to start adopting this
sort of policy for new flags -- do implementations make use of
the existing key flags already?  If they do, then I strongly
encourage including disambiguation for new flags.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPuyWWOc3iHYL8FknEQJvRwCfQjcFuBDOGOeEX86hqtsXSea1pbsAoJH5
I/n8ZbzEHQnJpqme/AKOwVMo
=XT3/
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Sun Jun 15 17:28:28 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA11331
	for <openpgp-archive@lists.ietf.org>; Sun, 15 Jun 2003 17:28:27 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FLBGrb035118
	for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 14:11:16 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5FLBGGv035117
	for ietf-openpgp-bks; Sun, 15 Jun 2003 14:11:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FLBFrb035108
	for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 14:11:15 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5FLBCb10813
	for ietf-openpgp@imc.org; Sun, 15 Jun 2003 17:11:12 -0400
Date: Sun, 15 Jun 2003 17:11:11 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
Message-ID: <20030615211111.GA7586@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <87ptlrtxa5.fsf@alberti.g10code.de> <200306151208.42675@fortytwo.ch> <20030615131946.GE28548@jabberwocky.com> <003901c33356$4e3e0fc0$c23fa8c0@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <003901c33356$4e3e0fc0$c23fa8c0@transarc.ibm.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (98% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jun 15, 2003 at 11:53:44AM -0400, Michael Young wrote:

> But, new flags can be structured to disambiguate new revisions
> from old.  For example, here we can add two bits:
>        0x20 - This key may be used for authentication.
>        0x40 - (Bit 0x20 is explicitly set.)
> Old signatures would have a zero in 0x40, so a new application
> can apply its own default (rather than having one imposed by
> the specification).  New signatures that actively decide on the
> value for the 0x20 bit must set 0x40.  (A new signer could also
> choose to accept the viewer's default by leaving 0x40 zero.)

I don't think this is really necessary.  The lack of a given flag
being set doesn't necessarily mean that the key *isn't* used for the
respective action.  The draft even uses the phrase "...stating a
preference...".

If anyone cares enough, they can certainly re-issue the signature with
the flag set.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7ODv4mZch0nhy8kRAjvYAJ9JLGOSm0IBYq8sOQks5UGpRLBJYACgg2VF
CPgCU3u+sVAk9/AoIoC8L88=
=ex0m
-----END PGP SIGNATURE-----
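Michael Young's point that the flag list can grow without growing in length, and the two readings of a clear bit in his message and David Shaw's reply (a deliberate choice versus a signer who predates the bit, or simply "no preference stated"), can be made concrete with a small parser. The following is an added example, not from the draft or from any OpenPGP implementation. The subpacket header encoding (1-, 2- or 5-octet length followed by the type octet, Key Flags being type 27) is the OpenPGP signature-subpacket format; 0x20 is the bit proposed in the thread, 0x40 is Young's proposed companion bit and not an assigned flag, and the sample subpackets are constructed.

```python
"""Key Flags subpacket: growable octet string, and two readings of a clear bit.

Added example, not code from the draft or any implementation. Bit 0x40 is
the companion bit proposed in the thread, not an assigned OpenPGP flag.
"""
from typing import Tuple

SUBPKT_KEY_FLAGS = 27
KF_SIGN = 0x02
KF_AUTH = 0x20            # proposed in the thread
KF_AUTH_EXPLICIT = 0x40   # proposed companion bit: "0x20 was deliberately set or cleared"


def parse_subpacket(data: bytes) -> Tuple[int, bytes, int]:
    """Return (type, body, octets consumed) for one signature subpacket."""
    first = data[0]
    if first < 192:
        length, off = first, 1
    elif first < 255:
        length, off = ((first - 192) << 8) + data[1] + 192, 2
    else:
        length, off = int.from_bytes(data[1:5], "big"), 5
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated subpacket")
    # the length covers the type octet plus the flag octets
    return body[0], body[1:], off + length


def flag_set(key_flags: bytes, octet: int, mask: int) -> bool:
    """Flags are a growable octet string: an octet the signer never wrote reads as
    zero, so a new bit in an existing octet looks the same on an old signature."""
    return octet < len(key_flags) and bool(key_flags[octet] & mask)


def auth_preference(key_flags: bytes) -> str:
    """Single-bit reading: a set flag states a preference; a clear flag says nothing."""
    return "preferred" if flag_set(key_flags, 0, KF_AUTH) else "no preference stated"


def auth_intent(key_flags: bytes) -> str:
    """Two-bit reading: 0x40 clear means the signer never decided, so the viewer
    applies its own default; 0x40 set makes 0x20 a deliberate allow or deny."""
    if not flag_set(key_flags, 0, KF_AUTH_EXPLICIT):
        return "unspecified"
    return "allowed" if flag_set(key_flags, 0, KF_AUTH) else "denied"


# Constructed subpackets: [length][type=27][flag octets...]
OLD_SIGNER = b"\x02\x1b\x02"      # sign-only key from a signer who predates 0x20
NEW_ALLOW = b"\x02\x1b\x62"       # 0x40 | 0x20 | 0x02
NEW_DENY = b"\x02\x1b\x42"        # 0x40 | 0x02: authentication deliberately withheld
TWO_OCTETS = b"\x03\x1b\x02\x01"  # a second flag octet; a reader expecting one sees zero

if __name__ == "__main__":
    for name, pkt in (("old signer", OLD_SIGNER), ("new, allow", NEW_ALLOW), ("new, deny", NEW_DENY)):
        _, flags, _ = parse_subpacket(pkt)
        print(f"{name}: preference={auth_preference(flags)!r} intent={auth_intent(flags)!r}")
```

Under the single-bit reading the old signer and the deliberate deny are indistinguishable; under the two-bit reading they separate, at the cost of a second bit that every new signer must remember to set.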


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 03:59:24 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA04791
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 03:59:24 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G7efrb068305
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 00:40:41 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5G7ef02068304
	for ietf-openpgp-bks; Mon, 16 Jun 2003 00:40:41 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G7ecrb068257
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 00:40:39 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-08-25.cyberia.net.lb ([195.112.205.26])
          by sand.cyberia.net.lb with SMTP
          id <20030616073607.LXSZ3447.sand@ppp-08-25.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 10:36:07 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 10:21:57 +0200
Message-ID: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com>
References: <87ptlrtxa5.fsf@alberti.g10code.de>
In-Reply-To: <87ptlrtxa5.fsf@alberti.g10code.de>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5G7eerb068297
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 06 Jun 2003 10:39:30 +0200, you wrote:

>
>Hi!
>
>I know that we are short of releasing a new RFC and bis-08 looks
>really good.  Due to the project I am currently working on I'd like to
>suggest a small enhancement:
>
> 5.2.3.21. Key Flags
>
>     [...]   
>
>     0x20 - This key may be used for authentication.
>
>Usage notes are not necessary and it should be left to an
>implementation on how to handle this key flag.
>
>There are drafts and actual implementations to use OpenPGP keys with
>TLS and ssh.  Thus, having a subkey specially for this purpose seems
>to be a good idea.  A key with key flag 0x02 (sign data) could be used
>for authentication too but this has the problem that there would be no
>easy way to select the appropriate subkey for data signing or
>authentication purposes.  As a workaround an implementation could use
>notation data but this would be implementation dependent and a kind of
>hack.
>
>What do you think?
>
Hello Werner,

This is what I think:-

Why not just create a key dedicated for the purposes of TLS or SSH?

I would like to propose that signing sub keys be disallowed in OpenPGP.

While an encryption key concerns the key holder, a signing key is
of concern to others.  PGP users identify keys and publicize theirs
by the master key ID and fingerprint.  These are also the primary keys
used by key servers.

As I understand it, sub keys are only justified in the following
circumstances:-
1) When the public key algorithm does not support encryption (e.g. DSA).
2) In agreement with a school of thought, which recommends that
   it is good practice not to use the same key for signing and
   encryption.

Any other arguments beyond the above are just eccentricities,
and will be better addressed by creating another key.

Therefore, for the sake of simplicity, please permit me to propose
that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
suitable for signing, and ONE optional encryption sub key of an
OpenPGP public key algorithm suitable for encryption PERIOD.

It is evident that sub keys seem to be evolving beyond their
intended use.  Let's clean up that mess before it is too late.

What do you think?
>
>  Werner

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----
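
As an added example (not code from this thread, from GnuPG or from any OpenPGP implementation), the Python below encodes and decodes a Key Flags subpacket the way Werner's proposed 0x20 authentication flag (quoted above) and Michael Young's proposed 0x40 "explicitly set" marker (quoted in David Shaw's reply earlier in the thread) would interact, and then shows why a separate authentication flag is needed to pick the right subkey. The 0x40 bit, the subpacket helpers and the key IDs are assumptions made for illustration; the other bit values are the draft's Key Flags.

```python
KEY_FLAGS_SUBPACKET_TYPE = 27  # signature subpacket type number for Key Flags

# Key Flags bits from the draft's 5.2.3.21; 0x40 is Michael Young's proposed
# marker and is assumed here only to show how his scheme would behave.
CERTIFY = 0x01          # may certify other keys
SIGN = 0x02             # may sign data
ENCRYPT_COMMS = 0x04    # may encrypt communications
ENCRYPT_STORAGE = 0x08  # may encrypt storage
SPLIT_KEY = 0x10        # private component may have been secret-shared
AUTHENTICATE = 0x20     # may be used for authentication (Werner's proposal)
AUTH_EXPLICIT = 0x40    # "bit 0x20 was set deliberately" (Young's proposal)
SHARED_KEY = 0x80       # private key may be held by more than one person

_NAMED_BITS = (
    ("certify", CERTIFY), ("sign", SIGN),
    ("encrypt_comms", ENCRYPT_COMMS), ("encrypt_storage", ENCRYPT_STORAGE),
    ("split_key", SPLIT_KEY), ("shared_key", SHARED_KEY),
)


def build_key_flags_subpacket(flags: int) -> bytes:
    """Wrap one flags octet as a subpacket: length octet, type octet, body.
    The length counts the type octet plus the body; a single octet is
    enough because the total is far below 192."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("key flags must fit in one octet")
    body = bytes([flags])
    return bytes([1 + len(body), KEY_FLAGS_SUBPACKET_TYPE]) + body


def parse_key_flags_subpacket(data: bytes) -> int:
    """Return the flags octet from a one-octet-length Key Flags subpacket."""
    if len(data) < 3:
        raise ValueError("subpacket too short")
    length, sub_type = data[0], data[1]
    if length >= 192:
        raise ValueError("multi-octet lengths are out of scope here")
    if sub_type != KEY_FLAGS_SUBPACKET_TYPE:
        raise ValueError(f"not a Key Flags subpacket (type {sub_type})")
    if len(data) != 1 + length:
        raise ValueError("subpacket length mismatch")
    return data[2]


def encode_key_flags(authenticate=None, **caps: bool) -> int:
    """Build a flags octet. authenticate=True/False sets 0x40 and records
    the decision in 0x20; None leaves both clear, i.e. the signer defers
    to the viewer's default (the option Young's note mentions)."""
    flags = 0
    for name, bit in _NAMED_BITS:
        if caps.pop(name, False):
            flags |= bit
    if caps:
        raise ValueError(f"unknown capabilities: {sorted(caps)}")
    if authenticate is not None:
        flags |= AUTH_EXPLICIT
        if authenticate:
            flags |= AUTHENTICATE
    return flags


def decode_key_flags(flags: int, default_auth: bool = False) -> dict:
    """Interpret a flags octet under Young's rule: with 0x40 clear the
    signature predates the flag (or the signer chose not to decide), so the
    application's default applies instead of reading a clear 0x20 as "no"."""
    caps = {name: bool(flags & bit) for name, bit in _NAMED_BITS}
    if flags & AUTH_EXPLICIT:
        caps["authenticate"] = bool(flags & AUTHENTICATE)
        caps["auth_decided_by"] = "signer"
    else:
        caps["authenticate"] = default_auth
        caps["auth_decided_by"] = "application default"
    return caps


def select_subkey(subkeys, purpose: str, default_auth: bool = False):
    """Return the first key ID in `subkeys` (list of (key_id, subpacket
    bytes)) usable for `purpose`. Shows Werner's point: without a distinct
    authentication flag a sign-only subkey is indistinguishable from one
    meant for ssh/TLS, so a permissive default grabs the wrong key."""
    for key_id, subpacket in subkeys:
        flags = parse_key_flags_subpacket(subpacket)
        if decode_key_flags(flags, default_auth).get(purpose):
            return key_id
    return None


# Constructed keyring with placeholder key IDs, not real keys.
EXAMPLE_SUBKEYS = [
    ("SIGN-SUBKEY", build_key_flags_subpacket(encode_key_flags(sign=True))),
    ("ENC-SUBKEY", build_key_flags_subpacket(
        encode_key_flags(encrypt_comms=True, encrypt_storage=True))),
    ("AUTH-SUBKEY", build_key_flags_subpacket(encode_key_flags(authenticate=True))),
]

if __name__ == "__main__":
    for key_id, sp in EXAMPLE_SUBKEYS:
        print(key_id, sp.hex(), decode_key_flags(parse_key_flags_subpacket(sp)))
    print("auth ->", select_subkey(EXAMPLE_SUBKEYS, "authenticate"))  # AUTH-SUBKEY
    print("auth, permissive default ->",
          select_subkey(EXAMPLE_SUBKEYS, "authenticate", True))  # SIGN-SUBKEY
```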




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 04:32:59 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA05450
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 04:32:59 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G8IIrb076772
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 01:18:18 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5G8IIWj076771
	for ietf-openpgp-bks; Mon, 16 Jun 2003 01:18:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h5G8IGrb076763
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 01:18:17 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.08100-0@bells.cs.ucl.ac.uk>;
          Mon, 16 Jun 2003 09:18:12 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 09:18:09 +0100
Message-ID: <003901c333df$d2b95230$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5G8IHrb076766
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


Imad R. Faiad wrote:
> I would like to propose that signing sub keys be disallowed 
> in OpenPGP.

This would stop people keeping their master signing key on a more secure
offline machine, and using it to sign shorter-lifetime signing subkeys
which can be used on a day-to-day basis to sign messages :(

> As I understand it, sub keys are only justified in the following
> circumstances:-
> 1) When the public key algorithm does not support encryption 
> (e.g. DSA).
> 2) In agreement with a school of thought, which recommends that
>    it is good practice not to use the same key for signing and
>    encryption.

(2) is vital in countries where decryption but not signature keys can be
seized by law enforcement agencies and others:
http://www.acsac.org/2000/papers/47.pdf

> Any other arguments beyond the above, are just 
> eccentricities, and will be better addressed by creating another key.

Another "eccentricity" I am fond of is short-lifetime encryption subkeys
that can be deleted once they have expired, reducing the impact of the
above-mentioned key seizure powers. I currently (manually) generate such
keys valid for one month; if I ever got round to automating this, I
would go for a week or less...
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA127BBD5





From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 06:13:40 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA07303
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 06:13:39 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G9vxrb088361
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 02:57:59 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5G9vw7R088360
	for ietf-openpgp-bks; Mon, 16 Jun 2003 02:57:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G9vurb088355
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 02:57:57 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19Rqed-0006hS-00
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 11:51:59 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19Rqii-0000Jy-00; Mon, 16 Jun 2003 11:56:12 +0200
To: Ian Brown <I.Brown@cs.ucl.ac.uk>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        ietf-openpgp <ietf-openpgp@imc.org>
Subject: Re: OpenPGP Sub Keys
References: <003901c333df$d2b95230$39632352@happy>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Mon, 16 Jun 2003 11:56:08 +0200
In-Reply-To: <003901c333df$d2b95230$39632352@happy> (Ian Brown's message of
 "Mon, 16 Jun 2003 09:18:09 +0100")
Message-ID: <87vfv6tkg7.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Mon, 16 Jun 2003 09:18:09 +0100, Ian Brown said:

> This would stop people keeping their master signing key on a more secure
> offline machine, and using it to sign shorter-lifetime signing subkeys
> which can be used on a day-to-day basis to sign messages :(

That is exactly what I would like to do.  Today I still use a separate
certification key but it is a problem WoT-wise and annoying to tell
people how to send me encrypted mail, because they usually have
problems with the sign-only certification key.


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 08:01:24 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA09398
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 08:01:24 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBeZrb094436
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 04:40:35 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GBeZgm094435
	for ietf-openpgp-bks; Mon, 16 Jun 2003 04:40:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb ([195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBeXrb094398
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 04:40:34 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-14-93.cyberia.net.lb ([195.112.197.159])
          by sand.cyberia.net.lb with SMTP
          id <20030616113453.MHUS3447.sand@ppp-14-93.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 14:34:53 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 14:20:42 +0200
Message-ID: <b7drevs4q4hdo8oeku89gki1o2rsab6qo0@4ax.com>
References: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com> <003901c333df$d2b95230$39632352@happy>
In-Reply-To: <003901c333df$d2b95230$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GBeYrb094431
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

On Mon, 16 Jun 2003 09:18:09 +0100, you wrote:

>Imad R. Faiad wrote:
>> I would like to propose that signing sub keys be disallowed 
>> in OpenPGP.
>
>This would stop people keeping their master signing key on a more secure
>offline machine, and using it to sign shorter-lifetime signing subkeys
>which can be used on a day-to-day basis to sign messages :(
>
If you are so paranoid, why don't you keep all your PGP keys
in a "more secure offline machine" and use PGP solely on it?
Should you have a need for shorter-lifetime signing keys,
just generate master keys explicitly for that purpose.
>> As I understand it, sub keys are only justified in the following
>> circumstances:-
>> 1) When the public key algorithm does not support encryption 
>> (e.g. DSA).
>> 2) In agreement with a school of thought, which recommends that
>>    it is good practice not to use the same key for signing and
>>    encryption.
>
>(2) is vital in countries where decryption but not signature keys can be
>seized by law enforcement agencies and others:
>http://www.acsac.org/2000/papers/47.pdf
>
If indeed you have such needs, there is nothing to preclude you from generating
two distinct keys, one for signing and the other for encryption.
>> Any other arguments beyond the above, are just 
>> eccentricities, and will be better addressed by creating another key.
>
>Another "eccentricity" I am fond of is short-lifetime encryption subkeys
>that can be deleted once they have expired, reducing the impact of the
>above-mentioned key seizure powers. I currently (manually) generate such
>keys valid for one month; if I ever got round to automating this, I
>would go for a week or less...
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA127BBD5
>
I think there is a very serious flaw in the OpenPGP WOT when
it comes to v4 keys, sub keys literally have blown a hole in it,
and created a nice backdoor resulting in what I call a Web of Mistrust...

Whatever one feels about sub keys, I think that this WOT
issue ought to be addressed.

my 2c

Best Regards

Imad R. Faiad


-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 08:08:04 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA09697
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 08:08:03 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBmkrb095027
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 04:48:46 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GBmkIr095026
	for ietf-openpgp-bks; Mon, 16 Jun 2003 04:48:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBmirb095021
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 04:48:45 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-14-93.cyberia.net.lb ([195.112.197.159])
          by sand.cyberia.net.lb with SMTP
          id <20030616114419.MIDN3447.sand@ppp-14-93.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 14:44:19 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 14:30:08 +0200
Message-ID: <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com>
References: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com> <003901c333df$d2b95230$39632352@happy>
In-Reply-To: <003901c333df$d2b95230$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GBmjrb095022
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Ian,

On Mon, 16 Jun 2003 09:18:09 +0100, you wrote:

>Imad R. Faiad wrote:
>> I would like to propose that signing sub keys be disallowed 
>> in OpenPGP.
>
>This would stop people keeping their master signing key on a more secure
>offline machine, and using it to sign shorter-lifetime signing subkeys
>which can be used on a day-to-day basis to sign messages :(
>
Let me add, and no offence of course, from the fact that you are
relegating those short-lifetime signing sub keys to a less secure
environment, I infer that you have no confidence in them, so how
do you expect others to trust such keys, or signatures generated
by them for that matter?  You might as well not sign at all.

my 2c

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 08:55:19 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA12320
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 08:55:18 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GCZPrb096274
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 05:35:25 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GCZO4m096273
	for ietf-openpgp-bks; Mon, 16 Jun 2003 05:35:24 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h5GCZNrb096268
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 05:35:23 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.03625-0@bells.cs.ucl.ac.uk>;
          Mon, 16 Jun 2003 13:35:21 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 13:35:21 +0100
Message-ID: <006201c33403$c11263e0$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <b7drevs4q4hdo8oeku89gki1o2rsab6qo0@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


> If you are so paranoid, why don't you keep all your PGP keys
> in a "more secure offline machine" and use PGP solely on it? 

Because for the vast majority of messages that I send, the increased
security would not be worth the extra effort. Whereas the compromise of
a key used to certify other keys has a much greater effect, and so to
many people it would.

> Should you have a need for shorter-lifetime signing keys, 
> just generate master keys explicitly for that purpose.

The point of the master key/subkey structure is that you shouldn't have
to do this, with the Web of Trust complications it introduces -- as
Werner said.

> If indeed you have such needs, there is nothing to preclude 
> from generating two distinct keys, one for signing and the 
> other for encryption.

Nor is there anything to preclude me using the existing master
key/subkey structure to do this.

> Let me add, and no offence of course, from the fact that you 
> are relegating those short-lifetime signing sub keys to a 
> less secure environment, I infer that you have no confidence 
> in them,

Confidence is not a binary issue. I trust the environment they are used
in less; therefore I would give them a shorter lifetime, so that their
compromise would have a smaller impact.

Ian.




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 09:47:59 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA13792
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 09:47:58 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDRbrb099444
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:27:37 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GDRbXw099443
	for ietf-openpgp-bks; Mon, 16 Jun 2003 06:27:37 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail1.wiktel.com (mail1.wiktel.com [204.221.145.7])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDRZrb099438
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:27:36 -0700 (PDT)
	(envelope-from rlaager@wiktel.com)
Received: from NB1131 (unverified [206.9.80.4]) by wiktel.com
 (Rockliffe SMTPRA 5.3.4) with ESMTP id <B0001131360@mail1.wiktel.com>;
 Mon, 16 Jun 2003 08:27:41 -0500
From: "Richard Laager" <rlaager@wiktel.com>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>
Cc: <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 08:27:40 -0500
Organization: Wikstrom Telecom Internet
Message-ID: <000601c3340b$0fc81000$b3000a0a@umcrookston.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
In-Reply-To: <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Let me add, and no offence of course, from the fact that you are
> relegating those short-lifetime signing sub keys to a less secure
> environment, I infer that you have no confidence in them, so how
> do you expect others to trust such keys, or signatures generated
> by them for that matter?  You might as well not sign at all.

Less secure = less confidence != no confidence. Here's an example
(fictional, but this is what I would do if I could):

I store my long term primary key on a floppy. When I need the primary key
(to create a new subkey or to sign another key), I do that signing on a
secure stand-alone workstation. When I'm not using that floppy, I store the
key off-site in a safe-deposit box. The less secure subkeys are stored on a
laptop. Now, I believe my laptop is secure, but it's subject to theft. If
it's stolen, I can simply revoke that signing subkey. Now, what happens if
I leave for a lunch break and someone steals my signing subkey? If I notice
it, I can revoke the subkey. By having short-term subkeys, I can limit the
number of legitimate signatures that are invalidated by this. Also, if the
subkey expires in a week or month, the attacker will have to repeat the
subkey theft. This increases their chances of getting caught.

This is no worse than people who keep their primary key on said laptop and
use it for signing. It's quite obviously more secure.

Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPu3Fym31OrleHxvOEQJI1gCgseinuSwV8uDA3hYuQiVOmKT8VXcAoObj
ddCi+kWnU3Z6TvvsOBeZrmB9
=KM1m
-----END PGP SIGNATURE-----



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 09:49:54 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA13881
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 09:49:53 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDVZrb099678
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:31:35 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GDVZBt099677
	for ietf-openpgp-bks; Mon, 16 Jun 2003 06:31:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDVXrb099672
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:31:34 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h5GDVSbu027513;
	Mon, 16 Jun 2003 09:31:28 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
	by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5GDVR8S011123;
	Mon, 16 Jun 2003 09:31:27 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5GDVQU8011893;
	Mon, 16 Jun 2003 09:31:26 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id JAA12913; Mon, 16 Jun 2003 09:31:26 -0400 (EDT)
To: Ian Brown <I.Brown@cs.ucl.ac.uk>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        ietf-openpgp <ietf-openpgp@imc.org>
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
References: <003901c333df$d2b95230$39632352@happy>
From: Derek Atkins <warlord@MIT.EDU>
Date: 16 Jun 2003 09:31:26 -0400
In-Reply-To: <003901c333df$d2b95230$39632352@happy>
Message-ID: <sjm1xxu5ett.fsf@kikki.mit.edu>
Lines: 17
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Ian Brown <I.Brown@cs.ucl.ac.uk> writes:

> Another "eccentricity" I am fond of is short-lifetime encryption subkeys
> that can be deleted once they have expired, reducing the impact of the
> above-mentioned key seizure powers. I currently (manually) generate such
> keys valid for one month; if I ever got round to automating this, I
> would go for a week or less...
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA127BBD5

You clearly don't archive your encrypted email...

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 09:51:32 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA13930
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 09:51:31 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDcdrb099848
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:38:39 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GDcd2b099847
	for ietf-openpgp-bks; Mon, 16 Jun 2003 06:38:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h5GDccrb099841
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:38:38 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.10353-0@bells.cs.ucl.ac.uk>;
          Mon, 16 Jun 2003 14:38:25 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Derek Atkins'" <warlord@MIT.EDU>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        "'ietf-openpgp'" <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 14:38:25 +0100
Message-ID: <008b01c3340c$9070cf70$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <sjm1xxu5ett.fsf@kikki.mit.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


> You clearly don't archive your encrypted email...

Indeed -- I decrypt messages before saving them (and use separate
storage encryption to protect the mail store.) Nor do I save every
message sent and received (which I know some people do).




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 10:22:11 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA15709
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 10:22:10 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDvurb001169
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:57:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GDvuJP001168
	for ietf-openpgp-bks; Mon, 16 Jun 2003 06:57:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDvrrb001160
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:57:54 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19RuOw-0000Qu-00
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 15:52:02 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19RuVQ-0001ES-00; Mon, 16 Jun 2003 15:58:44 +0200
To: "Imad R. Faiad" <matic@cyberia.net.lb>
Cc: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys
References: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com>
	<003901c333df$d2b95230$39632352@happy>
	<1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Mon, 16 Jun 2003 15:58:40 +0200
In-Reply-To: <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com> (Imad R. Faiad's
 message of "Mon, 16 Jun 2003 14:30:08 +0200")
Message-ID: <87adcit97z.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Mon, 16 Jun 2003 14:30:08 +0200, Imad R Faiad said:

> Let me add, and no offence of course, from the fact that you are
> relegating those short-lifetime signing sub keys to a less secure
> environment, I infer that you have no confidence in them, so how

There is a huge difference in chances to get compromised between a
networked and daily used box and a non-networked box somewhere else
used only for certification.  You can't remotely attack that
certification box as long as you take simple precautions like
transferring the data on a floppy etc.

All software has bugs and there are almost always known or not yet
known exploits.  Cutting the connection to a possible attacker by
manually transferring data is a sound precaution against most exploits
- it would be a bit annoying for the bulk of everyday work, though.


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 10:42:24 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA16621
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 10:42:23 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GEMCrb004935
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 07:22:12 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GEMCsf004934
	for ietf-openpgp-bks; Mon, 16 Jun 2003 07:22:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GEMArb004926
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 07:22:11 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82])
	by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h5GEM5bu012975;
	Mon, 16 Jun 2003 10:22:05 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5GEM4qA008041;
	Mon, 16 Jun 2003 10:22:04 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h5GELvFJ009655;
	Mon, 16 Jun 2003 10:22:04 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id KAA12999; Mon, 16 Jun 2003 10:21:57 -0400 (EDT)
To: Ian Brown <I.Brown@cs.ucl.ac.uk>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        "'ietf-openpgp'" <ietf-openpgp@imc.org>
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
References: <008b01c3340c$9070cf70$39632352@happy>
From: Derek Atkins <warlord@MIT.EDU>
Date: 16 Jun 2003 10:21:57 -0400
In-Reply-To: <008b01c3340c$9070cf70$39632352@happy>
Message-ID: <sjmof0y3xx6.fsf@kikki.mit.edu>
Lines: 22
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Ian Brown <I.Brown@cs.ucl.ac.uk> writes:

> > You clearly don't archive your encrypted email...
> 
> Indeed -- I decrypt messages before saving them (and use separate
> storage encryption to protect the mail store.) Nor do I save every
> message sent and received (which I know some people do).

I've still got messages encrypted with PGP 2.0 sitting in my
mail storage.  The pgp encryption is better than any disk
encryption I could get -- especially considering that I don't
maintain my disk storage or backups myself. ;)

The wonders of "distributed computing"...

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 11:33:00 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA17967
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 11:32:59 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFCqrb007248
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 08:12:52 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GFCqdq007247
	for ietf-openpgp-bks; Mon, 16 Jun 2003 08:12:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFCorb007227
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 08:12:51 -0700 (PDT)
	(envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk)
	by mercury.ex.ac.uk with esmtp (Exim 4.14)
	id 19Rvf4-00Zk4I-Dy; Mon, 16 Jun 2003 16:12:46 +0100
Date: Mon, 16 Jun 2003 16:12:35 +0100
From: Adam Back <adam@cypherspace.org>
To: Derek Atkins <warlord@MIT.EDU>
Cc: Ian Brown <I.Brown@cs.ucl.ac.uk>, "'ietf-openpgp'" <ietf-openpgp@imc.org>,
        Adam Back <adam@cypherspace.org>
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Message-ID: <20030616161235.A11815740@exeter.ac.uk>
References: <008b01c3340c$9070cf70$39632352@happy> <sjmof0y3xx6.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <sjmof0y3xx6.fsf@kikki.mit.edu>; from warlord@MIT.EDU on Mon, Jun 16, 2003 at 10:21:57AM -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


The format of your mail storage encryption is an orthogonal issue.  (If
you prefer it there is nothing stopping you protecting your mailbox as
a whole, or mails within it, with pgp formats).  Just decrypt with the
communications private key and re-encrypt with the storage public key,
or symmetric key (it is after all a message to yourself where public
key is not necessarily needed).

In this way you have separated the key management of storage keys vs
communications keys vs signing keys.  Storage keys and signing keys it
is usually convenient to have long lived.  Encryption keys it is more
secure to have short lived.  (Think forward secrecy.)

The fact that your storage key is necessarily long lived presents a
much lesser risk: to make use of storage decryption keys, the attacker
first has to seize your machine (or in your case ask the university /
ISP for the encrypted mailbox).  Encrypted emails on the other hand
can be eavesdropped by the ISP, hackers and law-enforcement.  There
are many people who use their PGP keys only on systems they control.

There are at least 3 different ways to achieve storage encryption:
store the mailbox in an encrypted filesystem (convenient on linux,
windows etc); decrypt and re-encrypt (with a storage key) each mail as
you read it storing the modified re-encrypted mail back in the
mailbox; find or patch a mail client to automatically work from PGP
(or otherwise) storage key encrypted mail box.


If on the other hand you rely on message encryption to protect your
mail, you have to retain the corresponding private key essentially
indefinitely, which is a long term security risk.  Were the key you
have since 2.0 days compromised and someone were out to get you,
they'd get every mail you ever received since 91 or 92.  I'd argue
that this is a bad idea, but I guess it depends on your perceived
threats.  For me at least I intentionally revoked and deleted the
private key of my older key to achieve forward secrecy.  (First I had
to re-encrypt a few things encrypted with it).

Adam

On Mon, Jun 16, 2003 at 10:21:57AM -0400, Derek Atkins wrote:
> 
> Ian Brown <I.Brown@cs.ucl.ac.uk> writes:
> 
> > > You clearly don't archive your encrypted email...
> > 
> > Indeed -- I decrypt messages before saving them (and use separate
> > storage encryption to protect the mail store.) Nor do I save every
> > message sent and received (which I know some people do).
> 
> I've still got messages encrypted with PGP 2.0 sitting in my
> mail storage.  The pgp encryption is better than any disk
> encryption I could get -- especially considering that I don't
> maintain my disk storage or backups myself. ;)
> 
> The wonders of "distributed computing"...


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 12:06:02 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA19205
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 12:06:01 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFnDrb008304
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 08:49:13 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GFnDZH008303
	for ietf-openpgp-bks; Mon, 16 Jun 2003 08:49:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb ([195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFnBrb008249
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 08:49:11 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-12-71.cyberia.net.lb ([195.112.203.72])
          by sand.cyberia.net.lb with SMTP
          id <20030616154356.MQTN3447.sand@ppp-12-71.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:43:56 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 18:29:46 +0200
Message-ID: <p3srev0mlipsk4e49ij9t0o3mm0fr6fba3@4ax.com>
References: <sjm1xxu5ett.fsf@kikki.mit.edu> <008b01c3340c$9070cf70$39632352@happy>
In-Reply-To: <008b01c3340c$9070cf70$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GFnCrb008296
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Ian,

Now, this defeats the purpose of your "short-lifetime encryption
subkeys"!

You are assuming that law enforcers are inept morons!

This is a false sense of security.

Unless you can outsmart them, which very few can indeed,
never contemplate circumventing the law by resorting
to such naive tricks.  The mere fact that they are being
discussed in a public forum such as this makes them useless.
I am sure that those authorized to seize Keys would
have been trained to spot all sorts of techniques that
a key holder will resort to in order to frustrate their effort.

Do yourself a favor, and don't ever use this technique
again, it is now public knowledge!

my 2c

Best Regards

Imad R. Faiad

On Mon, 16 Jun 2003 14:38:25 +0100, you wrote:

>
>> You clearly don't archive your encrypted email...
>
>Indeed -- I decrypt messages before saving them (and use separate
>storage encryption to protect the mail store.) Nor do I save every
>message sent and received (which I know some people do).
>

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 12:06:32 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA19276
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 12:06:32 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFmwrb008277
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 08:48:58 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GFmwrc008276
	for ietf-openpgp-bks; Mon, 16 Jun 2003 08:48:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb ([195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFmurb008238
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 08:48:56 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-12-71.cyberia.net.lb ([195.112.203.72])
          by sand.cyberia.net.lb with SMTP
          id <20030616154317.MQTF3447.sand@ppp-12-71.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:43:17 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 18:29:06 +0200
Message-ID: <5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com>
References: <sjm1xxu5ett.fsf@kikki.mit.edu> <008b01c3340c$9070cf70$39632352@happy>
In-Reply-To: <008b01c3340c$9070cf70$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GFmvrb008272
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Ian,

Now, this defeats the purpose of your "short-lifetime encryption
subkeys"!

You are assuming that law enforcers are inept morons!

This is a false sense of security.

Unless you can outsmart them, which very few can indeed,
never contemplate circumventing the law by resorting
to such naive tricks.  The mere fact that they are being
discussed in a public forum such as this makes them useless.
I am sure that those authorized to seize Keys would
have been trained to spot all sorts of techniques that
a key holder will resort to in order to frustrate their effort.

Do yourself a favor, and don't ever use this technique
again, it is now public knowledge!

my 2c

Best Regards

Imad R. Faiad

On Mon, 16 Jun 2003 14:38:25 +0100, you wrote:

>
>> You clearly don't archive your encrypted email...
>
>Indeed -- I decrypt messages before saving them (and use separate
>storage encryption to protect the mail store.) Nor do I save every
>message sent and received (which I know some people do).
>

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 12:32:23 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA20040
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 12:32:23 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GGD6rb009211
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 09:13:06 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GGD6LD009210
	for ietf-openpgp-bks; Mon, 16 Jun 2003 09:13:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h5GGD4rb009200
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 09:13:05 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.26373-0@bells.cs.ucl.ac.uk>;
          Mon, 16 Jun 2003 17:12:56 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>
Cc: ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 17:12:57 +0100
Message-ID: <00cc01c33422$26d791a0$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <p3srev0mlipsk4e49ij9t0o3mm0fr6fba3@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


> You are assuming that law enforcers are inept morons!

Nope. But if you no longer have a specific private key yourself, it
can't be seized no matter what rubber-hose cryptanalysis is applied.
Therefore any ciphertext that has previously been captured on-the-wire
cannot be decrypted.

Any message that you still have stored can be requisitioned. As I said,
I don't keep the majority of messages for any length of time.

>The mere fact that they are being discussed in a public forum 
>such as this makes them useless.

You obviously didn't read them carefully enough.




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 12:56:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA20869
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 12:56:45 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GGbsrb012861
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 09:37:54 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GGbsWr012859
	for ietf-openpgp-bks; Mon, 16 Jun 2003 09:37:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GGbprb012850
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 09:37:52 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19Rwtk-0005X6-00
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:32:00 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19Rwzg-0001RU-00; Mon, 16 Jun 2003 18:38:08 +0200
To: "Imad R. Faiad" <matic@cyberia.net.lb>
Cc: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys
References: <sjm1xxu5ett.fsf@kikki.mit.edu>
	<008b01c3340c$9070cf70$39632352@happy>
	<5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Mon, 16 Jun 2003 18:38:08 +0200
In-Reply-To: <5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com> (Imad R. Faiad's
 message of "Mon, 16 Jun 2003 18:29:06 +0200")
Message-ID: <87of0yrn9r.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Mon, 16 Jun 2003 18:29:06 +0200, Imad R Faiad said:

> You are assuming that law enforcers are inept morons!

It is a matter of the law and the loopholes it has.  IIRC, the British
RIP act does not allow them to seize a computer but allows a police
officer to demand the decryption key for a message they have
intercepted or somehow else got access to.  There is even no need to
pass them the entire PGP key including the passphrase; there must
simply be a mechanism to decrypt a message they "own".  This is also
the reason GnuPG provides the --{show,override}-session-key options.

> Do yourself a favor, and don't ever use this technique
> again, it is now public knowledge!

I am pretty sure that Ian - who is FIPR director and co-author of the
PFS draft - knows very well what he is doing.


Salam-Shalom,

   Werner

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 17:52:28 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04449
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 17:52:27 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GLYerb024405
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 14:34:40 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GLYeOI024404
	for ietf-openpgp-bks; Mon, 16 Jun 2003 14:34:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GLYdrb024397
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 14:34:39 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45])
 by mtaout01.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HGL00ICPFXGMA@mtaout01.icomcast.net> for ietf-openpgp@imc.org;
 Mon, 16 Jun 2003 17:34:29 -0400 (EDT)
Date: Mon, 16 Jun 2003 14:34:26 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: PoP & Signer's User ID subpacket?
X-Sender: trevp00@pop.comcast.net
To: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT



I could be wrong, but it seems like PGP keysigning often happens without 
Proof-of-Possession of the corresponding private key.  For example, at PGP 
keysigning parties, I think it's common for people to attest that a 
fingerprint really belongs to them, but not have to produce signatures with 
the corresponding private key.

Is there a risk that Alice could trick someone into certifying that Bob's 
public key belongs to her?  Then someone receiving a signed message from 
Bob might incorrectly think it came from Alice.

Maybe, as a Security Consideration, the "Signer's User ID" subpacket should 
always be included in signatures.  If Bob always included this subpacket in 
his signatures, then no-one could be tricked into thinking Bob's signed 
messages really came from Alice.

Trevor 
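The suggestion above only helps a verifier that actually looks for the Signer's User ID subpacket (type 28 in RFC 2440) and only trusts it when it sits in the hashed subpacket area, since the unhashed area is not covered by the signature and could be rewritten in transit. The following is an added example, not code from the thread or from any OpenPGP implementation: a small parser for the subpacket areas of a v4 signature packet body, run over constructed sample bytes (the signature's hash prefix and MPIs are omitted because the parser never reaches them).

```python
"""Extract the Signer's User ID (subpacket type 28) from an OpenPGP v4
signature packet body, trusting only the hashed subpacket area.
Subpacket framing follows RFC 2440 section 5.2.3.1."""
import struct

SIGNER_USER_ID = 28     # RFC 2440: signer's user id
SIG_CREATION_TIME = 2   # RFC 2440: signature creation time
ISSUER_KEY_ID = 16      # RFC 2440: issuer key ID
CRITICAL_BIT = 0x80     # high bit of the subpacket type octet


def read_subpacket_length(buf, pos):
    """Decode a subpacket length; returns (length, position after it)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Split a subpacket area into (type, critical_flag, body) triples."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = read_subpacket_length(area, pos)
        # length covers the type octet plus the body, so zero is invalid
        if length == 0 or pos + length > len(area):
            raise ValueError("malformed subpacket area")
        tag = area[pos]
        out.append((tag & 0x7F, bool(tag & CRITICAL_BIT),
                    area[pos + 1:pos + length]))
        pos += length
    return out


def split_v4_signature_body(body):
    """Return (hashed_area, unhashed_area) of a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    # octets: version, sig type, pubkey alg, hash alg, 2-octet hashed count
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    return hashed, body[pos + 2:pos + 2 + unhashed_len]


def signer_user_id(body):
    """Return the Signer's User ID string, or None if it is absent from the
    hashed area. A copy in the unhashed area is deliberately ignored."""
    hashed, _unhashed = split_v4_signature_body(body)
    for sp_type, _critical, data in parse_subpackets(hashed):
        if sp_type == SIGNER_USER_ID:
            return data.decode("utf-8")
    return None


def encode_subpacket(sp_type, data, critical=False):
    """Encode one subpacket using the shortest valid length form."""
    n = len(data) + 1                      # body plus the type octet
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        n2 = n - 192
        hdr = bytes([(n2 >> 8) + 192, n2 & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([sp_type | (CRITICAL_BIT if critical else 0)]) + data


def build_v4_body(hashed_subpackets, unhashed_subpackets):
    """Constructed v4 signature body: sig type 0x00 (binary document),
    pubkey alg 1 (RSA), hash alg 2 (SHA-1), then the two subpacket areas."""
    hashed = b"".join(hashed_subpackets)
    unhashed = b"".join(unhashed_subpackets)
    return (bytes([4, 0x00, 1, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed)


# Constructed sample values (not real keys or signatures).
CREATION = encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", 1055772034))
ISSUER = encode_subpacket(ISSUER_KEY_ID, bytes.fromhex("0123456789abcdef"))

# Bob binds his user ID inside the hashed area: the verifier can rely on it.
GOOD_SIG = build_v4_body(
    [CREATION, encode_subpacket(SIGNER_USER_ID, b"Bob <bob@example.org>")],
    [ISSUER])

# A user ID placed only in the unhashed area is not signed and is ignored.
PLANTED_SIG = build_v4_body(
    [CREATION],
    [ISSUER, encode_subpacket(SIGNER_USER_ID, b"Alice <alice@example.org>")])

if __name__ == "__main__":
    print("good:", signer_user_id(GOOD_SIG))        # Bob <bob@example.org>
    print("planted:", signer_user_id(PLANTED_SIG))  # None
```

A real verifier would additionally compare the recovered string against the user IDs that are self-signed on the issuer's key, which is the check David Shaw's reply turns on.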



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 18:24:34 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA06618
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 18:24:33 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GM8Srb025039
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 15:08:28 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GM8Sk4025036
	for ietf-openpgp-bks; Mon, 16 Jun 2003 15:08:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GM8Rrb025030
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 15:08:27 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5GM8Ng22853
	for ietf-openpgp@imc.org; Mon, 16 Jun 2003 18:08:23 -0400
Date: Mon, 16 Jun 2003 18:08:23 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030616220823.GD20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 02:34:26PM -0700, Trevor Perrin wrote:

> I could be wrong, but it seems like PGP keysigning often happens without 
> Proof-of-Possession of the corresponding private key.  For example, at PGP 
> keysigning parties, I think it's common for people to attest that a 
> fingerprint really belongs to them, but not have to produce signatures with 
> the corresponding private key.

That is true.  Some people (like me) send a challenge to the email
address in the user ID, and require that the key owner sign the
challenge before I'll sign the key.  There are a few variations on
this basic idea, some more rigorous than others.

> Is there a risk that Alice could trick someone into certifying that Bob's 
> public key belongs to her?  Then someone receiving a signed message from 
> Bob might incorrectly think it came from Alice.

Not really, since when Charlie certifies key X, he isn't certifying
that it belongs to anyone other than the string in the user ID.
Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be a
problem ;)

Of course, it is possible for Alice to attach her own name to Bob's
key as a second user ID, but that user ID wouldn't be self-signed and
so it would be difficult to get someone else to sign it.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7j/X4mZch0nhy8kRAiDvAJ4z56NpKT36kiqPTwt7emS63xxJOACeOfpN
NR6yO0oWFrs032JQjE4E1As=
=z0lH
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 19:12:50 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA08099
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 19:12:49 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GMrtrb026520
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 15:53:55 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GMrtla026519
	for ietf-openpgp-bks; Mon, 16 Jun 2003 15:53:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GMrrrb026512
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 15:53:53 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45])
 by mtaout01.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HGL00JGSJKPJY@mtaout01.icomcast.net> for ietf-openpgp@imc.org;
 Mon, 16 Jun 2003 18:53:14 -0400 (EDT)
Date: Mon, 16 Jun 2003 15:53:11 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <20030616220823.GD20267@jabberwocky.com>
X-Sender: trevp00@pop.comcast.net
To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT


At 06:08 PM 6/16/2003 -0400, David Shaw wrote:


>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Mon, Jun 16, 2003 at 02:34:26PM -0700, Trevor Perrin wrote:
>
> > I could be wrong, but it seems like PGP keysigning often happens without
> > Proof-of-Possession of the corresponding private key.  For example, at PGP
> > keysigning parties, I think it's common for people to attest that a
> > fingerprint really belongs to them, but not have to produce signatures 
> with
> > the corresponding private key.
>
>That is true.  Some people (like me) send a challenge to the email
>address in the user ID, and require that the key owner sign the
>challenge before I'll sign the key.  There are a few variations on
>this basic idea, some more rigorous than others.
>
> > Is there a risk that Alice could trick someone into certifying that Bob's
> > public key belongs to her?  Then someone receiving a signed message from
> > Bob might incorrectly think it came from Alice.
>
>Not really, since when Charlie certifies key X, he isn't certifying
>that it belongs to anyone other than the string in the user ID.
>Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be a
>problem ;)
>
>Of course, it is possible for Alice to attach her own name to Bob's
>key as a second user ID, but that user ID wouldn't be self-signed and
>so it would be difficult to get someone else to sign it.

Probably Alice would first ditch Bob's self-signed user ID, then add her 
own name as an unsigned user ID.  How software would display that, and 
whether users would recognize the danger signs and not sign that, I dunno.

But here's another angle: suppose Alice gets someone to sign her legitimate 
primary signing key.  Then she signs Bob's public key as a subkey of her 
primary key.  So even if you've done a Proof-of-Possession check on Alice's 
primary key, she can possibly evade that by introducing a subkey.

I'm too lazy to spend a nice summer day testing this, but from the draft it 
seems like it might work.  So I still like encouraging use of the "Signer's 
User ID" subpacket in the Security Considerations.

Trevor 



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 19:41:01 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA08787
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 19:41:00 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GNNqrb027336
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 16:23:52 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5GNNqRT027335
	for ietf-openpgp-bks; Mon, 16 Jun 2003 16:23:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GNNprb027329
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 16:23:51 -0700 (PDT)
	(envelope-from hal@finney.org)
Received: (from hal@localhost)
	by finney.org (8.11.6/8.11.6) id h5GNMi411651
	for ietf-openpgp@imc.org; Mon, 16 Jun 2003 16:22:44 -0700
Date: Mon, 16 Jun 2003 16:22:44 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306162322.h5GNMi411651@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


How bad is it to make someone else think that a key is yours, when it
actually is not?  I.e. you have no idea what the private part is.

As Trevor points out, with subkeys especially, that's exactly the
situation.  The only key/person vouching for the ownership of the
subkey(s) is the master key and its owner.  Third-party certification
doesn't cover subkeys, and in fact subkeys can be added even after third
parties sign and certify the master key.

So what can you do with this?  If you claim someone else's encryption
key as your own, it would mean (A) you can't decrypt messages sent to
that key, and (B) someone else could.  (The important point is that it
does not allow the obvious attack of letting you read messages intended
for that person.)

I suppose this could be damaging to the sender in some contrived
scenarios: if the government monitored his outgoing email, they might
find him sending a message encrypted to Osama bin Laden's public key.
He would be the victim of a prank; someone else gave him a key which
had a match to ObL's encryption key on it.  But that's pretty far-fetched.

For signatures, it would mean that (A) you could not sign messages with
that key, and (B) someone else could.

This could mean that a message signed by someone else might appear to be
signed by you.  But that's not so significant, as you could have achieved
the same effect just by copying the plaintext of the message to be signed
and signing it with one of your own keys.  And this also might work to
your detriment, as you could be harmed by some signed statement issued
by someone else, on a key you claimed as your own.

So I don't think that either of these attacks is all that serious,
as long as people understand what they mean and don't draw unwarranted
conclusions.

Hal Finney


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 22:09:33 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA12769
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 22:09:32 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H1oqrb030220
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 18:50:52 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5H1oqRD030219
	for ietf-openpgp-bks; Mon, 16 Jun 2003 18:50:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.109])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H1oorb030212
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:50:51 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45])
 by mtaout05.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HGL00BC3RSFCN@mtaout05.icomcast.net> for ietf-openpgp@imc.org;
 Mon, 16 Jun 2003 21:50:39 -0400 (EDT)
Date: Mon, 16 Jun 2003 18:50:36 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <200306162322.h5GNMi411651@finney.org>
X-Sender: trevp00@pop.comcast.net
To: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT


At 04:22 PM 6/16/2003 -0700, Hal Finney wrote:


>How bad is it to make someone else think that a key is yours, when it
>actually is not?  I.e. you have no idea what the private part is.
>[...]
>This could mean that a message signed by someone else might appear to be
>signed by you.  But that's not so significant, as you could have achieved
>the same effect just by copying the plaintext of the message to be signed
>and signing it with one of your own keys.

If you have access to the plaintext - but if Bob sends Charlie a signed and 
encrypted message, and Charlie receives what looks like a signed and 
encrypted message from Alice, that's a neat trick on Alice's part, since 
she'll have effectively signed something she never saw.

For example, Charlie says "I'll give twenty bucks to whoever answers my 
riddle".  Alice doesn't know the answer, but makes Bob's signed and 
encrypted answer appear to come from her.

Something similar: what if Alice's signature subkey belongs to a primary 
key that also has an encryption subkey?  Suppose the signature subkey is 
really Bob's key, but the encryption subkey is legitimately Alice's.  Then 
if Charlie receives a message signed by Bob's signature key and containing 
corroborating info, so Charlie is convinced it really came from Bob, 
Charlie might leap to the false conclusion that Alice's encryption public 
key is also associated with Bob.  I.e.:

Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did you 
bury that treasure we stole?"  Charlie replies "If you're really Bob, 
what's our codeword?  And send it to me signed and encrypted, so I'll know 
which public key is yours."  So Bob does.  But Alice now slips Charlie a 
primary key that has Bob's public key as a signing subkey, and Alice's 
public key as an encryption subkey.  Charlie decrypts and verifies the 
message, and is satisfied that the owner of this primary key knows the 
codeword, and is "Bob".  So he encrypts the treasure map to Alice's public key.

In the "riddle" case, Charlie assumed a relation between the signing key 
and Alice's name which Alice could falsify.  In the "treasure" case, 
Charlie assumed a relation between the signing subkey and encryption subkey 
which Alice could falsify.

Before, I suggested adding the "Signer's User ID" subpacket into message 
signatures.  This would work in the "riddle" case, where Alice falsifies 
the name, but not in the "treasure" case, where Alice falsifies the 
relation between subkeys.  Maybe a message signature produced by a subkey 
should also contain a subpacket that gives the primary key ID, so an 
attacker can't present his primary key and someone else's subkey to verify 
someone else's signature.  Haven't really thought this through, though..

Trevor




From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 22:55:18 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA13763
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 22:55:17 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H2axrb031112
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 19:36:59 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5H2ax0I031111
	for ietf-openpgp-bks; Mon, 16 Jun 2003 19:36:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H2awrb031104
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 19:36:58 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5H2b0rT007216;
	Mon, 16 Jun 2003 22:37:00 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86])
	by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5H2axhH024498;
	Mon, 16 Jun 2003 22:36:59 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5H2awU8028930;
	Mon, 16 Jun 2003 22:36:58 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2)
	id WAA16026; Mon, 16 Jun 2003 22:36:58 -0400 (EDT)
To: Trevor Perrin <trevp@trevp.net>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
Date: 16 Jun 2003 22:36:58 -0400
In-Reply-To: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
Message-ID: <sjmy901whth.fsf@kikki.mit.edu>
Lines: 43
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Trevor Perrin <trevp@trevp.net> writes:

> Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> you bury that treasure we stole?"  Charlie replies "If you're really
> Bob, what's our codeword?  And send it to me signed and encrypted, so
> I'll know which public key is yours."  So Bob does.  But Alice now
> slips Charlie a primary key that has Bob's public key as a signing
> subkey, and Alice's public key as an encryption subkey.  Charlie
> decrypts and verifies the message, and is satisfied that the owner of
> this primary key knows the codeword, and is "Bob".  So he encrypts the
> treasure map to Alice's public key.

Except that Alice's subkey wouldn't have a self-signature by Bob's
primary key, so it shouldn't be accepted by Charlie as a valid subkey.

> In the "riddle" case, Charlie assumed a relation between the signing
> key and Alice's name which Alice could falsify.  In the "treasure"
> case, Charlie assumed a relation between the signing subkey and
> encryption subkey which Alice could falsify.

Except Alice cannot falsify without the help of Bob.  Why would
Bob sign Alice's subkey as her own?

> Before, I suggested adding the "Signer's User ID" subpacket into
> message signatures.  This would work in the "riddle" case, where Alice
> falsifies the name, but not in the "treasure" case, where Alice
> falsifies the relation between subkeys.  Maybe a message signature
> produced by a subkey should also contain a subpacket that gives the
> primary key ID, so an attacker can't present his primary key and
> someone else's subkey to verify someone else's signature.  Haven't
> really thought this through, though..

Without a self-signature on the subkey, how would it be accepted
as valid?

> Trevor

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 23:36:04 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA14977
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 23:36:03 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3FVrb032521
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 20:15:32 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5H3FV16032520
	for ietf-openpgp-bks; Mon, 16 Jun 2003 20:15:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3FTrb032515
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 20:15:30 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45])
 by mtaout04.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HGL00F97VKYE6@mtaout04.icomcast.net> for ietf-openpgp@imc.org;
 Mon, 16 Jun 2003 23:12:35 -0400 (EDT)
Date: Mon, 16 Jun 2003 20:12:32 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <sjmy901whth.fsf@kikki.mit.edu>
X-Sender: trevp00@pop.comcast.net
To: Derek Atkins <derek@ihtfp.com>
Cc: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616194039.03bdbab8@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT


At 10:36 PM 6/16/2003 -0400, Derek Atkins wrote:

>Trevor Perrin <trevp@trevp.net> writes:
>
> > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > you bury that treasure we stole?"  Charlie replies "If you're really
> > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > I'll know which public key is yours."  So Bob does.  But Alice now
> > slips Charlie a primary key that has Bob's public key as a signing
> > subkey, and Alice's public key as an encryption subkey.  Charlie
> > decrypts and verifies the message, and is satisfied that the owner of
> > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > treasure map to Alice's public key.
>
>Except that Alice's subkey wouldn't have a self-signature by Bob's
>primary key, so it shouldn't be accepted by Charlie as a valid subkey.

It would have a self-signature by Alice's primary key, but Charlie wouldn't 
know this was Alice's primary key and not Bob's.  In this example, I was 
assuming there's no web of trust, and Charlie doesn't otherwise know Bob's 
primary key.  Charlie is trying to authenticate Bob and determine Bob's 
keys, and knows that if Bob sends him (Charlie) a signed and encrypted 
message containing a "codeword" they both know, then the signing key must 
belong to Bob.

Charlie then makes the reasonable but wrong assumption that the primary key 
and the encryption subkey that he found associated with this signing subkey 
must also belong to Bob.

If the signature on the actual message contained the primary key ID, as a 
hashed subpacket, then an attacker wouldn't be able to associate her own 
primary key with Bob's signing key, so then Charlie's assumption would be 
correct.  I think.

Trevor 



From owner-ietf-openpgp@mail.imc.org  Mon Jun 16 23:40:23 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA15051
	for <openpgp-archive@lists.ietf.org>; Mon, 16 Jun 2003 23:40:22 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3NHrb032709
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 20:23:17 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5H3NHZ2032708
	for ietf-openpgp-bks; Mon, 16 Jun 2003 20:23:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3NDrb032702
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 20:23:16 -0700 (PDT)
	(envelope-from hal@finney.org)
Received: (from hal@localhost)
	by finney.org (8.11.6/8.11.6) id h5H3M7T12804
	for ietf-openpgp@imc.org; Mon, 16 Jun 2003 20:22:07 -0700
Date: Mon, 16 Jun 2003 20:22:07 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306170322.h5H3M7T12804@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Trevor Perrin wrote:

> Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did you 
> bury that treasure we stole?"  Charlie replies "If you're really Bob, 
> what's our codeword?  And send it to me signed and encrypted, so I'll know 
> which public key is yours."  So Bob does.  But Alice now slips Charlie a 
> primary key that has Bob's public key as a signing subkey, and Alice's 
> public key as an encryption subkey.  Charlie decrypts and verifies the 
> message, and is satisfied that the owner of this primary key knows the 
> codeword, and is "Bob".  So he encrypts the treasure map to Alice's public key.

This illustrates a problem with signature subkeys.  When a top-level key
is used to sign a message, it is also used to sign the encryption subkeys.
So your message is signed by the same key that said "use one of these
subkeys to encrypt to me".  You have assurance in that case that you
are encrypting the reply to a key endorsed by the person who signed the
original message.

But with signature subkeys, there is no such guarantee.  The subkey is
just dangling.  It isn't making any statements about the other encryption
subkeys or the top-level master key.  That is why this fraud works in
that case.

I seem to recall that many years ago we discussed this problem, or
something similar.  We talked about requiring signature subkeys to
sign the top level key.  That way the two keys, master key and subkey,
would each sign the other.  They would in effect endorse each other as
belonging to the same key holder.

Doing this would eliminate your fraud, as there would be no signature
from Bob's "stolen" key on Alice's master key where she planted it.
This would indicate that the subkey did not belong there, hence that
the encryption subkeys didn't go with it.

Hal Finney
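The "treasure" case Trevor describes and the two countermeasures discussed in this thread (Hal's mutual endorsement, where the signing subkey also signs its primary, and Trevor's primary key ID carried as a hashed subpacket of the message signature), modelled as an added example that is not from the thread or from any OpenPGP implementation. It uses Ed25519 from Go's standard library; the certificate layout, the binding-message format, the key ID and the Bob/Alice keys are toy constructions of this example, not OpenPGP packet syntax.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Toy OpenPGP-style certificate (constructed for this example, not real packet
// syntax).  Binding is the primary's signature over (primary, sub); BackSig is
// the subkey's signature over the same data (Hal's mutual endorsement), nil if absent.
type Subkey struct {
	Pub              ed25519.PublicKey
	Binding, BackSig []byte
}

type Cert struct {
	Primary ed25519.PublicKey
	Subkeys []Subkey
}

// MsgSig is a message signature.  PrimaryID models Trevor's proposed hashed
// subpacket naming the signer's primary; it is inside the signed data ("" = absent).
type MsgSig struct {
	Signer    ed25519.PublicKey
	PrimaryID string
	Sig       []byte
}

type Policy struct{ RequireBackSig, CheckPrimaryID bool } // empty = today's rules

func keyID(pub ed25519.PublicKey) string { return fmt.Sprintf("%x", pub) } // toy key ID

func bindingMsg(primary, sub ed25519.PublicKey) []byte {
	return append(append([]byte("subkey-binding:"), primary...), sub...)
}

func sigBody(primaryID string, body []byte) []byte {
	return append([]byte("msg:"+primaryID+"|"), body...)
}

// bind models a legitimate subkey: one person holds both private halves.
func bind(primary, sub ed25519.PrivateKey) Subkey {
	p, s := primary.Public().(ed25519.PublicKey), sub.Public().(ed25519.PublicKey)
	msg := bindingMsg(p, s)
	return Subkey{Pub: s, Binding: ed25519.Sign(primary, msg), BackSig: ed25519.Sign(sub, msg)}
}

func signMsg(signer ed25519.PrivateKey, primaryID string, body []byte) MsgSig {
	return MsgSig{signer.Public().(ed25519.PublicKey), primaryID, ed25519.Sign(signer, sigBody(primaryID, body))}
}

// ownerOf is Charlie's reasoning: verify the message, find the certificate in
// which the signer appears as a bound subkey, and treat that whole certificate
// (encryption subkey included) as the signer's.  ok == false means "owner unknown".
func ownerOf(certs []Cert, m MsgSig, body []byte, pol Policy) (Cert, bool) {
	if !ed25519.Verify(m.Signer, sigBody(m.PrimaryID, body), m.Sig) {
		return Cert{}, false
	}
	for _, c := range certs {
		if pol.CheckPrimaryID && m.PrimaryID != keyID(c.Primary) {
			continue // signer committed to a different primary, or to none
		}
		for _, sk := range c.Subkeys {
			msg := bindingMsg(c.Primary, sk.Pub)
			if !sk.Pub.Equal(m.Signer) || !ed25519.Verify(c.Primary, msg, sk.Binding) {
				continue
			}
			if pol.RequireBackSig && !ed25519.Verify(sk.Pub, msg, sk.BackSig) {
				continue // dangling subkey: Verify on a nil BackSig is false
			}
			return c, true
		}
	}
	return Cert{}, false
}

// NewScenario builds the "treasure" case: Bob's real certificate, and Alice's
// certificate that lists Bob's public signing key as one of her own subkeys.
func NewScenario() (bob, alice Cert, bobSigner ed25519.PrivateKey) {
	bobPrim, bobPrimPriv, _ := ed25519.GenerateKey(rand.Reader)
	bobSign, bobSignPriv, _ := ed25519.GenerateKey(rand.Reader)
	alPrim, alPrimPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, alEncPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for Alice's encryption subkey
	bob = Cert{Primary: bobPrim, Subkeys: []Subkey{bind(bobPrimPriv, bobSignPriv)}}
	// Alice can bind Bob's public key under her primary, but without its private half she cannot make the back-signature.
	stolen := Subkey{Pub: bobSign, Binding: ed25519.Sign(alPrimPriv, bindingMsg(alPrim, bobSign))}
	alice = Cert{Primary: alPrim, Subkeys: []Subkey{bind(alPrimPriv, alEncPriv), stolen}}
	return bob, alice, bobSignPriv
}

func main() {
	bob, alice, bobSigner := NewScenario()
	body := []byte("the codeword is swordfish") // constructed sample message; Charlie knows only Alice's cert
	for _, pol := range []Policy{{}, {RequireBackSig: true}, {CheckPrimaryID: true}} {
		_, fooled := ownerOf([]Cert{alice}, signMsg(bobSigner, keyID(bob.Primary), body), body, pol)
		fmt.Printf("%+v -> Charlie fooled: %v\n", pol, fooled)
	}
}
```

With an empty Policy the verifier returns Alice's certificate for Bob's signature, which is exactly Charlie's mistake; either countermeasure makes it reject Alice's certificate, and Bob's own certificate is still found when it is in the keyring.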


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 00:07:01 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA15778
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 00:07:01 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3aFrb033007
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 20:36:15 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5H3aFLb033006
	for ietf-openpgp-bks; Mon, 16 Jun 2003 20:36:15 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3aErb033001
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 20:36:14 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5H3aBW25369
	for ietf-openpgp@imc.org; Mon, 16 Jun 2003 23:36:11 -0400
Date: Mon, 16 Jun 2003 23:36:11 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617033611.GF20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:

> >> Is there a risk that Alice could trick someone into certifying
> >> that Bob's public key belongs to her?  Then someone receiving a
> >> signed message from Bob might incorrectly think it came from
> >> Alice.
> >
> >Not really, since when Charlie certifies key X, he isn't certifying
> >that it belongs to anyone other than the string in the user ID.
> >Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be
> >a problem ;)
> >
> >Of course, it is possible for Alice to attach her own name to Bob's
> >key as a second user ID, but that user ID wouldn't be self-signed
> >and so it would be difficult to get someone else to sign it.
> 
> Probably Alice would first ditch Bob's self-signed user ID, then add
> her own name as an unsigned user ID.  How software would display
> that, and whether users would recognize the danger signs and not
> sign that, I dunno.

PGP shows such user IDs as revoked (not sure why) and refuses to sign
them.

GnuPG shows such user IDs as unsigned, and warns the user before
signing them.  I may go ahead and make the warning even stronger or
just flat out refuse to sign like PGP.

This raises a 2440bis question: given all the recent deprecation of
PGP 2.x stuff, is it worth requiring self-signatures on user IDs now?
If I recall, the only reason that user ID self-signatures are not
currently required was for 2.x compatibility.  Certainly every modern
implementation (5.0+, any GnuPG) generates user ID self-signatures
automatically when a user ID is created.

> But here's another angle: suppose Alice gets someone to sign her
> legitimate primary signing key.  Then she signs Bob's public key as
> a subkey of her primary key.  So even if you've done a
> Proof-of-Possession check on Alice's primary key, she can possibly
> evade that by introducing a subkey.

At least one of the challenge policies (mine) requires that the
challenge response comes from the primary key.  The primary is the one
that I got a fingerprint for, and the primary is the one I'm signing
when I certify the key, so the primary is the one I require the
challenge response from.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7oyr4mZch0nhy8kRAl49AKCuSJGc0CJnC6sNYxXvOhzW/xgYcQCgkErK
k1+VB8LIaS1cDV/VFKSkmSc=
=xm/X
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 00:26:48 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA16483
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 00:26:47 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3Kcrb032653
	for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 20:20:38 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5H3Kc1Z032652
	for ietf-openpgp-bks; Mon, 16 Jun 2003 20:20:38 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3Kbrb032617
	for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 20:20:38 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5H3KZ725249;
	Mon, 16 Jun 2003 23:20:35 -0400
Date: Mon, 16 Jun 2003 23:20:35 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Cc: Derek Atkins <derek@ihtfp.com>
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617032035.GE20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org, Derek Atkins <derek@ihtfp.com>
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmy901whth.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> 
> Trevor Perrin <trevp@trevp.net> writes:
> 
> > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > you bury that treasure we stole?"  Charlie replies "If you're really
> > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > I'll know which public key is yours."  So Bob does.  But Alice now
> > slips Charlie a primary key that has Bob's public key as a signing
> > subkey, and Alice's public key as an encryption subkey.  Charlie
> > decrypts and verifies the message, and is satisfied that the owner of
> > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > treasure map to Alice's public key.
> 
> Except that Alice's subkey wouldn't have a self-signature by Bob's
> primary key, so it shouldn't be accepted by Charlie as a valid subkey.

I think Trevor was referring to Alice generating a brand new primary
signing key and encryption subkey, and then using the new primary to
self-sign Bob's signing subkey (or transform Bob's primary into a
subkey and self-sign that).  Alice then is in possession of a key that
will correctly verify Bob's signatures, but someone encrypting to the
key will encrypt to Alice.

Alice can't issue signatures as Bob, but can attempt to claim existing
Bob signatures as her own.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7okD4mZch0nhy8kRAjwwAKCJRJ3Ni/jNYBuHGTNxw9xn0rrAYACfSINB
+2KqhU9KoX+/HInAzyMnH40=
=nh7Z
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 01:11:04 2003
Date: Mon, 16 Jun 2003 21:47:59 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <20030617033611.GF20267@jabberwocky.com>
X-Sender: trevp00@pop.comcast.net
To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
 <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>


At 11:36 PM 6/16/2003 -0400, David Shaw wrote:

>On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
> > But here's another angle: suppose Alice gets someone to sign her
> > legitimate primary signing key.  Then she signs Bob's public key as
> > a subkey of her primary key.  So even if you've done a
> > Proof-of-Possession check on Alice's primary key, she can possibly
> > evade that by introducing a subkey.
>
>At least one of the challenge policies (mine) requires that the
>challenge response comes from the primary key.  The primary is the one
>that I got a fingerprint for, and the primary is the one I'm signing
>when I certify the key, so the primary is the one I require the
>challenge response from.

Right, but after you've done this, and checked that Alice really possesses 
her primary private key, Alice can certify a subkey whose private key she 
doesn't really possess.

The problem is that there's a forward-linkage from a primary key to a 
subkey, but no back-linkage from a signing subkey to the primary key.  Hal 
suggested having the signing subkey also certify the primary key.  I 
suggested having the signatures produced by the signing subkey have the 
primary key's ID as a hashed subpacket.


Trevor 



From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 08:49:11 2003
Date: Tue, 17 Jun 2003 08:30:02 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617123002.GG20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 09:47:59PM -0700, Trevor Perrin wrote:
> 
> At 11:36 PM 6/16/2003 -0400, David Shaw wrote:
> 
> >On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
> >> But here's another angle: suppose Alice gets someone to sign her
> >> legitimate primary signing key.  Then she signs Bob's public key as
> >> a subkey of her primary key.  So even if you've done a
> >> Proof-of-Possession check on Alice's primary key, she can possibly
> >> evade that by introducing a subkey.
> >
> >At least one of the challenge policies (mine) requires that the
> >challenge response comes from the primary key.  The primary is the one
> >that I got a fingerprint for, and the primary is the one I'm signing
> >when I certify the key, so the primary is the one I require the
> >challenge response from.
> 
> Right, but after you've done this, and checked that Alice really possesses 
> her primary private key, Alice can certify a subkey whose private key she 
> doesn't really possess.

Right, but if/when we fix this problem, then all of the certifications
I've made already are still correct (as I ensured it was a primary
that signed the challenge).

> The problem is that there's a forward-linkage from a primary key to a 
> subkey, but no back-linkage from a signing subkey to the primary key.  Hal 
> suggested having the signing subkey also certify the primary key.  I 
> suggested having the signatures produced by the signing subkey have the 
> primary key's ID as a hashed subpacket.

Yes.  There are pros and cons, but on balance I like Hal's solution a
bit better as it only needs to be done once, presumably at key
generation time.  The subpacket solution needs to be done every time
the signing subkey issues a signature.

The subpacket solution does have a nice side effect in that it becomes
possible to always know the primary key when looking at a subkey
signature.  Since most keyservers don't support search-by-subkey yet,
this could be handy.  Still, having the subkey sign the primary seems
cleaner.

David


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 10:06:16 2003
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
	<sjmy901whth.fsf@kikki.mit.edu>
	<20030617032035.GE20267@jabberwocky.com>
Date: 17 Jun 2003 09:48:31 -0400
In-Reply-To: <20030617032035.GE20267@jabberwocky.com>
Message-ID: <sjmptlcx1ao.fsf@kikki.mit.edu>
Lines: 47
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


David Shaw <dshaw@jabberwocky.com> writes:

> On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> > 
> > Trevor Perrin <trevp@trevp.net> writes:
> > 
> > > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > > you bury that treasure we stole?"  Charlie replies "If you're really
> > > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > > I'll know which public key is yours."  So Bob does.  But Alice now
> > > slips Charlie a primary key that has Bob's public key as a signing
> > > subkey, and Alice's public key as an encryption subkey.  Charlie
> > > decrypts and verifies the message, and is satisfied that the owner of
> > > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > > treasure map to Alice's public key.
> > 
> > Except that Alice's subkey wouldn't have a self-signature by Bob's
> > primary key, so it shouldn't be accepted by Charlie as a valid subkey.
> 
> I think Trevor was referring to Alice generating a brand new primary
> signing key and encryption subkey, and then using the new primary to
> self-sign Bob's signing subkey (or transform Bob's primary into a
> subkey and self-sign that).  Alice then is in possession of a key that
> will correctly verify Bob's signatures, but someone encrypting to the
> key will encrypt to Alice.
> 
> Alice can't issue signatures as Bob, but can attempt to claim existing
> Bob signatures as her own.

Well, the obvious fix for this attack is to require all signing keys
to be authoritative.  If we're going to allow signature subkeys (as
opposed to just encryption subkeys), then the self-signature on that
subkey should be a two-factor signature, requiring BOTH secret keys.

It was unclear from the proposed attack that this was using signature
sub-keys.  I personally believe that signature subkeys are a bad idea,
but if the working group seems to feel otherwise I think we should put
some strong language about the pitfalls.

> David

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 10:21:53 2003
Date: Tue, 17 Jun 2003 10:05:30 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: warlord@mit.edu
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617140530.GA30488@jabberwocky.com>
Mail-Followup-To: warlord@mit.edu, ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmptlcx1ao.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (87% of Full)
User-Agent: Mutt/1.5.4i


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 17, 2003 at 09:48:31AM -0400, Derek Atkins wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
> 
> > On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> > > 
> > > Trevor Perrin <trevp@trevp.net> writes:
> > > 
> > > > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > > > you bury that treasure we stole?"  Charlie replies "If you're really
> > > > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > > > I'll know which public key is yours."  So Bob does.  But Alice now
> > > > slips Charlie a primary key that has Bob's public key as a signing
> > > > subkey, and Alice's public key as an encryption subkey.  Charlie
> > > > decrypts and verifies the message, and is satisfied that the owner of
> > > > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > > > treasure map to Alice's public key.
> > > 
> > > Except that Alice's subkey wouldn't have a self-signature by Bob's
> > > primary key, so it shouldn't be accepted by Charlie as a valid subkey.
> > 
> > I think Trevor was referring to Alice generating a brand new primary
> > signing key and encryption subkey, and then using the new primary to
> > self-sign Bob's signing subkey (or transform Bob's primary into a
> > subkey and self-sign that).  Alice then is in possession of a key that
> > will correctly verify Bob's signatures, but someone encrypting to the
> > key will encrypt to Alice.
> > 
> > Alice can't issue signatures as Bob, but can attempt to claim existing
> > Bob signatures as her own.
> 
> Well, the obvious fix for this attack is to require all signing keys
> to be authoritative.  If we're going to allow signature subkeys (as
> opposed to just encryption subkeys), then the self-signature on that
> subkey should be a two-factor signature, requiring BOTH secret keys.

Yes.  Hal suggested something similar, but to have the signing subkey
certify the primary.

Does anyone have any thoughts on the details of this?  We already have
all the parts needed to have a signing subkey certify the primary
(just have the subkey issue a 1F signature).  I like your suggestion
to put it in the subkey self-signature since that will avoid the
inevitable messiness when a subkey is deleted, but leaves behind the
1F signature.  Putting it in the subkey self-signature keeps things
neat.

With regards to signing subkeys in general, I'd much rather fix the
problem than drop signing subkeys.  2440 defined signing subkeys years
ago, and they are already in use today (this message is signed by
one).  They are very useful in a good number of situations.  To remove
them now seems like a step backwards.

David


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 10:27:19 2003
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
	<sjmy901whth.fsf@kikki.mit.edu>
	<20030617032035.GE20267@jabberwocky.com>
	<sjmptlcx1ao.fsf@kikki.mit.edu>
	<20030617140530.GA30488@jabberwocky.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 17 Jun 2003 10:13:58 -0400
In-Reply-To: <20030617140530.GA30488@jabberwocky.com>
Message-ID: <sjm4r2ox049.fsf@kikki.mit.edu>
Lines: 39
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


David Shaw <dshaw@jabberwocky.com> writes:

> Yes.  Hal suggested something similar, but to have the signing subkey
> certify the primary.

That's not sufficient..  We need both signature keys to cross-certify.
The attack without cross-certification is that I could generate a
signing key and then certify that it's a signing subkey of
president@whitehouse.gov.

> Does anyone have any thoughts on the details of this?  We already have
> all the parts needed to have a signing subkey certify the primary
> (just have the subkey issue a 1F signature).  I like your suggestion
> to put it in the subkey self-signature since that will avoid the
> inevitable messiness when a subkey is deleted, but leaves behind the
> 1F signature.  Putting it in the subkey self-signature keeps things
> neat.

I think this is exactly where a notary-style double-signature is
useful (and should be required as a MUST).

> With regards to signing subkeys in general, I'd much rather fix the
> problem than drop signing subkeys.  2440 defined signing subkeys years
> ago, and they are already in use today (this message is signed by
> one).  They are very useful in a good number of situations.  To remove
> them now seems like a step backwards.

Fair enough..  I don't like it, but we can at least fix the
certification problems.

> David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 10:53:02 2003
Date: Tue, 17 Jun 2003 10:37:15 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: Derek Atkins <warlord@MIT.EDU>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617143715.GH20267@jabberwocky.com>
Mail-Followup-To: Derek Atkins <warlord@MIT.EDU>, ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com> <sjm4r2ox049.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjm4r2ox049.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 17, 2003 at 10:13:58AM -0400, Derek Atkins wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
> 
> > Yes.  Hal suggested something similar, but to have the signing subkey
> > certify the primary.
> 
> That's not sufficient..  We need both signature keys to cross-certify.
> The attack without cross-certification is that I could generate a
> signing key and then certify that it's a signing subkey of
> president@whitehouse.gov.

Sorry, I wasn't clear.  I should have said "... in addition to the
current subkey certification from the primary".

> > Does anyone have any thoughts on the details of this?  We already have
> > all the parts needed to have a signing subkey certify the primary
> > (just have the subkey issue a 1F signature).  I like your suggestion
> > to put it in the subkey self-signature since that will avoid the
> > inevitable messiness when a subkey is deleted, but leaves behind the
> > 1F signature.  Putting it in the subkey self-signature keeps things
> > neat.
> 
> I think this is exactly where a notary-style double-signature is
> useful (and should be required as a MUST).

So, the primary signs the subkey as before and then the subkey
notarizes (0x50 sig) this signature?  That sounds good, but we'll end
up with two signature packets after the signing subkey.  I'm afraid it
would be likely to confuse pre-2440bis implementations which don't
expect to see that extra signature there.

If we put the subkey-on-primary signature IN the original
primary-on-subkey signature (as a new subpacket), then it won't break
older implementations.

David


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 11:21:38 2003
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
	<sjmy901whth.fsf@kikki.mit.edu>
	<20030617032035.GE20267@jabberwocky.com>
	<sjmptlcx1ao.fsf@kikki.mit.edu>
	<20030617140530.GA30488@jabberwocky.com>
	<sjm4r2ox049.fsf@kikki.mit.edu>
	<20030617143715.GH20267@jabberwocky.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 17 Jun 2003 11:02:15 -0400
In-Reply-To: <20030617143715.GH20267@jabberwocky.com>
Message-ID: <sjmvfv4vjbc.fsf@kikki.mit.edu>
Lines: 28
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


Sure, this is fine... Theoretically the real key owner should have
access to both private keys at the same time, so this shouldn't be an
issue.  Using a subpacket is fine.  I still believe this is a MUST ;)

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> > I think this is exactly where a notary-style double-signature is
> > useful (and should be required as a MUST).
> 
> So, the primary signs the subkey as before and then the subkey
> notarizes (0x50 sig) this signature?  That sounds good, but we'll end
> up with two signature packets after the signing subkey.  I'm afraid it
> would be likely to confuse pre-2440bis implementations which don't
> expect to see that extra signature there.
> 
> If we put the subkey-on-primary signature IN the original
> primary-on-subkey signature (as a new subpacket), then it won't break
> older implementations.
> 
> David

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

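The cross-certification check that David, Derek and Hal converge on above (the primary binds the subkey, the subkey acknowledges the primary, and a verifier accepts the signing subkey only when both links verify), as an added example that is not GnuPG or any OpenPGP implementation's code. It models the two links with Go's standard-library Ed25519 rather than real OpenPGP signature packets; the signed byte layouts, the `SubkeyBinding` type and the scenario function names are assumptions. It also runs Trevor's adopted-subkey case and Derek's back-link-only case through both the old forward-only check and the cross-certifying one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyPair stands in for one OpenPGP key (primary or subkey). Ed25519 is used
// only because it is in Go's standard library; the OpenPGP packet formats and
// signature types (0x18, 0x1F, 0x50) discussed in the thread are not modelled.
type KeyPair struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func NewKeyPair() KeyPair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return KeyPair{Pub: pub, Priv: priv}
}

// SubkeyBinding models the primary-on-subkey binding signature together with
// the subkey-on-primary back-signature carried inside it (David's subpacket
// proposal). BackSig is nil when whoever made the binding could not sign it.
type SubkeyBinding struct {
	SubkeyPub  ed25519.PublicKey
	PrimarySig []byte // by the primary key over bindingData
	BackSig    []byte // by the subkey over backsigData, or nil
}

// The byte layouts signed here are assumptions for this example, not the
// OpenPGP hash construction. The prefixes keep the two signatures distinct.
func bindingData(primary, subkey ed25519.PublicKey) []byte {
	d := []byte("primary-binds-subkey:")
	d = append(d, primary...)
	return append(d, subkey...)
}

func backsigData(primary, subkey ed25519.PublicKey) []byte {
	d := []byte("subkey-acknowledges-primary:")
	d = append(d, subkey...)
	return append(d, primary...)
}

// Bind is what the holder of a primary key does when attaching a signing
// subkey. The back-signature needs the subkey's private half, which is
// exactly what someone adopting another person's public key does not have.
func Bind(primary KeyPair, subkeyPub ed25519.PublicKey, subkeyPriv ed25519.PrivateKey) SubkeyBinding {
	b := SubkeyBinding{SubkeyPub: subkeyPub}
	b.PrimarySig = ed25519.Sign(primary.Priv, bindingData(primary.Pub, subkeyPub))
	if subkeyPriv != nil {
		b.BackSig = ed25519.Sign(subkeyPriv, backsigData(primary.Pub, subkeyPub))
	}
	return b
}

// ForwardOnlyValid is the pre-fix verifier: only the forward link from primary
// to subkey is checked, so any subkey the primary holder chose to sign passes.
func ForwardOnlyValid(primaryPub ed25519.PublicKey, b SubkeyBinding) bool {
	return ed25519.Verify(primaryPub, bindingData(primaryPub, b.SubkeyPub), b.PrimarySig)
}

// CrossCertifiedValid requires both directions. A missing back-signature is
// treated as invalid, not skipped; ed25519.Verify returns false on a nil sig.
func CrossCertifiedValid(primaryPub ed25519.PublicKey, b SubkeyBinding) bool {
	if !ForwardOnlyValid(primaryPub, b) || b.BackSig == nil {
		return false
	}
	return ed25519.Verify(b.SubkeyPub, backsigData(primaryPub, b.SubkeyPub), b.BackSig)
}

// LegitimateOwner holds both private keys, so both verifiers accept.
func LegitimateOwner() (forward, cross bool) {
	primary, sub := NewKeyPair(), NewKeyPair()
	b := Bind(primary, sub.Pub, sub.Priv)
	return ForwardOnlyValid(primary.Pub, b), CrossCertifiedValid(primary.Pub, b)
}

// AdoptedSubkey is Trevor's scenario: Alice makes a fresh primary and binds
// Bob's public signing key as a subkey without being able to back-sign it.
func AdoptedSubkey() (forward, cross bool) {
	bob, alice := NewKeyPair(), NewKeyPair()
	b := Bind(alice, bob.Pub, nil) // Alice has bob.Pub only
	return ForwardOnlyValid(alice.Pub, b), CrossCertifiedValid(alice.Pub, b)
}

// BackSigOnly is Derek's point that the back-link alone is not sufficient:
// a subkey acknowledging a primary that never bound it must be rejected.
func BackSigOnly() bool {
	claimed, sub := NewKeyPair(), NewKeyPair()
	b := SubkeyBinding{
		SubkeyPub: sub.Pub,
		BackSig:   ed25519.Sign(sub.Priv, backsigData(claimed.Pub, sub.Pub)),
	}
	return CrossCertifiedValid(claimed.Pub, b)
}

func main() {
	f, c := LegitimateOwner()
	fmt.Printf("legitimate owner: forward-only=%v cross-certified=%v\n", f, c)
	f, c = AdoptedSubkey()
	fmt.Printf("adopted subkey:   forward-only=%v cross-certified=%v\n", f, c)
	fmt.Printf("back-sig only:    cross-certified=%v\n", BackSigOnly())
}
```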

From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 13:06:12 2003
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Date: Tue, 17 Jun 2003 19:26:24 +0200
Message-ID: <nojuevg6op7slpamu0nir13vfac84q9n2q@4ax.com>
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com>
In-Reply-To: <20030617140530.GA30488@jabberwocky.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 17 Jun 2003 10:05:30 -0400, you wrote:

>
>[2F17AC17]*** PGP SIGNATURE VERIFICATION ***
>[2F17AC17]*** Hash: SHA1
>[2F17AC17]*** Status: Signing Algorithm Not Supported
>[2F17AC17]*** Signer: David M. Shaw <dshaw@jabberwocky.com>
>*** Note: Signing Key is a Sub-Key!
>[2F17AC17]*** Key ID: 0xE2665C8749E1CBC9
>[2F17AC17]*** Fingerprint: FC2A 0E9B 5122 7D7B 5923  2CE6 E266 5C87 49E1 CBC9
>[2F17AC17]*** Signed: 6/17/2003 4:05:30 PM
>[2F17AC17]*** Verified: 6/17/2003 6:55:28 PM
>[2F17AC17]*** BEGIN PGP VERIFIED MESSAGE ***
>
<snip>
>
>With regards to signing subkeys in general, I'd much rather fix the
>problem than drop signing subkeys.  2440 defined signing subkeys years
>ago, and they are already in use today (this message is signed by
>one).  They are very useful in a good number of situations.  To remove
>them now seems like a step backwards.
>
David, I don't think that signing subkeys are a good idea.
Please look at the above verification block.  Furthermore,
I had problems retrieving the signing key from the servers.
So, I grabbed all the keys out there with "David Shaw" as UID.
You probably consider me thick, but there are OpenPGP users
out there who are a lot thicker than I am.
The irony is that you can achieve the same thing with
a signing master key if you think about it.
I am afraid that signing subkeys are going to be very
expensive to implement.  The whole of the keyserver
infrastructure needs to be retrofitted to deal with them.
You are right that 2440 defined signing master keys years
ago, however, to be honest with you, this is my second
encounter with them, and I consider myself a heavy
PGP user.  TIGER192, SHA1x, & HAVAL-5-160 had more
widespread use than signing subkeys, if you ask me.
Yet, we had no qualms about dropping them.
The same should be done for signing subkeys.
The less, the simpler the better.

>David
>
Best Regards

Imad R. Faiad
>[2F17AC17]*** END PGP VERIFIED MESSAGE ***

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPu9ON7zDFxiDPxutAQJOyAf+PpxUIz5qsgStFfgHFthYo1SgcjOmPtwu
EJ48Rj1P8qhvf7Mh/vh59hMwJQmnKVlG2tY2diyFTChLH4X0PODqXpRsqIp3ILVp
WtM8R4RMJPtpV6mvKfUNPSTJhHNSRuQWrtSXF6k8FS0ngnPrY3niJ9klqp8Wv8j/
7coxKOR6cRANYcRgGCfhHIzJk7ZaK7gTiDOVRAXKHnDpR+kIFqirdczJAhq7+srR
gbt9dekTPS4/08NvkWlOGk/burQoFI971/0haSyI+xGYUcMk2f+hBN5IEMt2wXAo
NoOq04qyWhyNgtAo68KZ4t+ui/YNoFN77+85WSZmrmMHp+6a4RU48A==
=AIlF
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 16:05:54 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA08404
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 16:05:53 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HJWVrb005966
	for <ietf-openpgp-bks@above.proper.com>; Tue, 17 Jun 2003 12:32:31 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5HJWVxC005965
	for ietf-openpgp-bks; Tue, 17 Jun 2003 12:32:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HJWUrb005960
	for <ietf-openpgp@imc.org>; Tue, 17 Jun 2003 12:32:30 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5HJWN500946;
	Tue, 17 Jun 2003 15:32:23 -0400
Date: Tue, 17 Jun 2003 15:32:23 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: "Imad R. Faiad" <matic@cyberia.net.lb>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617193223.GJ20267@jabberwocky.com>
Mail-Followup-To: "Imad R. Faiad" <matic@cyberia.net.lb>,
	ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com> <nojuevg6op7slpamu0nir13vfac84q9n2q@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <nojuevg6op7slpamu0nir13vfac84q9n2q@4ax.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 17, 2003 at 07:26:24PM +0200, Imad R. Faiad wrote:

> I am afraid that signing subkeys are going to be very
> expensive to implement.  The whole of the keyserver
> infrastructure needs to be retrofitted to deal with them.
> You are right that 2440 defined signing master keys years
> ago, however, to be honest with you, this is my second
> encounter with them, and I consider myself a heavy
> PGP user.  TIGER192, SHA1x, & HAVAL-5-160 had more
> widespread use than signing subkeys, if you ask me.
> Yet, we had no qualms about dropping them.

Yes, and I agreed with dropping them, but I don't see a real
inconsistency here.  There is a substantial difference between
dropping hash algorithms that were either unused (MD2), or unusable
(TIGER192 and HAVAL-5-160 had no OID, double-SHA was experimental),
and dropping a used feature from a widely deployed implementation.

As it happens, some keyservers (the LDAP ones) support subkey searches
today.  The newer HKP servers (SKS, ONAK) plan to add support soon.
To be sure, PKS doesn't support it, but frankly, PKS also eats keys on
a regular basis.  If we were going to restrict OpenPGP based on what
some of the PKSes out there could handle without choking, we'd have to
throw away v4 RSA and any key with more than one subkey as well. ;)

I think it is poor practice to restrict OpenPGP based on what a single
broken keyserver can handle, especially since there are many
alternatives, including a few fixed versions of PKS.

If you are very concerned about old keyservers not being able to
retrieve a key given a subkey ID, then I would certainly support an
(optional) subpacket or signature notation to be used on signatures
issued by a signing subkey.  The subpacket would contain the keyid of
the primary key, just to make it easier to find on a keyserver.

(I saw you were unable to verify my message with PGP 8.  For some
reason, signing subkeys only work with the "pgpmail" interface and not
the plugins in PGP 8.  I assume it's a bug, and hopefully it'll be
fixed in the next update.)

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+72zH4mZch0nhy8kRAoGtAJ4hsDLiw3JRhkaOxpBxzlcEz7uO/gCbBDp0
K4zZxXopEhEHLYnYNf6TUiE=
=HzJv
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 16:26:30 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA09333
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 16:26:30 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HK7Xrb008037
	for <ietf-openpgp-bks@above.proper.com>; Tue, 17 Jun 2003 13:07:33 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5HK7WhB008033
	for ietf-openpgp-bks; Tue, 17 Jun 2003 13:07:32 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.115])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HK7Vrb008025
	for <ietf-openpgp@imc.org>; Tue, 17 Jun 2003 13:07:31 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45])
 by mtaout02.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HGN00FPP6GKPD@mtaout02.icomcast.net> for ietf-openpgp@imc.org;
 Tue, 17 Jun 2003 16:05:09 -0400 (EDT)
Date: Tue, 17 Jun 2003 13:05:04 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <20030617123002.GG20267@jabberwocky.com>
X-Sender: trevp00@pop.comcast.net
To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030617120640.028e0ce8@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
 <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
 <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
 <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT


At 08:30 AM 6/17/2003 -0400, David Shaw wrote:

>On Mon, Jun 16, 2003 at 09:47:59PM -0700, Trevor Perrin wrote:
> > [...]
> > The problem is that there's a forward-linkage from a primary key to a
> > subkey, but no back-linkage from a signing subkey to the primary key.  Hal
> > suggested having the signing subkey also certify the primary key.  I
> > suggested having the signatures produced by the signing subkey have the
> > primary key's ID as a hashed subpacket.
>
>Yes.  There are pros and cons, but on balance I like Hal's solution a
>bit better as it only needs to be done once, presumably at key
>generation time.  The subpacket solution needs to be done every time
>the signing subkey issues a signature.
>
>The subpacket solution does have a nice side effect in that it becomes
>possible to always know the primary key when looking at a subkey
>signature.  Since most keyservers don't support search-by-subkey yet,
>this could be handy. [...]

Another slight advantage is that the relying party doesn't have to verify 
an extra signature.  Also, pre-existing keys with signing subkeys wouldn't 
have to be modified, they could just start issuing signatures with this new 
subpacket.  (On the other hand, with the solution you and Hal advocate, if 
you *do* modify the key by adding a back-signature, then pre-existing 
message signatures can take advantage of it, so maybe this is a wash).

Either solution seems fine.  You also mentioned requiring self-signatures 
on user IDs, which seems like a good thing to insist on, and pretty much 
takes care of the proof-of-possession concern I was raising, I think.

Trevor 



From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 16:30:14 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA09563
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 16:30:13 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HK3nrb007916
	for <ietf-openpgp-bks@above.proper.com>; Tue, 17 Jun 2003 13:03:49 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5HK3nJi007915
	for ietf-openpgp-bks; Tue, 17 Jun 2003 13:03:49 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HK3lrb007902
	for <ietf-openpgp@imc.org>; Tue, 17 Jun 2003 13:03:47 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-13-25.cyberia.net.lb ([195.112.203.123])
          by sand.cyberia.net.lb with SMTP
          id <20030617195919.OBUE3447.sand@ppp-13-25.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Tue, 17 Jun 2003 22:59:19 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys
Date: Tue, 17 Jun 2003 22:45:07 +0200
Message-ID: <cdvuev4t1nv43an67r445nl2epsdh8rg40@4ax.com>
References: <sjm1xxu5ett.fsf@kikki.mit.edu> <008b01c3340c$9070cf70$39632352@happy> <5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com> <87of0yrn9r.fsf@alberti.g10code.de>
In-Reply-To: <87of0yrn9r.fsf@alberti.g10code.de>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5HK3mrb007910
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Werner,

On Mon, 16 Jun 2003 18:38:08 +0200, you wrote:

>
>On Mon, 16 Jun 2003 18:29:06 +0200, Imad R Faiad said:
>
>> You are assuming that law enforcers are inept morons!
>
>It is a matter of the law and the loopholes it has.  IIRC, the British
>RIP act does not allow seizing a computer but allows a police officer
>to demand the decryption key for a message they have intercepted or
>somehow else got access to.  There is even no need to pass them the
>entire PGP key including the passphrase; there must simply be a
>mechanism to decrypt a message they "own".  This is also the reason
>GnuPG provides the --{show,override}-session-key options.
>
>> Do yourself a favor, and don't ever use this technique
>> again, it is now public knowledge!
>
>I am pretty sure that Ian - who is FIPR director and co-author of the
>PFS draft - knows very well what he is doing.
>
I think you are in need of some education, so I am going to take some
time to broaden your perspective...

Haven't you ever heard of the following:-

We are all sprung from the same stock, partakers of the same
nature, and sharers in the same hope;  and although distinctions
among men are necessary to preserve subordination, yet ought
no eminence of situation make us forget that we are all
in the same boat, for he who is placed on the lowest spoke of
fortune's wheel is equally entitled to our regards, as time
will come, and wisest of us knows not how soon, when all
distinctions, save those of goodness and virtue, shall cease,
and death, the grand leveler of all human greatness, reduce
us to the same state.

I do sincerely hope that you will be inspired by the above
and apply it forthwith ;)

Best regards

Imad R. Faiad
>
>Salam-Shalom,
>
>   Werner

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPu99DLzDFxiDPxutAQL1XwgAo0SdFItVzb89RUGt1Gog8QflAYGpope6
YZ/NIuuyEWzicsPmmMPZcMLy10Bo2xeopCYzGSWoGFLjkCFZkNd23Dw28qr43rbv
t0cV/tc4WSdfSjY0l7yWCChrvWNtztVuD8yPF0BcXEHUdBG6CeFqWEPnH0Xs7t5D
7o4vTdQ/NltKmBE8ug4jv2yoIHCzi9CAnrzEAUEmZTBnaIKUFNwC3EjlhQ9n/2CK
xy3KpZw4+XOfpunBjz7z4zxk1DWaSgJKm5+EtwYMsIeUa81gRDYpRvPyj9z54/ZL
NGbBVDD7CoRq54vAOMHanHJirk6HSrQOuwrDkOUPvJBaTtWVsqskVA==
=Mzm4
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 19:27:10 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA16049
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 19:27:09 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HNBKrb015319
	for <ietf-openpgp-bks@above.proper.com>; Tue, 17 Jun 2003 16:11:20 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5HNBKIT015317
	for ietf-openpgp-bks; Tue, 17 Jun 2003 16:11:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HNBIrb015306
	for <ietf-openpgp@imc.org>; Tue, 17 Jun 2003 16:11:19 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45])
 by mtaout04.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
 with ESMTP id <0HGN006IEEWUE0@mtaout04.icomcast.net> for ietf-openpgp@imc.org;
 Tue, 17 Jun 2003 19:07:43 -0400 (EDT)
Date: Tue, 17 Jun 2003 16:07:38 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: augmenting subkeys
X-Sender: trevp00@pop.comcast.net
To: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030617160045.03b91c20@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT



People were discussing the value of subkeys.  I'm kind of a newcomer here, 
and I'm not an implementor, so my opinion doesn't count for much.  But I 
think subkeys are cool.  In fact, PGP could add features to support some 
advanced uses of subkeys.  A few arguments in favor of subkeys, and of 
extending them in a couple ways:

An obvious use of subkeys is to keep the primary key in a more secure/less 
convenient environment, and the subkeys in a less secure/more convenient 
environment, but give them short validity periods to mitigate compromise.

Also, if PGP keys are used for things besides email (TLS, SSH, etc..), then 
the user may want to use his key with multiple devices and applications 
(laptops, desktops, PDAs, cellphones, etc.), so by getting his primary key 
certified, or by giving someone his primary key fingerprint, he can then 
certify subkeys in all these different devices.  This is more convenient 
than getting all his subkeys certified individually, and is more secure 
than sharing the same key with all these devices, since transferring keys 
is risky, using the same key with different protocols isn't a good idea, 
and a compromise/revocation of one subkey won't affect the others.

PKIX is looking at a similar thing with "Proxy Certificates"[1].  So in a 
sense, both PKIX and PGP are exploring a 2-tiered system, where the first 
tier uses TTP certificates to convince Alice of Bob's "primary" key, and 
the second tier is short-lived certificates that Bob issues from his 
primary key to different devices, applications, and services, so he can 
manage validity intervals, limit compromises, and keep the primary key in a 
safer place.

This safer place might be a smartcard, a USB token, the user's main 
computer, or even a network service.  You could imagine some elaborate 
things.  For example, you might split your primary key into shares for use 
with some "proactive threshold signature scheme" and store these shares in 
different places around your home.  Periodically you would bring the shares 
together, "refresh them", so that an attacker would have to steal the 
shares within a single period, and sign your subkeys.

Or you could bring the shares together (say once a week or month) and sign 
a subkey possessed by an intermediary server.  Then every day when you 
fire up your email client, cellphone, etc., you could authenticate to the 
server and get a sub-subkey with, say, an 8 hour lifetime.  Maybe you could 
even give your primary key shares to different online servers, which you 
would choose to be independent so it's unlikely they would all be 
compromised simultaneously.  They would automatically contact each other 
and refresh their shares once a week, and certify the intermediary's subkey.

Anyways, not that anyone should start designing protocols for this, or that 
this should go in the next draft.  But a few additions to the OpenPGP 
format might allow someone to do these types of things, if they wanted to:
  - a better way of binding a subkey to an application protocol, to 
compartmentalize the damage from a compromise - so if your OpenPGP/TLS key 
is compromised, the attacker couldn't turn around and use this key for 
OpenPGP/SSH.  Discussed a bit here [2].
  - sub-subkeys (and sub-sub-subkeys, etc.).  So you can have 
"intermediaries" like above.

Just curious if people think that would be an interesting direction for PGP 
to grow in..

Trevor


[1] http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-06.txt
[2] http://www.imc.org/ietf-openpgp/mail-archive/msg05092.html



From owner-ietf-openpgp@mail.imc.org  Tue Jun 17 19:32:45 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA16119
	for <openpgp-archive@lists.ietf.org>; Tue, 17 Jun 2003 19:32:44 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HNL0rb015647
	for <ietf-openpgp-bks@above.proper.com>; Tue, 17 Jun 2003 16:21:00 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5HNL0t5015643
	for ietf-openpgp-bks; Tue, 17 Jun 2003 16:21:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from thetis.deor.org (thetis.deor.org [207.106.86.210])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5HNKwrb015628
	for <ietf-openpgp@imc.org>; Tue, 17 Jun 2003 16:20:58 -0700 (PDT)
	(envelope-from rabbi@abditum.com)
Received: by thetis.deor.org (Postfix, from userid 500)
	id 59D43450A7; Tue, 17 Jun 2003 16:20:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by thetis.deor.org (Postfix) with ESMTP
	id 461B248024; Tue, 17 Jun 2003 16:20:57 -0700 (PDT)
Date: Tue, 17 Jun 2003 16:20:57 -0700 (PDT)
From: Len Sassaman <rabbi@abditum.com>
X-Sender:  <rabbi@thetis.deor.org>
To: David Shaw <dshaw@jabberwocky.com>
Cc: <ietf-openpgp@imc.org>
Subject: Re: key flag for authentication
In-Reply-To: <20030615131946.GE28548@jabberwocky.com>
Message-ID: <Pine.LNX.4.30.QNWS.0306171620380.15964-100000@thetis.deor.org>
X-AIM: Elom777
X-icq: 10735603
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Sun, 15 Jun 2003, David Shaw wrote:

> It doesn't need much documentation.  This is similar to the "This key
> may be used to encrypt communications" or "This key may be used to
> encrypt storage" flags: a usage hint.
>
> I think the proposed flag is a good idea.

Agreed.


From owner-ietf-openpgp@mail.imc.org  Tue Jun 24 17:26:22 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA11797
	for <openpgp-archive@lists.ietf.org>; Tue, 24 Jun 2003 17:26:21 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5OKtLrb093006
	for <ietf-openpgp-bks@above.proper.com>; Tue, 24 Jun 2003 13:55:21 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5OKtLwO093005
	for ietf-openpgp-bks; Tue, 24 Jun 2003 13:55:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.infoseccorp.com ([12.2.121.3])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5OKtJrb092999
	for <ietf-openpgp@imc.org>; Tue, 24 Jun 2003 13:55:20 -0700 (PDT)
	(envelope-from markowitz@infoseccorp.com)
Received: from mjm340.infoseccorp.com (mjm [12.2.121.12])
	by mail.infoseccorp.com (AIX4.3/8.9.3/8.9.3) with ESMTP id PAA18558;
	Tue, 24 Jun 2003 15:56:53 -0500
Message-Id: <5.2.0.9.2.20030624154647.0338c8e8@12.2.121.3>
X-Sender: mjm@12.2.121.3 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Tue, 24 Jun 2003 15:54:49 -0500
To: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
From: Mike Markowitz <markowitz@infoseccorp.com>
Subject: Re: AES-256 vs AES-128
Cc: ietf-openpgp@imc.org
In-Reply-To: <m19M67W-000QdtC@epsilon>
References: <87r86f5vvb.fsf_-_@alberti.g10code.de>
 <3ED7EDD2.4050105@attbi.com>
 <87r86f5vvb.fsf_-_@alberti.g10code.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


At 03:10 PM 5/31/2003 +0200, Bodo Moeller wrote:

>Of course arguably 128 bits are by far enough so that you don't really
>have to worry about anything of this -- unless you think that quantum
>attacks might become realistic.

Just when you thought this thread was dead... <g>

Here is NSA's current view of the matter (from the recent "CNSS Policy No. 15, 
FS-1" document: http://csrc.nist.gov/cryptval/CNSS15FS.pdf):

"(6) The design and strength of all key lengths of the AES algorithm (i.e., 
128, 192 and 256) are sufficient to protect classified information up to the 
SECRET level.  TOP SECRET information will require use of either the 192 or 
256 key lengths."

-mjm



From owner-ietf-openpgp@mail.imc.org  Tue Jun 24 23:18:13 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA04668
	for <openpgp-archive@lists.ietf.org>; Tue, 24 Jun 2003 23:18:12 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5P2v7rb003630
	for <ietf-openpgp-bks@above.proper.com>; Tue, 24 Jun 2003 19:57:07 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5P2v7w7003629
	for ietf-openpgp-bks; Tue, 24 Jun 2003 19:57:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5P2v5rb003623
	for <ietf-openpgp@imc.org>; Tue, 24 Jun 2003 19:57:06 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04280640pcs.union01.nj.comcast.net [68.39.105.184])
	by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5P2v5415847
	for <ietf-openpgp@imc.org>; Tue, 24 Jun 2003 22:57:05 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5P2v3b11351
	for ietf-openpgp@imc.org; Tue, 24 Jun 2003 22:57:03 -0400
Date: Tue, 24 Jun 2003 22:57:03 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Suggestion for the signing subkey problem
Message-ID: <20030625025703.GL4469@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (30% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Hi everyone,

I was thinking about the "stolen signing subkey" problem, and a
slightly different solution popped up:

What if we create a new "signature in a signature" subpacket that is
defined as a regular signature contained in a subpacket?  All signing
subkeys MUST contain such a subpacket in their binding self-signature.
The "subpacket signature" in this case is made by the signing subkey,
and on the primary key, hashed as if for a 1F signature.  The end
result is that the signing subkey has a binding self-signature issued
by the primary key as we do now, and that binding self-signature has
an embedded 1F signature on the primary key data issued by the signing
subkey itself.

One of the nice benefits of using a subpacket here, rather than some
other scheme is that we can set the critical bit of the subpacket if
we want to "break" the signing subkey on older implementations, but at
the same time, we don't have to.

I was considering suggesting a single-purpose subpacket that could
only be used for making a back-signature from a signing subkey on the
primary key data, but it started to look like reinventing the wheel.
We have a good, working, signature format.  If we just stick it in a
subpacket, we can leverage all that work.

Yes, it is a little odd to contemplate the idea that a subpacket can
contain a signature that contains subpackets which contain a
signature...  "Great fleas have little fleas upon their backs to bite
'em, And little fleas have lesser fleas, and so ad infinitum."

Is this overkill for the exact problem at hand?  Probably.  On the
brighter side, it is certainly a more general solution that could be
useful elsewhere.  For example, it might replace the (as yet unused)
signature target subpacket: since we can just stick the target
signature in this proposed subpacket, we don't need the current target
subpacket anymore.  It also enables interesting possibilities for the
notary signature.

David
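
The back-linkage problem Trevor and Hal were discussing above, and the embedded "signature in a signature" fix David proposes in this message, as an added example that is not code from this thread or from any OpenPGP implementation. It substitutes Ed25519 (Go's standard library) for OpenPGP's public-key algorithms and a plain struct for the packet format; the 0x18 (subkey binding) and 0x1F (direct key) signature type codes are RFC 2440's, used here only as domain-separation tags. The names Binding, BindSubkey, MakeBackSig and VerifySigningSubkey are this example's own. The point it demonstrates is why the back-signature has to be made by the subkey over the primary key data: a binding without it is rejected, and a back-signature copied into a binding under a different primary fails, because it names the primary it was made for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RFC 2440 signature type codes, used here only as domain-separation tags so
// that a signature made for one purpose cannot be replayed as another.
const (
	sigTypeSubkeyBinding byte = 0x18 // primary key binds a subkey
	sigTypeDirectKey     byte = 0x1F // signature directly on a key (the back-signature)
)

// Binding models a subkey-binding self-signature (toy structure, not the
// OpenPGP packet format). The primary key's signature covers the primary key,
// the subkey and the embedded back-signature, as a hashed subpacket would be
// covered; the back-signature itself is made by the subkey over the primary
// key data, "as if for a 1F signature".
type Binding struct {
	PrimaryPub ed25519.PublicKey
	SubkeyPub  ed25519.PublicKey
	BackSig    []byte // by the subkey over directKeyData(PrimaryPub); empty if absent
	PrimarySig []byte // by the primary over bindingData(...)
}

var (
	ErrBadBinding = errors.New("primary key's binding signature does not verify")
	ErrNoBackSig  = errors.New("signing subkey lacks an embedded back-signature")
	ErrBadBackSig = errors.New("back-signature does not verify against this primary key")
)

func directKeyData(primary ed25519.PublicKey) []byte {
	return append([]byte{sigTypeDirectKey}, primary...)
}

func bindingData(primary, subkey ed25519.PublicKey, backSig []byte) []byte {
	msg := []byte{sigTypeSubkeyBinding}
	msg = append(msg, primary...)
	msg = append(msg, subkey...)
	return append(msg, backSig...) // the embedded subpacket is hashed too
}

// NewKey generates a fresh key pair (helper for the example).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// MakeBackSig needs the subkey's private half: only the real subkey holder
// can produce it, and it names the primary key the subkey agrees to be bound to.
func MakeBackSig(subkeyPriv ed25519.PrivateKey, primary ed25519.PublicKey) []byte {
	return ed25519.Sign(subkeyPriv, directKeyData(primary))
}

// BindSubkey is what the primary key holder issues. A nil backSig models a
// binding from an implementation that predates the back-signature.
func BindSubkey(primaryPriv ed25519.PrivateKey, subkey ed25519.PublicKey, backSig []byte) Binding {
	primary := primaryPriv.Public().(ed25519.PublicKey)
	return Binding{
		PrimaryPub: primary,
		SubkeyPub:  subkey,
		BackSig:    backSig,
		PrimarySig: ed25519.Sign(primaryPriv, bindingData(primary, subkey, backSig)),
	}
}

// VerifySigningSubkey accepts a signing subkey only when both links hold:
// the primary vouches for the subkey, and the subkey vouches for the primary.
func VerifySigningSubkey(b Binding) error {
	if !ed25519.Verify(b.PrimaryPub, bindingData(b.PrimaryPub, b.SubkeyPub, b.BackSig), b.PrimarySig) {
		return ErrBadBinding
	}
	if len(b.BackSig) == 0 {
		return ErrNoBackSig
	}
	if !ed25519.Verify(b.SubkeyPub, directKeyData(b.PrimaryPub), b.BackSig) {
		return ErrBadBackSig
	}
	return nil
}

func main() {
	alicePub, alicePriv := NewKey() // Alice's primary key
	subPub, subPriv := NewKey()     // Alice's signing subkey
	_, otherPriv := NewKey()        // an unrelated primary key

	back := MakeBackSig(subPriv, alicePub)
	fmt.Println("genuine binding:    ", VerifySigningSubkey(BindSubkey(alicePriv, subPub, back)))
	fmt.Println("legacy, no back-sig:", VerifySigningSubkey(BindSubkey(alicePriv, subPub, nil)))
	// Alice's public subkey bound under another primary, with her back-signature
	// copied in: the primary's own signature checks out, but the back-signature
	// was made over Alice's primary key data, not this one.
	fmt.Println("other primary:      ", VerifySigningSubkey(BindSubkey(otherPriv, subPub, back)))
}
```

A verifier that treats ErrNoBackSig as fatal is the strict behaviour David describes for a critical subpacket; one that downgrades it to a warning is the lenient path for keys issued before the subpacket existed. Either way the check costs one extra signature verification per signing subkey, done when the key is imported rather than on every message signature.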


From owner-ietf-openpgp@mail.imc.org  Wed Jun 25 15:01:33 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA25636
	for <openpgp-archive@lists.ietf.org>; Wed, 25 Jun 2003 15:01:31 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PITurb080615
	for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 11:29:56 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5PITtqu080614
	for ietf-openpgp-bks; Wed, 25 Jun 2003 11:29:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PITdrb080479
	for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 11:29:40 -0700 (PDT)
	(envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72])
	by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5PITerM025738;
	Wed, 25 Jun 2003 14:29:41 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71])
	by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5PITerO006314;
	Wed, 25 Jun 2003 14:29:40 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142])
	)
	by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h5PITbFJ014592;
	Wed, 25 Jun 2003 14:29:40 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.12.9)
	id h5PITb5m019426; Wed, 25 Jun 2003 14:29:37 -0400 (EDT)
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
References: <20030625025703.GL4469@jabberwocky.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 25 Jun 2003 14:29:37 -0400
In-Reply-To: <20030625025703.GL4469@jabberwocky.com>
Message-ID: <sjm4r2ej9im.fsf@kikki.mit.edu>
Lines: 52
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Hmm, can subkeys have subkeys?

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> Hi everyone,
> 
> I was thinking about the "stolen signing subkey" problem, and a
> slightly different solution popped up:
> 
> What if we create a new "signature in a signature" subpacket that is
> defined as a regular signature contained in a subpacket?  All signing
> subkeys MUST contain such a subpacket in their binding self-signature.
> The "subpacket signature" in this case is made by the signing subkey,
> and on the primary key, hashed as if for a 1F signature.  The end
> result is that the signing subkey has a binding self-signature issued
> by the primary key as we do now, and that binding self-signature has
> an embedded 1F signature on the primary key data issued by the signing
> subkey itself.
> 
> One of the nice benefits of using a subpacket here, rather than some
> other scheme is that we can set the critical bit of the subpacket if
> we want to "break" the signing subkey on older implementations, but at
> the same time, we don't have to.
> 
> I was considering suggesting a single-purpose subpacket that could
> only be used for making a back-signature from a signing subkey on the
> primary key data, but it started to look like reinventing the wheel.
> We have a good, working, signature format.  If we just stick it in a
> subpacket, we can leverage all that work.
> 
> Yes, it is a little odd to contemplate the idea that a subpacket can
> contain a signature that contains subpackets which contain a
> signature...  "Great fleas have little fleas upon their backs to bite
> 'em, And little fleas have lesser fleas, and so ad infinitum."
> 
> Is this overkill for the exact problem at hand?  Probably.  On the
> brighter side, it is certainly a more general solution that could be
> useful elsewhere.  For example, it might replace the (as yet unused)
> signature target subpacket: since we can just stick the target
> signature in this proposed subpacket, we don't need the current target
> subpacket anymore.  It also enables interesting possibilities for the
> notary signature.
> 
> David

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


From owner-ietf-openpgp@mail.imc.org  Wed Jun 25 15:43:58 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA28205
	for <openpgp-archive@lists.ietf.org>; Wed, 25 Jun 2003 15:43:57 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJS9rb082212
	for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 12:28:09 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5PJS9Rt082211
	for ietf-openpgp-bks; Wed, 25 Jun 2003 12:28:09 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJS8rb082206
	for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 12:28:08 -0700 (PDT)
	(envelope-from hal@finney.org)
Received: (from hal@localhost)
	by finney.org (8.11.6/8.11.6) id h5PJQbI29743
	for ietf-openpgp@imc.org; Wed, 25 Jun 2003 12:26:37 -0700
Date: Wed, 25 Jun 2003 12:26:37 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306251926.h5PJQbI29743@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


One other point, although I hesitate to mention it, is that we could
consider using this sign-the-topkey trick for encryption subkeys as well
as signature subkeys.  Now, there are two immediate objections to this.
First, as discussed earlier, the fraud does not seem nearly as serious
for encryption subkeys, amounting to tricking someone into encrypting
a message to someone else's key instead of your own.  And second, it
seems impossible anyway, as encryption subkeys can't issue signatures,
so they can't sign the top level key.

However, the impossibility is actually not so bad: RSA encryption subkeys
can issue signatures just fine, even if they don't usually do so; and the
same with ElGamal encryption subkeys.  We have loaded up the spec with
warnings about ElGamal signatures, but in fact those warnings mostly
relate to chosen plaintext attacks.  In this case it is the key owner
who is choosing what to sign, hence those attacks don't apply.  It should
be perfectly safe for an ElGamal or RSA encryption subkey to issue an
appropriate signature on its top-level key.

The first objection still holds, that all this work may not be worth it
(and it is a lot of work for those implementations which don't support
ElGamal signatures) since we don't seem to be able to come up with
much of a fraud by putting someone else's subkey under your own topkey.
Nevertheless there is considerable appeal to being able to verify that
all master-slave key-to-key relationships were fully consensual.

Hal Finney


From owner-ietf-openpgp@mail.imc.org  Wed Jun 25 15:46:48 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA28294
	for <openpgp-archive@lists.ietf.org>; Wed, 25 Jun 2003 15:46:48 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJQ6rb082171
	for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 12:26:06 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5PJQ6H1082170
	for ietf-openpgp-bks; Wed, 25 Jun 2003 12:26:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJQ5rb082165
	for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 12:26:05 -0700 (PDT)
	(envelope-from hal@finney.org)
Received: (from hal@localhost)
	by finney.org (8.11.6/8.11.6) id h5PJOY429735
	for ietf-openpgp@imc.org; Wed, 25 Jun 2003 12:24:34 -0700
Date: Wed, 25 Jun 2003 12:24:34 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306251924.h5PJOY429735@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


Derek Atkins writes:
> Hmm, can subkeys have subkeys?

Subkeys, unlike David's fleas, are not presently afflicted in this way.
However, if they ever suffered such a transformation, we could probably
link each top and child key in the same way we are proposing to link
our single level of parenthood.

As far as David's proposal, as I understand it, when a new subkey is
created, it signs the main key, along the lines we have been discussing.
However, rather than putting that signature on the main key, we instead
put it into a subpacket of the subkey binding signature issued by the
main key.  Since the subkey creation process has access to the private
parts of both keys, there is of course no difficulty in creating the
signatures in this order and putting them in these places.

The main advantage I see would be that we would not have a new signature
sitting on the main key, which some old software might choke on if it
were particularly particular.  Instead we have a new kind of subpacket in
the subkey binding signature, which hopefully most software will ignore
if it is non-critical.

David suggests that it could in fact be made critical, but I don't see
any advantage to doing that.  It would not stop the fraud from being
perpetrated on old software, since of course the fraudster would not be
in a position to create the new subpacket and certainly would not create
a bogus one and mark it critical, since that would defeat his purpose.

For a good subkey, all marking it critical would accomplish is to create
an artificial backwards incompatibility, so that this very valid subkey
was spuriously rejected by old software, which would not accomplish
anything useful that I can see.

This proposal does depend on old software ignoring non-critical subpackets,
in order for newly created subkeys to still be used by old software (at
least, old software that allowed the use of signing subkeys).

One concern I have is the rather generic "1F" signature type proposed
for the subkey-on-key signatures.  It would probably be better to
use a new signature type specific for this purpose.  We use "18"
for the topkey-on-subkey signature, so maybe we could use "19" for the
subkey-on-topkey.  That would reduce the possibility of an existing "1F"
signature somehow being put to a new and malicious use.  Introducing a
new signature type would increase the chance of an implementation choking
when it finds the signature on the top level key, which would be another
point in favor of David's suggestion to hide the new sig in a subpacket
of the topkey-on-subkey.

Hal Finney


David Shaw <dshaw@jabberwocky.com> writes:
> Hi everyone,
> 
> I was thinking about the "stolen signing subkey" problem, and a
> slightly different solution popped up:
> 
> What if we create a new "signature in a signature" subpacket that is
> defined as a regular signature contained in a subpacket?  All signing
> subkeys MUST contain such a subpacket in their binding self-signature.
> The "subpacket signature" in this case is made by the signing subkey,
> and on the primary key, hashed as if for a 1F signature.  The end
> result is that the signing subkey has a binding self-signature issued
> by the primary key as we do now, and that binding self-signature has
> an embedded 1F signature on the primary key data issued by the signing
> subkey itself.
> 
> One of the nice benefits of using a subpacket here, rather than some
> other scheme is that we can set the critical bit of the subpacket if
> we want to "break" the signing subkey on older implementations, but at
> the same time, we don't have to.
> 
> I was considering suggesting a single-purpose subpacket that could
> only be used for making a back-signature from a signing subkey on the
> primary key data, but it started to look like reinventing the wheel.
> We have a good, working, signature format.  If we just stick it in a
> subpacket, we can leverage all that work.
> 
> Yes, it is a little odd to contemplate the idea that a subpacket can
> contain a signature that contains subpackets which contain a
> signature...  "Great fleas have little fleas upon their backs to bite
> 'em, And little fleas have lesser fleas, and so ad infinitum."
> 
> Is this overkill for the exact problem at hand?  Probably.  On the
> brighter side, it is certainly a more general solution that could be
> useful elsewhere.  For example, it might replace the (as yet unused)
> signature target subpacket: since we can just stick the target
> signature in this proposed subpacket, we don't need the current target
> subpacket anymore.  It also enables interesting possibilities for the
> notary signature.
> 
> David


From owner-ietf-openpgp@mail.imc.org  Wed Jun 25 16:56:30 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA01910
	for <openpgp-archive@lists.ietf.org>; Wed, 25 Jun 2003 16:56:29 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PKZorb085475
	for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 13:35:50 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5PKZocA085473
	for ietf-openpgp-bks; Wed, 25 Jun 2003 13:35:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.115])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PKZmrb085456
	for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 13:35:49 -0700 (PDT)
	(envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net
 (c-67-160-217-89.client.comcast.net [67.160.217.89])
 by mtaout02.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May
 14 2003)) with ESMTP id <0HH200HOV14YI7@mtaout02.icomcast.net> for
 ietf-openpgp@imc.org; Wed, 25 Jun 2003 16:34:11 -0400 (EDT)
Date: Wed, 25 Jun 2003 13:34:03 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: Suggestion for the signing subkey problem
In-reply-to: <200306251924.h5PJOY429735@finney.org>
X-Sender: trevp00@pop.comcast.net
To: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030625130659.028f4e98@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7BIT


At 12:24 PM 6/25/2003 -0700, Hal Finney wrote:


>Derek Atkins writes:
> > Hmm, can subkeys have subkeys?
>
>Subkeys, unlike David's fleas, are not presently afflicted in this way.
>However, if they ever suffered such a transformation, we could probably
>link each top and child key in the same way we are proposing to link
>our single level of parenthood.

With a chain of N subkeys, this requires N back-signatures (so 2N total 
signatures).  You could do it with zero or one back-signatures.  Since PGP 
only has N=1, this may not be useful, but I'll point it out anyway:

An alternative to back-signatures was to include the primary key ID as a 
hashed subpacket in a signature produced by the subkey.  David didn't like 
this for subkeys because it would have to be repeated for every signature 
the subkey produced.  But if you have a chain of subkeys, for every subkey 
except the last, you *have* a signature that the subkey produced.

So if you added the primary key ID into subkey-on-subkey signatures, you'd 
only have to do something different for the last key, such as a 
back-signature, or adding the primary key ID into the signatures it produced.


On a separate point, I think subkeys having subkeys could be 
useful[1].  For example, Alice is going on vacation for a month, and 
doesn't want to bring her primary key.  However, she doesn't want to give 
her cellphone a month-long subkey, in case it gets stolen.  So she issues a 
month-long subkey to an online service that she trusts, and then every day 
uses her cellphone to authenticate to the service and get an 8-hour subkey 
under the service's subkey.

[1] http://www.imc.org/ietf-openpgp/mail-archive/msg05262.html

Trevor 



From owner-ietf-openpgp@mail.imc.org  Thu Jun 26 01:07:27 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA26193
	for <openpgp-archive@lists.ietf.org>; Thu, 26 Jun 2003 01:07:26 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q4k8rb097032
	for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 21:46:08 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5Q4k8QB097031
	for ietf-openpgp-bks; Wed, 25 Jun 2003 21:46:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q4k6rb097026
	for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 21:46:07 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04279182pcs.union01.nj.comcast.net [68.39.100.3])
	by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5Q4k6421788
	for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 00:46:07 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5Q4dSi03976
	for ietf-openpgp@imc.org; Thu, 26 Jun 2003 00:39:28 -0400
Date: Thu, 26 Jun 2003 00:39:28 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Message-ID: <20030626043928.GF2867@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306251924.h5PJOY429735@finney.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200306251924.h5PJOY429735@finney.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (12% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 25, 2003 at 12:24:34PM -0700, Hal Finney wrote:

> As far as David's proposal, as I understand it, when a new subkey is
> created, it signs the main key, along the lines we have been
> discussing.  However, rather than putting that signature on the main
> key, we instead put it into a subpacket of the subkey binding
> signature issued by the main key.  Since the subkey creation process
> has access to the private parts of both keys, there is of course no
> difficulty in creating the signatures in this order and putting them
> in these places.

Exactly.  Note, however, that there is no need for the subkey
generation process to have access to the private part of the primary
key.  Since this subkey-on-primary signature does not need to be part
of (i.e. hashed into) the subkey binding signature, and is just
located on the binding signature for convenience, there is no reason
why it can't be in the unhashed section of the binding signature.  The
subpacket should work equally well in either the hashed or unhashed
section.

> The main advantage I see would be that we would not have a new
> signature sitting on the main key, which some old software might
> choke on if it were particularly particular.  Instead we have a new
> kind of subpacket in the subkey binding signature, which hopefully
> most software will ignore if it is non-critical.

[..]

> This proposal does depend on old software ignoring non-critical
> subpackets, in order for newly created subkeys to still be used by
> old software (at least, old software that allowed the use of signing
> subkeys).

Yes.  I suppose it comes down to which is less likely to cause a
problem: a new signature subpacket, or a new signature class (as
suggested below).  I lean towards a signature subpacket for the
various reasons given in this thread thus far.  There is also a minor
advantage in key maintenance.  If a subkey is deleted, the
back-signature goes with it automatically, and the implementation
doesn't have to search for and delete back signatures elsewhere on the
key.

> One concern I have is the rather generic "1F" signature type proposed
> for the subkey-on-key signatures.  It would probably be better to
> use a new signature type specific for this purpose.  We use "18"
> for the topkey-on-subkey signature, so maybe we could use "19" for the
> subkey-on-topkey.  That would reduce the possibility of an existing "1F"
> signature somehow being put to a new and malicious use.  Introducing a
> new signature type would increase the chance of an implementation choking
> when it finds the signature on the top level key, which would be another
> point in favor of David's suggestion to hide the new sig in a subpacket
> of the topkey-on-subkey.

I think this is an excellent suggestion.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE++nj/4mZch0nhy8kRAltcAJ95z1bANc5YDF8aRYgcGzt8EaYWMACgsDiV
oeYvphw5d+8uOTMouL3bVdY=
=uaZ9
-----END PGP SIGNATURE-----
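The check Hal and David describe above, as an added example that is not code from the thread, from GnuPG or from any OpenPGP implementation: a Go program that models a subkey binding carrying the subkey's back-signature in an embedded-signature subpacket (hashed or unhashed area), verifies it the way a new implementation would, and beside it a legacy verifier that knows nothing of the subpacket and only honours the critical bit. Assumptions: Ed25519 stands in for the OpenPGP signature algorithms, the signed data is a simplified concatenation rather than the OpenPGP packet format, and signature type 0x19 (Hal's suggestion) and subpacket number 32 are made-up values, since the thread assigns no numbers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// 0x18 is the existing subkey binding type; 0x19 (Hal's suggested dedicated type)
// and subpacket 32 are assumed numbers for the back-signature and its subpacket.
const sigSubkeyBinding, sigPrimaryBinding, subpacketEmbedded byte = 0x18, 0x19, 32

type Subpacket struct {
	Type     byte
	Critical bool
	Body     []byte
}

// Signature stands in for an OpenPGP signature packet: only the hashed area is covered.
type Signature struct {
	Type             byte
	Hashed, Unhashed []Subpacket
	Sig              []byte
}

// bindingData is what the 0x18 binding covers (simplified layout, not the wire format).
func bindingData(primary, subkey []byte, t byte, hashed []Subpacket) []byte {
	msg := append(append([]byte{t}, primary...), subkey...)
	for _, sp := range hashed {
		msg = append(append(msg, sp.Type, byte(len(sp.Body))), sp.Body...)
	}
	return msg
}

// backsigData is what the back-signature covers: the primary key data, as in the proposal.
func backsigData(primary []byte) []byte { return append([]byte{sigPrimaryBinding}, primary...) }

// MakeBackSignature is the subkey's side of subkey creation; it needs only the subkey's private part.
func MakeBackSignature(subkeyPriv ed25519.PrivateKey, primary []byte) Signature {
	return Signature{Type: sigPrimaryBinding, Sig: ed25519.Sign(subkeyPriv, backsigData(primary))}
}

// BindSubkey is the primary key's side: it issues the 0x18 binding, carrying the back-signature
// (if any) in the hashed or unhashed area; either works, since it sits here only for convenience.
func BindSubkey(primaryPriv ed25519.PrivateKey, subkeyPub ed25519.PublicKey,
	backsig *Signature, inHashed, critical bool) Signature {
	s := Signature{Type: sigSubkeyBinding}
	if backsig != nil { // subpacket body: one type byte plus the raw signature
		sp := Subpacket{subpacketEmbedded, critical, append([]byte{backsig.Type}, backsig.Sig...)}
		if inHashed {
			s.Hashed = append(s.Hashed, sp)
		} else {
			s.Unhashed = append(s.Unhashed, sp)
		}
	}
	primaryPub := primaryPriv.Public().(ed25519.PublicKey)
	s.Sig = ed25519.Sign(primaryPriv, bindingData(primaryPub, subkeyPub, s.Type, s.Hashed))
	return s
}

// VerifySigningSubkey is the new-implementation check: the binding must verify under the
// primary key AND carry a back-signature that verifies under the subkey over this primary key.
func VerifySigningSubkey(primaryPub, subkeyPub ed25519.PublicKey, b Signature) error {
	if b.Type != sigSubkeyBinding || !ed25519.Verify(primaryPub, bindingData(primaryPub, subkeyPub, b.Type, b.Hashed), b.Sig) {
		return errors.New("subkey binding signature invalid")
	}
	for _, sp := range append(append([]Subpacket{}, b.Hashed...), b.Unhashed...) {
		if sp.Type == subpacketEmbedded {
			if len(sp.Body) != 1+ed25519.SignatureSize || sp.Body[0] != sigPrimaryBinding ||
				!ed25519.Verify(subkeyPub, backsigData(primaryPub), sp.Body[1:]) {
				return errors.New("back-signature malformed or not made for this primary key")
			}
			return nil
		}
	}
	return errors.New("signing subkey carries no back-signature")
}

// LegacyAccepts models old software that knows nothing of the new subpacket: it ignores
// unknown non-critical subpackets but rejects a signature carrying an unknown critical one.
func LegacyAccepts(primaryPub, subkeyPub ed25519.PublicKey, b Signature) bool {
	if !ed25519.Verify(primaryPub, bindingData(primaryPub, subkeyPub, b.Type, b.Hashed), b.Sig) {
		return false
	}
	for _, sp := range append(append([]Subpacket{}, b.Hashed...), b.Unhashed...) {
		if sp.Critical { // every subpacket in this example is unknown to legacy code
			return false
		}
	}
	return true
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	back := MakeBackSignature(subPriv, alicePub)
	fmt.Println("genuine:", VerifySigningSubkey(alicePub, subPub, BindSubkey(alicePriv, subPub, &back, false, false)))
	fmt.Println("re-bound under Mallory, Alice's back-sig copied:", VerifySigningSubkey(malloryPub, subPub, BindSubkey(malloryPriv, subPub, &back, true, false)))
}
```

Re-binding someone else's public subkey under a new primary key fails the new check whether the back-signature is omitted or copied, because only the subkey's private part can sign the impostor's primary key data; the legacy verifier still accepts the genuine key as long as the subpacket is non-critical.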


From owner-ietf-openpgp@mail.imc.org  Thu Jun 26 02:33:03 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA10069
	for <openpgp-archive@lists.ietf.org>; Thu, 26 Jun 2003 02:33:03 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q6HZrb005070
	for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 23:17:35 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5Q6HZjP005069
	for ietf-openpgp-bks; Wed, 25 Jun 2003 23:17:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q6HXrb005008
	for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 23:17:33 -0700 (PDT)
	(envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian))
	id 19VPyd-0005Eo-00
	for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 08:11:23 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian))
	id 19VQ5X-0008R7-00; Thu, 26 Jun 2003 08:18:31 +0200
To: "Hal Finney" <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
References: <200306251926.h5PJQbI29743@finney.org>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Thu, 26 Jun 2003 08:18:30 +0200
In-Reply-To: <200306251926.h5PJQbI29743@finney.org> (Hal Finney's message of
 "Wed, 25 Jun 2003 12:26:37 -0700")
Message-ID: <87of0lbbux.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Wed, 25 Jun 2003 12:26:37 -0700, Hal Finney said:

> can issue signatures just fine, even if they don't usually do so; and the
> same with ElGamal encryption subkeys.  We have loaded up the spec with
> warnings about ElGamal signatures, but in fact those warnings mostly
> relate to chosen plaintext attacks.  In this case it is the key owner

A practical problem with ElGamal signatures is that verification is
really slow.

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



From owner-ietf-openpgp@mail.imc.org  Thu Jun 26 10:51:07 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA28890
	for <openpgp-archive@lists.ietf.org>; Thu, 26 Jun 2003 10:51:06 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEFUrb051242
	for <ietf-openpgp-bks@above.proper.com>; Thu, 26 Jun 2003 07:15:30 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5QEFUew051241
	for ietf-openpgp-bks; Thu, 26 Jun 2003 07:15:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEFRrb051235
	for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 07:15:28 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-11-1.cyberia.net.lb ([195.112.214.2])
          by sand.cyberia.net.lb with SMTP
          id <20030626141053.XDBY3447.sand@ppp-11-1.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 17:10:53 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Date: Thu, 26 Jun 2003 16:56:43 +0200
Message-ID: <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com>
References: <20030625025703.GL4469@jabberwocky.com>
In-Reply-To: <20030625025703.GL4469@jabberwocky.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5QEFTrb051237
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello David,

We are opening a can of worms, and there
will be many more in the future as a result.

Please let me re-iterate:-

As I understand it, sub keys are only justified in the following
circumstances:-
1) When the public key algorithm does not support encryption (e.g. DSA).
2) In agreement with a school of thought, which recommends that
   it is good practice not to use the same key for signing and
   encryption.

Any other arguments beyond the above, are just eccentricities,
and will be better addressed by creating another key.

Therefore, for the sake of simplicity, please permit me to propose
that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
suitable for signing, and ONE optional encryption sub key of an
OpenPGP public key algorithm suitable for encryption (and / or signing
if the owner so desires), PERIOD.

Should the above not be adopted, then, I would like to propose
that subkeys be treated just like any other key.
That is, they ought to be signed by their consumer(s).
After all, when you sign a check, you state the amount, among
other things, no one signs a blank check!
Also, when one signs a contract, one signs the pages
containing the terms of that contract, one does
not append to the later signed blank pages
(to use the analogy of signing OpenPGP v4 keys,
a Power of Attorney to append as many pages),
to be filled in by the other party, as,
when, and with whatever, he deems fit.

What you suggested below may be an acceptable solution as far
as the key owner is concerned, but, what about the consumer?

- From what I could gather, subkeys are attractive, because
they inherit the trust/validity of the master key.
But, isn't that inheritance in breach of the OpenPGP
trust model?

my 2c,

Best regards

Imad R. Faiad

On Tue, 24 Jun 2003 22:57:03 -0400, you wrote:

>
>Hi everyone,
>
>I was thinking about the "stolen signing subkey" problem, and a
>slightly different solution popped up:
>
>What if we create a new "signature in a signature" subpacket that is
>defined as a regular signature contained in a subpacket?  All signing
>subkeys MUST contain such a subpacket in their binding self-signature.
>The "subpacket signature" in this case is made by the signing subkey,
>and on the primary key, hashed as if for a 1F signature.  The end
>result is that the signing subkey has a binding self-signature issued
>by the primary key as we do now, and that binding self-signature has
>an embedded 1F signature on the primary key data issued by the signing
>subkey itself.
>
>One of the nice benefits of using a subpacket here, rather than some
>other scheme is that we can set the critical bit of the subpacket if
>we want to "break" the signing subkey on older implementations, but at
>the same time, we don't have to.
>
>I was considering suggesting a single-purpose subpacket that could
>only be used for making a back-signature from a signing subkey on the
>primary key data, but it started to look like reinventing the wheel.
>We have a good, working, signature format.  If we just stick it in a
>subpacket, we can leverage all that work.
>
>Yes, it is a little odd to contemplate the idea that a subpacket can
>contain a signature that contains subpackets which contain a
>signature...  "Great fleas have little fleas upon their backs to bite
>'em, And little fleas have lesser fleas, and so ad infinitum."
>
>Is this overkill for the exact problem at hand?  Probably.  On the
>brighter side, it is certainly a more general solution that could be
>useful elsewhere.  For example, it might replace the (as yet unused)
>signature target subpacket: since we can just stick the target
>signature in this proposed subpacket, we don't need the current target
>subpacket anymore.  It also enables interesting possibilities for the
>notary signature.
>
>David

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Thu Jun 26 11:05:10 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA29914
	for <openpgp-archive@lists.ietf.org>; Thu, 26 Jun 2003 11:05:08 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEbGrb051778
	for <ietf-openpgp-bks@above.proper.com>; Thu, 26 Jun 2003 07:37:16 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5QEbGRM051777
	for ietf-openpgp-bks; Thu, 26 Jun 2003 07:37:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp1.kodak.com (smtp1.kodak.com [192.232.121.200])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEbErb051770
	for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 07:37:15 -0700 (PDT)
	(envelope-from john.dlugosz@kodak.com)
Received: from knotes3.kodak.com (knotes3.kp.kodak.com [150.103.137.52])
	by smtp1.kodak.com (8.11.3/8.11.1) with ESMTP id h5QEb8m01014;
	Thu, 26 Jun 2003 10:37:08 -0400 (EDT)
Subject: Re: AES-256 vs AES-128
To: markowitz@infoseccorp.com
Cc: ietf-openpgp@imc.org
X-Mailer: Lotus Notes Release 5.0.5  September 22, 2000
Message-ID: <OF75E9A5EA.12A08C3E-ON86256D51.00502A40@kodak.com>
From: john.dlugosz@kodak.com
Date: Thu, 26 Jun 2003 09:37:05 -0500
X-MIMETrack: Serialize by Router on KNOTES3/ISBP/EKC(Release 5.0.11  |July 24, 2002) at
 06/26/2003 10:36:45 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>



And, I just picked up Bruce Schneier's new book, and he recommends AES-256 to
get 128-bit actual strength in light of birthday attacks and
meet-in-the-middle attacks.



                                                                                                                                  
Mike Markowitz <markowitz@infoseccorp.com>
Sent by: owner-ietf-openpgp@mail.imc.org
06/24/2003 03:54 PM

To:      moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
cc:      ietf-openpgp@imc.org
Subject: Re: AES-256 vs AES-128

At 03:10 PM 5/31/2003 +0200, Bodo Moeller wrote:

>Of course arguably 128 bits are by far enough so that you don't really
>have to worry about anything of this -- unless you think that quantum
>attacks might become realistic.

Just when you thought this thread was dead... <g>

Here is NSA's current view of the matter (from the recent "CNSS Policy No. 15,
FS-1" document: http://csrc.nist.gov/cryptval/CNSS15FS.pdf):

"(6) The design and strength of all key lengths of the AES algorithm (i.e.,
128, 192 and 256) are sufficient to protect classified information up to the
SECRET level.  TOP SECRET information will require use of either the 192 or
256 key lengths."

-mjm








From owner-ietf-openpgp@mail.imc.org  Thu Jun 26 17:05:18 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA21624
	for <openpgp-archive@lists.ietf.org>; Thu, 26 Jun 2003 17:05:18 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QKlVrb072873
	for <ietf-openpgp-bks@above.proper.com>; Thu, 26 Jun 2003 13:47:31 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5QKlV6t072872
	for ietf-openpgp-bks; Thu, 26 Jun 2003 13:47:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QKlUrb072866
	for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 13:47:30 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04279613pcs.union01.nj.comcast.net [68.39.101.178])
	by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5QKlS424881
	for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 16:47:28 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5QKlMM08221
	for ietf-openpgp@imc.org; Thu, 26 Jun 2003 16:47:22 -0400
Date: Thu, 26 Jun 2003 16:47:22 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Message-ID: <20030626204722.GI2867@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306251926.h5PJQbI29743@finney.org> <87of0lbbux.fsf@alberti.g10code.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <87of0lbbux.fsf@alberti.g10code.de>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (12% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 26, 2003 at 08:18:30AM +0200, Werner Koch wrote:
> 
> On Wed, 25 Jun 2003 12:26:37 -0700, Hal Finney said:
> 
> > can issue signatures just fine, even if they don't usually do so; and the
> > same with ElGamal encryption subkeys.  We have loaded up the spec with
> > warnings about ElGamal signatures, but in fact those warnings mostly
> > relate to chosen plaintext attacks.  In this case it is the key owner
> 
> A practical problem with ElGamal signatures is that verification is
> really slow.

True.  I rather like Hal's suggestion to do back-signatures for all
keys, but I wouldn't make it a requirement.  We MUST do it for signing
subkeys to avoid the security problem, but why not make it a MAY for
any other key that someone cares to use it on.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE++1va4mZch0nhy8kRAn9jAKCtNSxqdxZ61ggMBjQ69F+oDZSR2wCg0okU
RMRmR5m8aqMUsrAZpz9YyfU=
=JCN2
-----END PGP SIGNATURE-----


From owner-ietf-openpgp@mail.imc.org  Fri Jun 27 10:28:17 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA00678
	for <openpgp-archive@lists.ietf.org>; Fri, 27 Jun 2003 10:28:16 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RE4Grb041661
	for <ietf-openpgp-bks@above.proper.com>; Fri, 27 Jun 2003 07:04:16 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5RE4GbV041660
	for ietf-openpgp-bks; Fri, 27 Jun 2003 07:04:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RE4Frb041635
	for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 07:04:15 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04030795pcs.union01.nj.comcast.net [68.36.47.61])
	by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5RE4A427645
	for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 10:04:10 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id h5RE3wi12240
	for ietf-openpgp@imc.org; Fri, 27 Jun 2003 10:03:58 -0400
Date: Fri, 27 Jun 2003 10:03:58 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Message-ID: <20030627140358.GC11762@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <20030625025703.GL4469@jabberwocky.com> <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (12% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 26, 2003 at 04:56:43PM +0200, Imad R. Faiad wrote:

> As I understand it, sub keys are only justified in the following
> circumstances:-
> 1) When the public key algorithm does not support encryption (e.g. DSA).
> 2) In agreement with a school of thought, which recommends that
>    it is good practice not to use the same key for signing and
>    encryption.
> 
> Any other arguments beyond the above, are just eccentricities,
> and will be better addressed by creating another key.

One person's eccentricity is another person's operational requirement.
OpenPGP should be flexible enough to accommodate both.

> Therefore, for the sake of simplicity, please permit me to propose
> that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
> suitable for signing, and ONE optional encryption sub key of an
> OpenPGP public key algorithm suitable for encryption (and / or signing
> if the owner so desires), PERIOD.

I guess I don't really see how this helps.  Remember that both
multiple subkeys and signing subkeys are from 2440.  These are not new
inventions in 2440bis, and are already widely supported in the field.
All versions of PGP (5+) and GnuPG support multiple subkeys.  All
versions of GnuPG and PGP 8 support signing subkeys.

What is under discussion here is a simple fix for a design weakness in
signing subkeys.  Forcing all v4 keys to have one and only one subkey
would effectively declare every current OpenPGP implementation
noncompliant, and even then not solve the problem at hand with
sign+encrypt subkeys.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+/E7O4mZch0nhy8kRAqrTAJwP/CHJbTIWGvyytLg5W+m6P+d3CwCeK/Vs
1xXVZNUeHnkTcqn549cflDc=
=/D3j
-----END PGP SIGNATURE-----
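
[Editorial illustration added to this archive page; it is not part of any
message in the thread and is not code from GnuPG, PGP or any other OpenPGP
implementation.  It models the "design weakness in signing subkeys" that David
Shaw refers to in the two messages above, and the back-signature Hal Finney
proposed that Shaw wants made a MUST for signing subkeys: without it, a subkey
binding is signed by the primary key alone, so anyone can bind somebody else's
public signing subkey under their own primary key.  Textbook RSA over SHA-256
with no padding (insecure for real use) stands in for the signature algorithm,
and a plain dict stands in for the subkey binding signature and its embedded
primary-key binding signature (the 0x18 and 0x19 signature types later fixed
in 2440bis/RFC 4880); only the binding logic, not the wire format, is faithful.
The names Alice, Mallory, bind_subkey and verify_binding are invented here.]

```python
"""Model of the OpenPGP signing-subkey weakness and the back-signature fix.

Constructed example for this archive page, not code from GnuPG, PGP or any
OpenPGP implementation.  Textbook RSA over SHA-256 (no padding, insecure for
real use) stands in for the signature algorithm; the 'binding' dict stands in
for a subkey binding signature optionally carrying a back-signature."""
import hashlib
import random

_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a demonstration keypair."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Textbook RSA keypair: (public=(n, e), private=(n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message):
    n, d = private
    return pow(_digest(message), d, n)  # digest < 2**256 < n, no reduction needed

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message)

def binding_payload(primary_pub, subkey_pub, flags):
    """Covered by the binding signature AND the back-signature.  Naming the
    primary key here is what stops a back-signature being transplanted."""
    return repr((primary_pub, subkey_pub, flags)).encode()

def bind_subkey(primary_priv, primary_pub, subkey_pub, flags, subkey_priv=None):
    """Primary key certifies the subkey.  If the subkey's secret is on hand it
    also signs the same payload (the back-signature), proving the subkey's
    holder agreed to be bound under this particular primary key."""
    payload = binding_payload(primary_pub, subkey_pub, flags)
    binding = {"subkey": subkey_pub, "flags": flags, "sig": sign(primary_priv, payload)}
    if subkey_priv is not None:
        binding["backsig"] = sign(subkey_priv, payload)
    return binding

def verify_binding(primary_pub, binding, require_backsig):
    """require_backsig=False is the RFC 2440 check under discussion; True adds
    the fix, applied only to signing-capable ("S") subkeys."""
    payload = binding_payload(primary_pub, binding["subkey"], binding["flags"])
    if not verify(primary_pub, payload, binding["sig"]):
        return False
    if require_backsig and "S" in binding["flags"]:
        backsig = binding.get("backsig")
        return backsig is not None and verify(binding["subkey"], payload, backsig)
    return True

def demo():
    """Returns (old check accepts forgery, new check accepts forgery,
    new check accepts genuine binding, new check accepts transplanted backsig)."""
    alice_pub, alice_priv = keygen()
    sub_pub, sub_priv = keygen()
    genuine = bind_subkey(alice_priv, alice_pub, sub_pub, "S", sub_priv)

    # Mallory has only Alice's public key block.  Re-binding her signing subkey
    # under his own primary key needs nothing but HIS secret key.
    mallory_pub, mallory_priv = keygen()
    forged = bind_subkey(mallory_priv, mallory_pub, sub_pub, "S")

    old_accepts_forgery = verify_binding(mallory_pub, forged, False)
    new_accepts_forgery = verify_binding(mallory_pub, forged, True)
    new_accepts_genuine = verify_binding(alice_pub, genuine, True)

    # Copying Alice's back-signature does not help: it covers a payload that
    # names Alice's primary key, so it fails against Mallory's binding.
    transplanted = dict(forged, backsig=genuine["backsig"])
    new_accepts_transplant = verify_binding(mallory_pub, transplanted, True)
    return old_accepts_forgery, new_accepts_forgery, new_accepts_genuine, new_accepts_transplant
```

Running demo() gives (True, False, True, False): the 2440-style check accepts
Mallory's re-binding of Alice's signing subkey, while the back-signature check
rejects both his bare re-binding and his attempt to reuse Alice's own
back-signature, yet still accepts Alice's genuine binding.  The payload that
both signatures cover must include the primary key; if it covered only the
subkey, the transplant in the last step would succeed.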


From owner-ietf-openpgp@mail.imc.org  Fri Jun 27 19:24:41 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA25655
	for <openpgp-archive@lists.ietf.org>; Fri, 27 Jun 2003 19:24:40 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RN4nrb067587
	for <ietf-openpgp-bks@above.proper.com>; Fri, 27 Jun 2003 16:04:49 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5RN4nk1067586
	for ietf-openpgp-bks; Fri, 27 Jun 2003 16:04:49 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RN4krb067578
	for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 16:04:47 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-09-58.cyberia.net.lb ([195.112.204.156])
          by sand.cyberia.net.lb with SMTP
          id <20030627230009.YMBJ3447.sand@ppp-09-58.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Sat, 28 Jun 2003 02:00:09 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Date: Sat, 28 Jun 2003 01:45:46 +0200
Message-ID: <8olpfvooukihld6812a3tsthlqte2ebe6c@4ax.com>
References: <20030625025703.GL4469@jabberwocky.com> <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com> <20030627140358.GC11762@jabberwocky.com>
In-Reply-To: <20030627140358.GC11762@jabberwocky.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5RN4mrb067582
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello David,

On Fri, 27 Jun 2003 10:03:58 -0400, you wrote:

>
>[818D9699]*** PGP SIGNATURE VERIFICATION ***
>[818D9699]*** Hash: SHA1
>[818D9699]*** Status: Good Signature from Invalid Key
>[818D9699]*** Alert: NEVER TRUST A V4 KEY.
>[818D9699]*** Signer: David M. Shaw <dshaw@jabberwocky.com>
>[818D9699]*** Note: Signing Key is a Sub-Key!
>[818D9699]*** Key ID: 0xE2665C8749E1CBC9
>[818D9699]*** Fingerprint: FC2A 0E9B 5122 7D7B 5923  2CE6 E266 5C87 49E1 CBC9
>[818D9699]*** Signed: 6/27/2003 4:03:58 PM
>[818D9699]*** Verified: 6/27/2003 11:58:15 PM
>[818D9699]*** BEGIN PGP VERIFIED MESSAGE ***
>
>On Thu, Jun 26, 2003 at 04:56:43PM +0200, Imad R. Faiad wrote:
>
>> As I understand it, sub keys are only justified in the following
>> circumstances:-
>> 1) When the public key algorithm does not support encryption (e.g. DSA).
>> 2) In agreement with a school of thought, which recommends that
>>    it is good practice not to use the same key for signing and
>>    encryption.
>> 
>> Any other arguments beyond the above, are just eccentricities,
>> and will be better addressed by creating another key.
>
>One person's eccentricity is another person's operational requirement.
>OpenPGP should be flexible enough to accommodate both.
>
Exactly, it's an operational requirement; therefore, please by all
means exclude such requirements from a standard which, as I understand
it, defines OpenPGP packet formats.  Operational requirements depend
on one's taste.  And needless to say, tastes differ, so please do not
burden that standard with one group's view of what these operational
requirements should be...  I am sure, with some thought, you or anyone
for that matter can come up with something to meet those requirements
with just the humblest of OpenPGP keys.  If on the other hand
you feel that these operational requirements are the best thing
since sliced bread, then by all means spawn another RFC
to standardize them.

I do not share your view that OpenPGP should be flexible when that
flexibility leads to complexity. OpenPGP should be as simple as possible
without compromising security; that is, it should be easily implemented,
unambiguous, and understood by its users.

A lot of users have a hard time as it is understanding the concepts
of Public Key Encryption. We are creating barriers for users
and implementors.  As I understand it, OpenPGP is supposed to be
a standard whose end users are supposed to be the masses.
I cannot see how the masses can be served with the operational
requirements of paranoids, I mean those of us who feel impelled
to have off- and on-line boxes, super duper master keys to be
used in super duper secure environments, with lesser sub keys which
expire on the hour...  Hey, what are you guys protecting? Nukes?
If that is the case, maybe you guys need something more than
Pretty Good Privacy...

>> Therefore, for the sake of simplicity, please permit me to propose
>> that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
>> suitable for signing, and ONE optional encryption sub key of an
>> OpenPGP public key algorithm suitable for encryption (and / or signing
>> if the owner so desires), PERIOD.
>
>I guess I don't really see how this helps.  Remember that both
>multiple subkeys and signing subkeys are from 2440.  These are not new
>inventions in 2440bis, and are already widely supported in the field.
>All versions of PGP (5+) and GnuPG support multiple subkeys.  All
>versions of GnuPG and PGP 8 support signing subkeys.
>
The reason that I have proposed the above, is because I am very concerned
about v4 keys in general, and in particular sub keys.  Also, I do
believe in the principle that less is better, especially so
for crypto software.
>What is under discussion here is a simple fix for a design weakness in
>signing subkeys.  Forcing all v4 keys to have one and only one subkey
>would effectively declare every current OpenPGP implementation
>noncompliant, and even then not solve the problem at hand with
>sign+encrypt subkeys.
>
The problem is a lot more than that.  V4 keys are flawed to begin
with.  Please re-read what I stated in my previous message,
in particular the sections which you snipped.
I think that this is a problem which should be addressed.
>David
>
No offense,
and with all respect,

Best Regards

Imad R. Faiad
>[818D9699]*** END PGP VERIFIED MESSAGE ***

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPvzIqbzDFxiDPxutAQIqAQgAjkRMqXuNRWGycNNd8g4yh0tS88TQMsbC
VGLkiwi1qcYZPzH5OvEaoG549jXLn+/N609OkSmS71CRsCDr/mUrmKclLVfdeHCw
XqCE1qFNzq9bUFb7HXzVzWAPDpebmN9Ys/WdOj8Fbe3/1+t9iOZHxiuQLFY1RPzt
W+JOBdUE5em4g867OKdQrY6ShWHmbZJICmObuWDTJWwRPIAEeR1L/jHgV9Pvascr
N/voRsxQ+jXTR91p6QuzYiJk9cnMHXVI1XUtg+tF8nUIsQP/B0s7j6wywqkjtPDZ
rjmeWcnn8DtQbREa1pPMbWFaZ46dZUotzhO6xc4A68Ws40F4WWu5hA==
=MwPc
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Fri Jun 27 19:45:52 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA26493
	for <openpgp-archive@lists.ietf.org>; Fri, 27 Jun 2003 19:45:52 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RNUJrb068720
	for <ietf-openpgp-bks@above.proper.com>; Fri, 27 Jun 2003 16:30:19 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5RNUJgK068719
	for ietf-openpgp-bks; Fri, 27 Jun 2003 16:30:19 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h5RNUHrb068714
	for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 16:30:18 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.21361-0@bells.cs.ucl.ac.uk>;
          Sat, 28 Jun 2003 00:30:12 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>
Cc: ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: Suggestion for the signing subkey problem
Date: Sat, 28 Jun 2003 00:30:08 +0100
Message-ID: <03d601c33d04$0c42e520$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <8olpfvooukihld6812a3tsthlqte2ebe6c@4ax.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5RNUIrb068715
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


I am amazed that this thread is still running several weeks after you
started it, with virtually every response refuting your arguments...

>>One person's eccentricity is another person's operational requirement.
>>OpenPGP should be flexible enough to accommodate both.
>>
>Exactly, it's an operational requirement, therefore, please 
>by all means exclude such requirements from a standard,

You seem unable to understand the difference between enabling
functionality through a standard and mandating it. RFC 2440 has allowed
subkeys for several years now. You need to make the case to remove this
functionality better than you have done so far.
  
> If on the other hand you feel that these operational 
> requirement are the best thing since sliced bread, than by 
> all means, spawn another RFC to standardize them.

RFC 2440 was published five years ago. I look forward to your draft
removing multiple subkey capability from it. 





From owner-ietf-openpgp@mail.imc.org  Sun Jun 29 13:36:55 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA02731
	for <openpgp-archive@lists.ietf.org>; Sun, 29 Jun 2003 13:36:54 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5THEtFK029657
	for <ietf-openpgp-bks@above.proper.com>; Sun, 29 Jun 2003 10:14:55 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5THEtKM029656
	for ietf-openpgp-bks; Sun, 29 Jun 2003 10:14:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5THEqFK029649
	for <ietf-openpgp@imc.org>; Sun, 29 Jun 2003 10:14:53 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from ppp-11-28.cyberia.net.lb ([195.112.214.29])
          by sand.cyberia.net.lb with SMTP
          id <20030629171016.ZEGY3447.sand@ppp-11-28.cyberia.net.lb>
          for <ietf-openpgp@imc.org>; Sun, 29 Jun 2003 20:10:16 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Date: Sun, 29 Jun 2003 19:14:36 +0200
Message-ID: <t67ufvs4em6vlr8rm9o71ba3gdj7tuhrni@4ax.com>
References: <8olpfvooukihld6812a3tsthlqte2ebe6c@4ax.com> <03d601c33d04$0c42e520$39632352@happy>
In-Reply-To: <03d601c33d04$0c42e520$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5THEsFK029652
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Ian,

On Sat, 28 Jun 2003 00:30:08 +0100, you wrote:

>
>I am amazed that this thread is still running several weeks after you
>started it, with virtually every response refuting your arguments...
>
And what amazes me is that you have yet to grasp what we are
talking about!  Please re-read the thread; some issues have
been addressed.  I sincerely hope that you re-read each and
every message in that thread, because you are tailor-made
for the kind of attacks which can be inflicted on your
OpenPGP keys.
>>>One person's eccentricity is another person's operational requirement. 
>
>>>OpenPGP should be flexible enough to accomodate both.
>>>
>>Exactly, it's an operational requirement, therefore, please 
>>by all means exclude such requirements from a standard,
>
>You seem unable to understand the difference between enabling
>functionality through a standard and mandating it. RFC 2440 has allowed
>subkeys for several years now. You need to make the case to remove this
>functionality better than you have done so far.
>
No problems, I mean what can I say???
>> If on the other hand you feel that these operational 
>> requirement are the best thing since sliced bread, than by 
>> all means, spawn another RFC to standardize them.
>
>RFC 2440 was published five years ago. I look forward to your draft
>removing multiple subkey capability from it. 
I am no paper pusher, and do not have the funding or time/ability
to publish RFCs.

And no offence,

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPv8ea7zDFxiDPxutAQItUAf+OPJV0E9nqAS+FdL9blF77rjp78FuLMRc
PLHLVJJtP6bXUx2kCK0N72JeCdb7300+elekoKbRkbQ4gHOA/MRioZDpQdSp2Dpi
9tdjyBKJVy/RiGy0j2j/EuP9RyxIIZ8drdpyw+omenIUEWlj6s82NfVpZZNqLlos
EjDkhmICgJSQU2AKZMY5lNE4zBVLZIUGMWyvSx0uz8fppP+pJ7ScP8gSJJXb4LCH
+go3sioEjG/zSn2jpgQPEIEOcAtystdqfzeVopnl4Qm9CLSwzWvftjIXkRdkUFZK
ygk/1efgfdB0K79AePkP2aQK4Cilupm6FWTk6a3j/J4FT6s/IzF64g==
=Zgqk
-----END PGP SIGNATURE-----




From owner-ietf-openpgp@mail.imc.org  Sun Jun 29 18:18:47 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA09787
	for <openpgp-archive@lists.ietf.org>; Sun, 29 Jun 2003 18:18:46 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h5TM1oFK036847
	for <ietf-openpgp-bks@above.proper.com>; Sun, 29 Jun 2003 15:01:50 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h5TM1oVD036846
	for ietf-openpgp-bks; Sun, 29 Jun 2003 15:01:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31])
	by above.proper.com (8.12.9/8.12.8) with SMTP id h5TM1eFK036832
	for <ietf-openpgp@imc.org>; Sun, 29 Jun 2003 15:01:40 -0700 (PDT)
	(envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk 
          by bells.cs.ucl.ac.uk with UK SMTP id <g.18721-0@bells.cs.ucl.ac.uk>;
          Sun, 29 Jun 2003 23:01:39 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>,
        ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: Suggestion for the signing subkey problem
Date: Sun, 29 Jun 2003 23:01:26 +0100
Message-ID: <047b01c33e89$fd852930$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <t67ufvs4em6vlr8rm9o71ba3gdj7tuhrni@4ax.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5TM1fFK036834
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


> >I am amazed that this thread is still running several weeks 
> after you 
> >started it, with virtually every response refuting your arguments...
> >
> And what amazes me, is that you have yet to grasp what we are 
> talking about!  Please re-read the thread, some issues have 
> been addressed.  I sincerely hope that you re-read each and 
> every message in that thread, because, you are taylor made 
> for the kind of attacks which can be inflicted to your OpenPGP keys.

I've read all the messages. Your request that subkey capability be
essentially removed has been rejected by all of them.

> >RFC 2440 was published five years ago. I look forward to your draft 
> >removing multiple subkey capability from it.
> I am no paper pusher, and do not have the funding or 
> time/ability to publish RFC's

So I guess this thread is at an end then, with the capability remaining.





From owner-ietf-openpgp@mail.imc.org  Mon Jun 30 22:19:09 2003
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA26782
	for <openpgp-archive@lists.ietf.org>; Mon, 30 Jun 2003 22:19:09 -0400 (EDT)
Received: from above.proper.com (localhost [127.0.0.1])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h611vOFK090484
	for <ietf-openpgp-bks@above.proper.com>; Mon, 30 Jun 2003 18:57:24 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.9/8.12.9/Submit) id h611vNNb090483
	for ietf-openpgp-bks; Mon, 30 Jun 2003 18:57:23 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22])
	by above.proper.com (8.12.9/8.12.8) with ESMTP id h611vMFK090478
	for <ietf-openpgp@imc.org>; Mon, 30 Jun 2003 18:57:23 -0700 (PDT)
	(envelope-from frantz@pwpconsult.com)
Received: from h-69-3-191-238.snvacaid.covad.net ([69.3.191.238] helo=[192.168.1.5])
	by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #1)
	id 19XAOZ-0004fQ-01; Mon, 30 Jun 2003 18:57:23 -0700
X-Sender: frantz%pwpconsult.com@pop.business.earthlink.net
Message-Id: <v03110703bb2681b8a99d@[192.168.1.5]>
In-Reply-To: <200306251926.h5PJQbI29743@finney.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 30 Jun 2003 18:57:14 -0700
To: "Hal Finney" <hal@finney.org>, ietf-openpgp@imc.org
From: Bill Frantz <frantz@pwpconsult.com>
Subject: Re: Suggestion for the signing subkey problem
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


At 12:26 PM -0700 6/25/03, Hal Finney wrote:
>... since we don't seem to be able to come up with
>much of a fraud by putting someone else's subkey under your own topkey.

There doesn't seem to be much difference operationally between putting
someone else's subkey under your topkey, and giving away the secret
component of your own subkey.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | "A Jobless Recovery is | Periwinkle -- Consulting
(408)356-8506         | like a Breadless Sand- | 16345 Englewood Ave.
frantz@pwpconsult.com | wich." -- Steve Schear | Los Gatos, CA 95032, USA





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5TM1oFK036847 for <ietf-openpgp-bks@above.proper.com>; Sun, 29 Jun 2003 15:01:50 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5TM1oVD036846 for ietf-openpgp-bks; Sun, 29 Jun 2003 15:01:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h5TM1eFK036832 for <ietf-openpgp@imc.org>; Sun, 29 Jun 2003 15:01:40 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.18721-0@bells.cs.ucl.ac.uk>; Sun, 29 Jun 2003 23:01:39 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: Suggestion for the signing subkey problem
Date: Sun, 29 Jun 2003 23:01:26 +0100
Message-ID: <047b01c33e89$fd852930$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <t67ufvs4em6vlr8rm9o71ba3gdj7tuhrni@4ax.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5TM1fFK036834
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> >I am amazed that this thread is still running several weeks 
> after you 
> >started it, with virtually every response refuting your arguments...
> >
> And what amazes me, is that you have yet to grasp what we are 
> talking about!  Please re-read the thread, some issues have 
> been addressed.  I sincerely hope that you re-read each and 
> every message in that thread, because, you are tailor made
> for the kind of attacks which can be inflicted to your OpenPGP keys.

I've read all the messages. Your request that subkey capability be
essentially removed has been rejected by all of them.

> >RFC 2440 was published five years ago. I look forward to your draft 
> >removing multiple subkey capability from it.
> I am no paper pusher, and do not have the funding or 
> time/ability to publish RFC's

So I guess this thread is at an end then, with the capability remaining.





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5THEtFK029657 for <ietf-openpgp-bks@above.proper.com>; Sun, 29 Jun 2003 10:14:55 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5THEtKM029656 for ietf-openpgp-bks; Sun, 29 Jun 2003 10:14:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5THEqFK029649 for <ietf-openpgp@imc.org>; Sun, 29 Jun 2003 10:14:53 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-11-28.cyberia.net.lb ([195.112.214.29]) by sand.cyberia.net.lb with SMTP id <20030629171016.ZEGY3447.sand@ppp-11-28.cyberia.net.lb> for <ietf-openpgp@imc.org>; Sun, 29 Jun 2003 20:10:16 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Date: Sun, 29 Jun 2003 19:14:36 +0200
Message-ID: <t67ufvs4em6vlr8rm9o71ba3gdj7tuhrni@4ax.com>
References: <8olpfvooukihld6812a3tsthlqte2ebe6c@4ax.com> <03d601c33d04$0c42e520$39632352@happy>
In-Reply-To: <03d601c33d04$0c42e520$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5THEsFK029652
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Ian,

On Sat, 28 Jun 2003 00:30:08 +0100, you wrote:

>
>I am amazed that this thread is still running several weeks after you
>started it, with virtually every response refuting your arguments...
>
And what amazes me, is that you have yet to grasp what we are
talking about!  Please re-read the thread, some issues have
been addressed.  I sincerely hope that you re-read each and
every message in that thread, because, you are tailor made
for the kind of attacks which can be inflicted to your
OpenPGP keys.
>>>One person's eccentricity is another person's operational requirement. 
>
>>>OpenPGP should be flexible enough to accommodate both.
>>>
>>Exactly, it's an operational requirement, therefore, please 
>>by all means exclude such requirements from a standard,
>
>You seem unable to understand the difference between enabling
>functionality through a standard and mandating it. RFC 2440 has allowed
>subkeys for several years now. You need to make the case to remove this
>functionality better than you have done so far.
>
No problems, I mean what can I say???
>> If on the other hand you feel that these operational 
>> requirement are the best thing since sliced bread, then by 
>> all means, spawn another RFC to standardize them.
>
>RFC 2440 was published five years ago. I look forward to your draft
>removing multiple subkey capability from it. 
I am no paper pusher, and do not have the funding or time/ability
to publish RFC's

And no offence,

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPv8ea7zDFxiDPxutAQItUAf+OPJV0E9nqAS+FdL9blF77rjp78FuLMRc
PLHLVJJtP6bXUx2kCK0N72JeCdb7300+elekoKbRkbQ4gHOA/MRioZDpQdSp2Dpi
9tdjyBKJVy/RiGy0j2j/EuP9RyxIIZ8drdpyw+omenIUEWlj6s82NfVpZZNqLlos
EjDkhmICgJSQU2AKZMY5lNE4zBVLZIUGMWyvSx0uz8fppP+pJ7ScP8gSJJXb4LCH
+go3sioEjG/zSn2jpgQPEIEOcAtystdqfzeVopnl4Qm9CLSwzWvftjIXkRdkUFZK
ygk/1efgfdB0K79AePkP2aQK4Cilupm6FWTk6a3j/J4FT6s/IzF64g==
=Zgqk
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RNUJrb068720 for <ietf-openpgp-bks@above.proper.com>; Fri, 27 Jun 2003 16:30:19 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5RNUJgK068719 for ietf-openpgp-bks; Fri, 27 Jun 2003 16:30:19 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h5RNUHrb068714 for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 16:30:18 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.21361-0@bells.cs.ucl.ac.uk>; Sat, 28 Jun 2003 00:30:12 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>
Cc: ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: Suggestion for the signing subkey problem
Date: Sat, 28 Jun 2003 00:30:08 +0100
Message-ID: <03d601c33d04$0c42e520$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
In-Reply-To: <8olpfvooukihld6812a3tsthlqte2ebe6c@4ax.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5RNUIrb068715
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I am amazed that this thread is still running several weeks after you
started it, with virtually every response refuting your arguments...

>>One person's eccentricity is another person's operational requirement.

>>OpenPGP should be flexible enough to accommodate both.
>>
>Exactly, it's an operational requirement, therefore, please 
>by all means exclude such requirements from a standard,

You seem unable to understand the difference between enabling
functionality through a standard and mandating it. RFC 2440 has allowed
subkeys for several years now. You need to make the case to remove this
functionality better than you have done so far.
  
> If on the other hand you feel that these operational 
> requirement are the best thing since sliced bread, then by 
> all means, spawn another RFC to standardize them.

RFC 2440 was published five years ago. I look forward to your draft
removing multiple subkey capability from it. 





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RN4nrb067587 for <ietf-openpgp-bks@above.proper.com>; Fri, 27 Jun 2003 16:04:49 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5RN4nk1067586 for ietf-openpgp-bks; Fri, 27 Jun 2003 16:04:49 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RN4krb067578 for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 16:04:47 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-09-58.cyberia.net.lb ([195.112.204.156]) by sand.cyberia.net.lb with SMTP id <20030627230009.YMBJ3447.sand@ppp-09-58.cyberia.net.lb> for <ietf-openpgp@imc.org>; Sat, 28 Jun 2003 02:00:09 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Date: Sat, 28 Jun 2003 01:45:46 +0200
Message-ID: <8olpfvooukihld6812a3tsthlqte2ebe6c@4ax.com>
References: <20030625025703.GL4469@jabberwocky.com> <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com> <20030627140358.GC11762@jabberwocky.com>
In-Reply-To: <20030627140358.GC11762@jabberwocky.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5RN4mrb067582
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello David,

On Fri, 27 Jun 2003 10:03:58 -0400, you wrote:

>
>[818D9699]*** PGP SIGNATURE VERIFICATION ***
>[818D9699]*** Hash: SHA1
>[818D9699]*** Status: Good Signature from Invalid Key
>[818D9699]*** Alert: NEVER TRUST A V4 KEY.
>[818D9699]*** Signer: David M. Shaw <dshaw@jabberwocky.com>
>[818D9699]*** Note: Signing Key is a Sub-Key!
>[818D9699]*** Key ID: 0xE2665C8749E1CBC9
>[818D9699]*** Fingerprint: FC2A 0E9B 5122 7D7B 5923  2CE6 E266 5C87 49E1
>CBC9 [818D9699]*** Signed: 6/27/2003 4:03:58 PM
>[818D9699]*** Verified: 6/27/2003 11:58:15 PM
>[818D9699]*** BEGIN PGP VERIFIED MESSAGE ***
>
>On Thu, Jun 26, 2003 at 04:56:43PM +0200, Imad R. Faiad wrote:
>
>> As I understand it, sub keys are only justified in the following
>> circumstances:-
>> 1) When the public key algorithm does not support encryption (e.g. DSA).
>> 2) In agreement with a school of thought, which recommends that
>>    it is good practice not to use the same key for signing and
>>    encryption.
>> 
>> Any other arguments beyond the above, are just eccentricities,
>> and will be better addressed by creating another key.
>
>One person's eccentricity is another person's operational requirement.
>OpenPGP should be flexible enough to accommodate both.
>
Exactly, it's an operational requirement, therefore, please by all
means exclude such requirements from a standard, which as I understand
it, defines OpenPGP packet formats.  Operational requirement, depends
on one's taste.  And needless to say, tastes differ, so please do not
burden that standard with one group's view of what these operational
requirements should be...  I am sure, with some thought, you or anyone
for that matter can come up with something, to meet those requirements,
with just the humblest of OpenPGP keys.  If on the other hand
you feel that these operational requirements are the best thing
since sliced bread, then by all means, spawn another RFC
to standardize them.

I do not share your view that OpenPGP should be flexible when that
flexibility leads to complexity. OpenPGP should be as simple as possible,
without compromising security that is, it should be easily implemented,
unambiguous, and understood by its users.

A lot of users have a hard time as it is, understanding the concepts
of Public Key Encryption. We are creating barriers for users,
and implementors.  As I understand it, OpenPGP is supposed to be
a standard whose end users are supposed to be the masses.
I cannot see how the masses can be served with the operational
requirements of paranoids, I mean those of us who feel impelled
to have off and on line boxes, super duper master keys to be
used in a super duper secure environments, with lesser sub keys which
expire on the hour...  Hey what are you guys protecting? Nukes?
If that is the case, maybe you guys need something more than
Pretty Good Privacy...
>> Therefore, for the sake of simplicity, please permit me to propose
>> that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
>> suitable for signing, and ONE optional encryption sub key of an
>> OpenPGP public key algorithm suitable for encryption (and / or signing
>> if the owner so desires), PERIOD.
>
>I guess I don't really see how this helps.  Remember that both
>multiple subkeys and signing subkeys are from 2440.  These are not new
>inventions in 2440bis, and are already widely supported in the field.
>All versions of PGP (5+) and GnuPG support multiple subkeys.  All
>versions of GnuPG and PGP 8 support signing subkeys.
>
The reason that I have proposed the above, is because I am very concerned
about v4 keys in general, and in particular sub keys.  Also, I do
believe in the principle that less is better, especially so
for crypto software.
>What is under discussion here is a simple fix for a design weakness in
>signing subkeys.  Forcing all v4 keys to have one and only one subkey
>would effectively declare every current OpenPGP implementation
>noncompliant, and even then not solve the problem at hand with
>sign+encrypt subkeys.
>
The problem is a lot more than that.  V4 keys are flawed to begin
with.  Please re-read what I stated in my previous message,
in particular the sections which you snipped.
I think that this is a problem which should be addressed.
>David
>
No offense,
and with all respect,

Best Regards

Imad R. Faiad
>[818D9699]*** END PGP VERIFIED MESSAGE ***

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPvzIqbzDFxiDPxutAQIqAQgAjkRMqXuNRWGycNNd8g4yh0tS88TQMsbC
VGLkiwi1qcYZPzH5OvEaoG549jXLn+/N609OkSmS71CRsCDr/mUrmKclLVfdeHCw
XqCE1qFNzq9bUFb7HXzVzWAPDpebmN9Ys/WdOj8Fbe3/1+t9iOZHxiuQLFY1RPzt
W+JOBdUE5em4g867OKdQrY6ShWHmbZJICmObuWDTJWwRPIAEeR1L/jHgV9Pvascr
N/voRsxQ+jXTR91p6QuzYiJk9cnMHXVI1XUtg+tF8nUIsQP/B0s7j6wywqkjtPDZ
rjmeWcnn8DtQbREa1pPMbWFaZ46dZUotzhO6xc4A68Ws40F4WWu5hA==
=MwPc
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RE4Grb041661 for <ietf-openpgp-bks@above.proper.com>; Fri, 27 Jun 2003 07:04:16 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5RE4GbV041660 for ietf-openpgp-bks; Fri, 27 Jun 2003 07:04:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5RE4Frb041635 for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 07:04:15 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04030795pcs.union01.nj.comcast.net [68.36.47.61]) by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5RE4A427645 for <ietf-openpgp@imc.org>; Fri, 27 Jun 2003 10:04:10 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5RE3wi12240 for ietf-openpgp@imc.org; Fri, 27 Jun 2003 10:03:58 -0400
Date: Fri, 27 Jun 2003 10:03:58 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Message-ID: <20030627140358.GC11762@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <20030625025703.GL4469@jabberwocky.com> <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (12% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 26, 2003 at 04:56:43PM +0200, Imad R. Faiad wrote:

> As I understand it, sub keys are only justified in the following
> circumstances:-
> 1) When the public key algorithm does not support encryption (e.g. DSA).
> 2) In agreement with a school of thought, which recommends that
>    it is good practice not to use the same key for signing and
>    encryption.
> 
> Any other arguments beyond the above, are just eccentricities,
> and will be better addressed by creating another key.

One person's eccentricity is another person's operational requirement.
OpenPGP should be flexible enough to accommodate both.

> Therefore, for the sake of simplicity, please permit me to propose
> that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
> suitable for signing, and ONE optional encryption sub key of an
> OpenPGP public key algorithm suitable for encryption (and / or signing
> if the owner so desires), PERIOD.

I guess I don't really see how this helps.  Remember that both
multiple subkeys and signing subkeys are from 2440.  These are not new
inventions in 2440bis, and are already widely supported in the field.
All versions of PGP (5+) and GnuPG support multiple subkeys.  All
versions of GnuPG and PGP 8 support signing subkeys.

What is under discussion here is a simple fix for a design weakness in
signing subkeys.  Forcing all v4 keys to have one and only one subkey
would effectively declare every current OpenPGP implementation
noncompliant, and even then not solve the problem at hand with
sign+encrypt subkeys.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+/E7O4mZch0nhy8kRAqrTAJwP/CHJbTIWGvyytLg5W+m6P+d3CwCeK/Vs
1xXVZNUeHnkTcqn549cflDc=
=/D3j
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QKlVrb072873 for <ietf-openpgp-bks@above.proper.com>; Thu, 26 Jun 2003 13:47:31 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5QKlV6t072872 for ietf-openpgp-bks; Thu, 26 Jun 2003 13:47:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QKlUrb072866 for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 13:47:30 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04279613pcs.union01.nj.comcast.net [68.39.101.178]) by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5QKlS424881 for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 16:47:28 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5QKlMM08221 for ietf-openpgp@imc.org; Thu, 26 Jun 2003 16:47:22 -0400
Date: Thu, 26 Jun 2003 16:47:22 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Message-ID: <20030626204722.GI2867@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306251926.h5PJQbI29743@finney.org> <87of0lbbux.fsf@alberti.g10code.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <87of0lbbux.fsf@alberti.g10code.de>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (12% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 26, 2003 at 08:18:30AM +0200, Werner Koch wrote:
> 
> On Wed, 25 Jun 2003 12:26:37 -0700, Hal Finney said:
> 
> > can issue signatures just fine, even if they don't usually do so; and the
> > same with ElGamal encryption subkeys.  We have loaded up the spec with
> > warnings about ElGamal signatures, but in fact those warnings mostly
> > relate to chosen plaintext attacks.  In this case it is the key owner
> 
> A practical problem with ElGamal signatures is that verification is
> really slow.

True.  I rather like Hal's suggestion to do back-signatures for all
keys, but I wouldn't make it a requirement.  We MUST do it for signing
subkeys to avoid the security problem, but why not make it a MAY for
any other key that someone cares to use it on.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE++1va4mZch0nhy8kRAn9jAKCtNSxqdxZ61ggMBjQ69F+oDZSR2wCg0okU
RMRmR5m8aqMUsrAZpz9YyfU=
=JCN2
-----END PGP SIGNATURE-----
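The weakness this thread circles, and the back-signature fix, as an added worked model (example code written for this archive, not code from the list, from PGP or from GnuPG). Bill Frantz's observation above, that binding someone else's public subkey under your own primary key is operationally the same as their having handed you the subkey, becomes concrete when a verifier attributes a message signature by looking up which certificate carries the signing subkey: without a back-signature, Mallory's certificate wrapping Alice's public signing subkey validates exactly as well as Alice's own, so Alice's signatures are attributed to Mallory too. Requiring the subkey to sign back over the binding (the "signature in a signature" subpacket David proposes, which RFC 4880 later standardized as the embedded 0x19 primary key binding signature) closes it, because Mallory does not hold Alice's subkey secret. Assumptions: Ed25519 stands in for the OpenPGP algorithms, the signed binding data is a simplified primary||subkey string rather than the real 0x18/0x19 hashing rules, and the names, keys and message are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Added example: a toy model of OpenPGP subkey binding, not real packet
// handling. Ed25519 replaces the real algorithms and the binding data is a
// simplified primary||subkey string (both assumptions).

// Subkey carries the binding made by the primary key (like a 0x18 subkey
// binding signature) and, optionally, a back-signature made by the subkey
// itself over the same data (the proposed embedded signature).
type Subkey struct {
	Pub     ed25519.PublicKey
	Binding []byte
	BackSig []byte // nil when the binding carries no back-signature
}

// Cert is a primary key with its bound subkeys.
type Cert struct {
	Name    string
	Primary ed25519.PublicKey
	Subkeys []Subkey
}

// bindingData is the byte string both signatures cover.
func bindingData(primary, sub ed25519.PublicKey) []byte {
	data := append([]byte("subkey-binding:"), primary...)
	return append(data, sub...)
}

// bind puts subPub under the primary key. Only the primary secret is needed
// for the binding; the subkey secret is needed only for the back-signature,
// so subSec == nil models an attacker who holds just the public subkey.
func bind(primarySec ed25519.PrivateKey, subPub ed25519.PublicKey, subSec ed25519.PrivateKey) Subkey {
	primaryPub := primarySec.Public().(ed25519.PublicKey)
	data := bindingData(primaryPub, subPub)
	sk := Subkey{Pub: subPub, Binding: ed25519.Sign(primarySec, data)}
	if subSec != nil {
		sk.BackSig = ed25519.Sign(subSec, data)
	}
	return sk
}

// validSubkey checks the primary's binding and, with requireBackSig, also
// demands that the subkey vouches for the primary key in return.
func validSubkey(c Cert, sk Subkey, requireBackSig bool) bool {
	data := bindingData(c.Primary, sk.Pub)
	if !ed25519.Verify(c.Primary, data, sk.Binding) {
		return false
	}
	if requireBackSig {
		return sk.BackSig != nil && ed25519.Verify(sk.Pub, data, sk.BackSig)
	}
	return true
}

// signers returns the names of every certificate holding a validly bound
// subkey that verifies sig over msg: this is how a verifier attributes a
// message signature to a key owner.
func signers(certs []Cert, msg, sig []byte, requireBackSig bool) []string {
	var out []string
	for _, c := range certs {
		for _, sk := range c.Subkeys {
			if validSubkey(c, sk, requireBackSig) && ed25519.Verify(sk.Pub, msg, sig) {
				out = append(out, c.Name)
			}
		}
	}
	return out
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, sec, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, sec
}

// Scenario builds Alice's certificate and Mallory's hijack of Alice's public
// signing subkey, then attributes a message Alice signed, first without and
// then with the back-signature requirement. All key material is generated
// fresh; the message is a constructed sample.
func Scenario() (without, with []string) {
	alicePub, aliceSec := genKey()
	aliceSubPub, aliceSubSec := genKey()
	malPub, malSec := genKey()

	alice := Cert{Name: "alice", Primary: alicePub,
		Subkeys: []Subkey{bind(aliceSec, aliceSubPub, aliceSubSec)}}
	// Mallory has only the PUBLIC half of Alice's subkey, so no back-signature.
	mallory := Cert{Name: "mallory", Primary: malPub,
		Subkeys: []Subkey{bind(malSec, aliceSubPub, nil)}}

	msg := []byte("constructed sample message, signed by Alice's subkey")
	sig := ed25519.Sign(aliceSubSec, msg)
	certs := []Cert{alice, mallory}
	return signers(certs, msg, sig, false), signers(certs, msg, sig, true)
}

func main() {
	without, with := Scenario()
	fmt.Println("without back-signature:", without) // [alice mallory]
	fmt.Println("with back-signature:   ", with)    // [alice]
}
```

The point to take from the two runs is the one David makes: the back-signature is what makes the binding require the subkey's secret, so it must be mandatory for signing subkeys, while for encryption-only subkeys (where there is no signature to misattribute) it can stay optional.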


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEbGrb051778 for <ietf-openpgp-bks@above.proper.com>; Thu, 26 Jun 2003 07:37:16 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5QEbGRM051777 for ietf-openpgp-bks; Thu, 26 Jun 2003 07:37:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp1.kodak.com (smtp1.kodak.com [192.232.121.200]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEbErb051770 for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 07:37:15 -0700 (PDT) (envelope-from john.dlugosz@kodak.com)
Received: from knotes3.kodak.com (knotes3.kp.kodak.com [150.103.137.52]) by smtp1.kodak.com (8.11.3/8.11.1) with ESMTP id h5QEb8m01014; Thu, 26 Jun 2003 10:37:08 -0400 (EDT)
Subject: Re: AES-256 vs AES-128
To: markowitz@infoseccorp.com
Cc: ietf-openpgp@imc.org
X-Mailer: Lotus Notes Release 5.0.5  September 22, 2000
Message-ID: <OF75E9A5EA.12A08C3E-ON86256D51.00502A40@kodak.com>
From: john.dlugosz@kodak.com
Date: Thu, 26 Jun 2003 09:37:05 -0500
X-MIMETrack: Serialize by Router on KNOTES3/ISBP/EKC(Release 5.0.11  |July 24, 2002) at 06/26/2003 10:36:45 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

And, I just picked up Bruce Schneier's new book, and he recommends AES-256 to
get 128-bit actual strength in light of birthday attacks and
meet-in-the-middle attacks.



                                                                                                                                  
Mike Markowitz <markowitz@infoseccorp.com> (sent by owner-ietf-openpgp@mail.imc.org)
wrote on 06/24/2003 03:54 PM, To: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller),
cc: ietf-openpgp@imc.org, Subject: Re: AES-256 vs AES-128:

At 03:10 PM 5/31/2003 +0200, Bodo Moeller wrote:

>Of course arguably 128 bits are by far enough so that you don't really
>have to worry about anything of this -- unless you think that quantum
>attacks might become realistic.

Just when you thought this thread was dead... <g>

Here is NSA's current view of the matter (from the recent "CNSS Policy No. 15,
FS-1" document: http://csrc.nist.gov/cryptval/CNSS15FS.pdf):

"(6) The design and strength of all key lengths of the AES algorithm (i.e.,
128, 192 and 256) are sufficient to protect classified information up to the
SECRET level. TOP SECRET information will require use of either the 192 or
256 key lengths."

-mjm








Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEFUrb051242 for <ietf-openpgp-bks@above.proper.com>; Thu, 26 Jun 2003 07:15:30 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5QEFUew051241 for ietf-openpgp-bks; Thu, 26 Jun 2003 07:15:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5QEFRrb051235 for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 07:15:28 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-11-1.cyberia.net.lb ([195.112.214.2]) by sand.cyberia.net.lb with SMTP id <20030626141053.XDBY3447.sand@ppp-11-1.cyberia.net.lb> for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 17:10:53 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Date: Thu, 26 Jun 2003 16:56:43 +0200
Message-ID: <6d2mfv43ub2scnpjmth8parb7d7c8582hg@4ax.com>
References: <20030625025703.GL4469@jabberwocky.com>
In-Reply-To: <20030625025703.GL4469@jabberwocky.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5QEFTrb051237
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello David,

We are opening a can of worms, and there
will be many more in the future as a result.

Please let me re-iterate:-

As I understand it, sub keys are only justified in the following
circumstances:-
1) When the public key algorithm does not support encryption (e.g. DSA).
2) In agreement with a school of thought, which recommends that
   it is good practice not to use the same key for signing and
   encryption.

Any other arguments beyond the above, are just eccentricities,
and will be better addressed by creating another key.

Therefore, for the sake of simplicity, please permit me to propose
that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
suitable for signing, and ONE optional encryption sub key of an
OpenPGP public key algorithm suitable for encryption (and / or signing
if the owner so desires), PERIOD.

Should the above not be adopted, then, I would like to propose
that subkeys be treated just like any other key.
That is, they ought to be signed by their consumer(s).
After all, when you sign a check, you state the amount, among
other things, no one signs a blank check!
Also, when one signs a contract, one signs the pages
containing the terms of that contract, one does
not append to the later signed blank pages
(to use the analogy of signing OpenPGP v4 keys,
a Power of Attorney to append as many pages),
to be filled in by the other party, as,
when, and with whatever, he deems fit.

What you suggested below may be an acceptable solution as far
as the key owner is concerned, but, what about the consumer?

From what I could gather, subkeys are attractive, because
they inherit the trust/validity of the master key.
But, isn't that inheritance in breach of the OpenPGP
trust model?

my 2c,

Best regards

Imad R. Faiad

On Tue, 24 Jun 2003 22:57:03 -0400, you wrote:

>
>Hi everyone,
>
>I was thinking about the "stolen signing subkey" problem, and a
>slightly different solution popped up:
>
>What if we create a new "signature in a signature" subpacket that is
>defined as a regular signature contained in a subpacket?  All signing
>subkeys MUST contain such a subpacket in their binding self-signature.
>The "subpacket signature" in this case is made by the signing subkey,
>and on the primary key, hashed as if for a 1F signature.  The end
>result is that the signing subkey has a binding self-signature issued
>by the primary key as we do now, and that binding self-signature has
>an embedded 1F signature on the primary key data issued by the signing
>subkey itself.
>
>One of the nice benefits of using a subpacket here, rather than some
>other scheme is that we can set the critical bit of the subpacket if
>we want to "break" the signing subkey on older implementations, but at
>the same time, we don't have to.
>
>I was considering suggesting a single-purpose subpacket that could
>only be used for making a back-signature from a signing subkey on the
>primary key data, but it started to look like reinventing the wheel.
>We have a good, working, signature format.  If we just stick it in a
>subpacket, we can leverage all that work.
>
>Yes, it is a little odd to contemplate the idea that a subpacket can
>contain a signature that contains subpackets which contain a
>signature...  "Great fleas have little fleas upon their backs to bite
>'em, And little fleas have lesser fleas, and so ad infinitum."
>
>Is this overkill for the exact problem at hand?  Probably.  On the
>brighter side, it is certainly a more general solution that could be
>useful elsewhere.  For example, it might replace the (as yet unused)
>signature target subpacket: since we can just stick the target
>signature in this proposed subpacket, we don't need the current target
>subpacket anymore.  It also enables interesting possibilities for the
>notary signature.
>
>David

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPvsJH7zDFxiDPxutAQLFcgf+Ja5FEwLiAEEpNZW4+rGN3K9Z+pl1qHHi
yCZa9CpoLStqKmwiLr968TqawiSXD0/K3u1ivLJcw2EXnIoOmgeexcME1qhqU+Ty
2wqCcFB2WdesVYpC3hedy3JTSnnTEfZwbUJdK2bn2NKHjq3oGDqE7sqo90gnGomI
cEKgkkrcfNaPrZwfFM9H9Lrpb64as1BmfClfw9TIB33hrZ94C6GIPI8ycO0ENCvA
JQWnEbTd1d8cm6xrPbme5Q7AvSscEltL5m2IOy+/6v6e1b/Qsan/p2Ie53Tt//sG
qfRjIVvLWAM5iMKxRMZ7YBIbS481u9PvaP41P/Z/Hny4phZazF7n+g==
=trTX
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q6HZrb005070 for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 23:17:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5Q6HZjP005069 for ietf-openpgp-bks; Wed, 25 Jun 2003 23:17:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q6HXrb005008 for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 23:17:33 -0700 (PDT) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian)) id 19VPyd-0005Eo-00 for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 08:11:23 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian)) id 19VQ5X-0008R7-00; Thu, 26 Jun 2003 08:18:31 +0200
To: "Hal Finney" <hal@finney.org>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
References: <200306251926.h5PJQbI29743@finney.org>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Thu, 26 Jun 2003 08:18:30 +0200
In-Reply-To: <200306251926.h5PJQbI29743@finney.org> (Hal Finney's message of "Wed, 25 Jun 2003 12:26:37 -0700")
Message-ID: <87of0lbbux.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Wed, 25 Jun 2003 12:26:37 -0700, Hal Finney said:

> can issue signatures just fine, even if they don't usually do so; and the
> same with ElGamal encryption subkeys.  We have loaded up the spec with
> warnings about ElGamal signatures, but in fact those warnings mostly
> relate to chosen plaintext attacks.  In this case it is the key owner

A practical problem with ElGamal signatures is that verification is
really slow.

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q4k8rb097032 for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 21:46:08 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5Q4k8QB097031 for ietf-openpgp-bks; Wed, 25 Jun 2003 21:46:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5Q4k6rb097026 for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 21:46:07 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04279182pcs.union01.nj.comcast.net [68.39.100.3]) by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5Q4k6421788 for <ietf-openpgp@imc.org>; Thu, 26 Jun 2003 00:46:07 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5Q4dSi03976 for ietf-openpgp@imc.org; Thu, 26 Jun 2003 00:39:28 -0400
Date: Thu, 26 Jun 2003 00:39:28 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Message-ID: <20030626043928.GF2867@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306251924.h5PJOY429735@finney.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200306251924.h5PJOY429735@finney.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (12% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 25, 2003 at 12:24:34PM -0700, Hal Finney wrote:

> As far as David's proposal, as I understand it, when a new subkey is
> created, it signs the main key, along the lines we have been
> discussing.  However, rather than putting that signature on the main
> key, we instead put it into a subpacket of the subkey binding
> signature issued by the main key.  Since the subkey creation process
> has access to the private parts of both keys, there is of course no
> difficulty in creating the signatures in this order and putting them
> in these places.

Exactly.  Note, however, that there is no need for the subkey
generation process to have access to the private part of the primary
key.  Since this subkey-on-primary signature does not need to be part
of (i.e. hashed into) the subkey binding signature, and is just
located on the binding signature for convenience, there is no reason
why it can't be in the unhashed section of the binding signature.  The
subpacket should work equally well in either the hashed or unhashed
section.

> The main advantage I see would be that we would not have a new
> signature sitting on the main key, which some old software might
> choke on if it were particularly particular.  Instead we have a new
> kind of subpacket in the subkey binding signature, which hopefully
> most software will ignore if it is non-critical.

[..]

> This proposal does depend on old software ignoring non-critical
> subpackets, in order for newly created subkeys to still be used by
> old software (at least, old software that allowed the use of signing
> subkeys).

Yes.  I suppose it comes down to which is less likely to cause a
problem: a new signature subpacket, or a new signature class (as
suggested below).  I lean towards a signature subpacket for the
various reasons given in this thread thus far.  There is also a minor
advantage in key maintenance.  If a subkey is deleted, the
back-signature goes with it automatically, and the implementation
doesn't have to search for and delete back signatures elsewhere on the
key.

> One concern I have is the rather generic "1F" signature type proposed
> for the subkey-on-key signatures.  It would probably be better to
> use a new signature type specific for this purpose.  We use "18"
> for the topkey-on-subkey signature, so maybe we could use "19" for the
> subkey-on-topkey.  That would reduce the possibility of an existing "1F"
> signature somehow being put to a new and malicious use.  Introducing a
> new signature type would increase the chance of an implementation choking
> when it finds the signature on the top level key, which would be another
> point in favor of David's suggestion to hide the new sig in a subpacket
> of the topkey-on-subkey.

I think this is an excellent suggestion.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE++nj/4mZch0nhy8kRAltcAJ95z1bANc5YDF8aRYgcGzt8EaYWMACgsDiV
oeYvphw5d+8uOTMouL3bVdY=
=uaZ9
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PKZorb085475 for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 13:35:50 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5PKZocA085473 for ietf-openpgp-bks; Wed, 25 Jun 2003 13:35:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.115]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PKZmrb085456 for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 13:35:49 -0700 (PDT) (envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (c-67-160-217-89.client.comcast.net [67.160.217.89]) by mtaout02.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HH200HOV14YI7@mtaout02.icomcast.net> for ietf-openpgp@imc.org; Wed, 25 Jun 2003 16:34:11 -0400 (EDT)
Date: Wed, 25 Jun 2003 13:34:03 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: Suggestion for the signing subkey problem
In-reply-to: <200306251924.h5PJOY429735@finney.org>
X-Sender: trevp00@pop.comcast.net
To: Hal Finney <hal@finney.org>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030625130659.028f4e98@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

At 12:24 PM 6/25/2003 -0700, Hal Finney wrote:


>Derek Atkins writes:
> > Hmm, can subkeys have subkeys?
>
>Subkeys, unlike David's fleas, are not presently afflicted in this way.
>However, if they ever suffered such a transformation, we could probably
>link each top and child key in the same way we are proposing to link
>our single level of parenthood.

With a chain of N subkeys, this requires N back-signatures (so 2N total 
signatures).  You could do it with zero or one back-signatures.  Since PGP 
only has N=1, this may not be useful, but I'll point it out anyways:

An alternative to back-signatures was to include the primary key ID as a 
hashed subpacket in a signature produced by the subkey.  David didn't like 
this for subkeys because it would have to be repeated for every signature 
the subkey produced.  But if you have a chain of subkeys, for every subkey 
except the last, you *have* a signature that the subkey produced.

So if you added the primary key ID into subkey-on-subkey signatures, you'd 
only have to do something different for the last key, such as a 
back-signature, or adding the primary key ID into the signatures it produced.


On a separate point, I think subkeys having subkeys could be 
useful[1].  For example, Alice is going on vacation for a month, and 
doesn't want to bring her primary key.  However, she doesn't want to give 
her cellphone a month-long subkey, in case it gets stolen.  So she issues a 
month-long subkey to an online service that she trusts, and then every day 
uses her cellphone to authenticate to the service and get an 8-hour subkey 
under the service's subkey.

[1] http://www.imc.org/ietf-openpgp/mail-archive/msg05262.html

Trevor 



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJS9rb082212 for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 12:28:09 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5PJS9Rt082211 for ietf-openpgp-bks; Wed, 25 Jun 2003 12:28:09 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJS8rb082206 for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 12:28:08 -0700 (PDT) (envelope-from hal@finney.org)
Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id h5PJQbI29743 for ietf-openpgp@imc.org; Wed, 25 Jun 2003 12:26:37 -0700
Date: Wed, 25 Jun 2003 12:26:37 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306251926.h5PJQbI29743@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

One other point, although I hesitate to mention it, is that we could
consider using this sign-the-topkey trick for encryption subkeys as well
as signature subkeys.  Now, there are two immediate objections to this.
First, as discussed earlier, the fraud does not seem nearly as serious
for encryption subkeys, amounting to tricking someone into encrypting
a message to someone else's key instead of your own.  And second, it
seems impossible anyway, as encryption subkeys can't issue signatures,
so they can't sign the top level key.

However, the impossibility is actually not so bad: RSA encryption subkeys
can issue signatures just fine, even if they don't usually do so; and the
same with ElGamal encryption subkeys.  We have loaded up the spec with
warnings about ElGamal signatures, but in fact those warnings mostly
relate to chosen plaintext attacks.  In this case it is the key owner
who is choosing what to sign, hence those attacks don't apply.  It should
be perfectly safe for an ElGamal or RSA encryption subkey to issue an
appropriate signature on its top-level key.

The first objection still holds, that all this work may not be worth it
(and it is a lot of work for those implementations which don't support
ElGamal signatures) since we don't seem to be able to come up with
much of a fraud by putting someone else's subkey under your own topkey.
Nevertheless there is considerable appeal to being able to verify that
all master-slave key-to-key relationships were fully consensual.

Hal Finney


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJQ6rb082171 for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 12:26:06 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5PJQ6H1082170 for ietf-openpgp-bks; Wed, 25 Jun 2003 12:26:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PJQ5rb082165 for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 12:26:05 -0700 (PDT) (envelope-from hal@finney.org)
Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id h5PJOY429735 for ietf-openpgp@imc.org; Wed, 25 Jun 2003 12:24:34 -0700
Date: Wed, 25 Jun 2003 12:24:34 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306251924.h5PJOY429735@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Derek Atkins writes:
> Hmm, can subkeys have subkeys?

Subkeys, unlike David's fleas, are not presently afflicted in this way.
However, if they ever suffered such a transformation, we could probably
link each top and child key in the same way we are proposing to link
our single level of parenthood.

As far as David's proposal, as I understand it, when a new subkey is
created, it signs the main key, along the lines we have been discussing.
However, rather than putting that signature on the main key, we instead
put it into a subpacket of the subkey binding signature issued by the
main key.  Since the subkey creation process has access to the private
parts of both keys, there is of course no difficulty in creating the
signatures in this order and putting them in these places.

The main advantage I see would be that we would not have a new signature
sitting on the main key, which some old software might choke on if it
were particularly particular.  Instead we have a new kind of subpacket in
the subkey binding signature, which hopefully most software will ignore
if it is non-critical.

David suggests that it could in fact be made critical, but I don't see
any advantage to doing that.  It would not stop the fraud from being
perpetrated on old software, since of course the fraudster would not be
in a position to create the new subpacket and certainly would not create
a bogus one and mark it critical, since that would defeat his purpose.

For a good subkey, all marking it critical would accomplish is to create
an artificial backwards incompatibility, so that this very valid subkey
was spuriously rejected by old software, which would not accomplish
anything useful that I can see.

This proposal does depend on old software ignoring non-critical subpackets,
in order for newly created subkeys to still be used by old software (at
least, old software that allowed the use of signing subkeys).

One concern I have is the rather generic "1F" signature type proposed
for the subkey-on-key signatures.  It would probably be better to
use a new signature type specific for this purpose.  We use "18"
for the topkey-on-subkey signature, so maybe we could use "19" for the
subkey-on-topkey.  That would reduce the possibility of an existing "1F"
signature somehow being put to a new and malicious use.  Introducing a
new signature type would increase the chance of an implementation choking
when it finds the signature on the top level key, which would be another
point in favor of David's suggestion to hide the new sig in a subpacket
of the topkey-on-subkey.

Hal Finney


David Shaw <dshaw@jabberwocky.com> writes:
> Hi everyone,
> 
> I was thinking about the "stolen signing subkey" problem, and a
> slightly different solution popped up:
> 
> What if we create a new "signature in a signature" subpacket that is
> defined as a regular signature contained in a subpacket?  All signing
> subkeys MUST contain such a subpacket in their binding self-signature.
> The "subpacket signature" in this case is made by the signing subkey,
> and on the primary key, hashed as if for a 1F signature.  The end
> result is that the signing subkey has a binding self-signature issued
> by the primary key as we do now, and that binding self-signature has
> an embedded 1F signature on the primary key data issued by the signing
> subkey itself.
> 
> One of the nice benefits of using a subpacket here, rather than some
> other scheme is that we can set the critical bit of the subpacket if
> we want to "break" the signing subkey on older implementations, but at
> the same time, we don't have to.
> 
> I was considering suggesting a single-purpose subpacket that could
> only be used for making a back-signature from a signing subkey on the
> primary key data, but it started to look like reinventing the wheel.
> We have a good, working, signature format.  If we just stick it in a
> subpacket, we can leverage all that work.
> 
> Yes, it is a little odd to contemplate the idea that a subpacket can
> contain a signature that contains subpackets which contain a
> signature...  "Great fleas have little fleas upon their backs to bite
> 'em, And little fleas have lesser fleas, and so ad infinitum."
> 
> Is this overkill for the exact problem at hand?  Probably.  On the
> brighter side, it is certainly a more general solution that could be
> useful elsewhere.  For example, it might replace the (as yet unused)
> signature target subpacket: since we can just stick the target
> signature in this proposed subpacket, we don't need the current target
> subpacket anymore.  It also enables interesting possibilities for the
> notary signature.
> 
> David

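The subpacket mechanics that Hal's message above and David's reply further up the page turn on, as an added worked example that is not code from the thread or from any OpenPGP implementation: it encodes and parses v4 signature subpackets the way RFC 2440 lays them out (1-, 2- or 5-octet lengths, the critical bit in the type octet, separate hashed and unhashed areas) and applies the critical-bit rule, so you can see what a verifier that predates the proposal does with a non-critical versus a critical embedded-signature subpacket, and that a back-signature placed in the unhashed area is still findable. Subpacket type 32 and signature type 0x19 are the numbers RFC 4880 later assigned to the Embedded Signature subpacket and to the subkey-on-primary binding signature; in 2003 both were unassigned, so treat them here as the proposal's numbers. The `OLD_IMPL_KNOWS`/`NEW_IMPL_KNOWS` sets, the function names and every byte string are constructed for this example, and the MPI fields are filler rather than real signature values.

```python
"""Hashed/unhashed subpacket areas, the critical bit, and an embedded signature.

Added example; not code from the thread or from any OpenPGP implementation.
Type 32 / 0x19 are the numbers RFC 4880 later assigned; here they are just the
proposal's.  Every byte string below is constructed; the MPIs are filler.
"""
import struct

SIG_CREATION_TIME, ISSUER, KEY_FLAGS, EMBEDDED_SIGNATURE = 2, 16, 27, 32
SUBKEY_BINDING, PRIMARY_KEY_BINDING = 0x18, 0x19
OLD_IMPL_KNOWS = {SIG_CREATION_TIME, ISSUER, KEY_FLAGS}     # pretend "old software"
NEW_IMPL_KNOWS = OLD_IMPL_KNOWS | {EMBEDDED_SIGNATURE}      # software that knows the proposal


def encode_subpacket(sp_type: int, body: bytes, critical: bool = False) -> bytes:
    """Length (1, 2 or 5 octets; it covers the type octet) + type octet + body."""
    length = len(body) + 1
    if length < 192:
        header = bytes([length])
    elif length < 8384:
        header = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        header = b"\xff" + struct.pack(">I", length)
    return header + bytes([sp_type | (0x80 if critical else 0)]) + body


def parse_subpackets(area: bytes) -> list:
    """Return [(type, critical, body), ...] for one hashed or unhashed area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        i += 1
        if first < 192:
            length = first
        elif first < 255:
            length = ((first - 192) << 8) + area[i] + 192
            i += 1
        else:
            length = struct.unpack(">I", area[i:i + 4])[0]
            i += 4
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        tag = area[i]
        out.append((tag & 0x7F, bool(tag & 0x80), area[i + 1:i + length]))
        i += length
    return out


def encode_v4_signature_body(sig_type: int, hashed: bytes, unhashed: bytes, mpi: bytes) -> bytes:
    """v4 signature body: version, type, pk alg (1 = RSA), hash alg (2 = SHA-1),
    hashed area, unhashed area, two left-hash octets, then the signature MPI."""
    return (bytes([4, sig_type, 1, 2])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + mpi)


def signature_areas(sig_body: bytes) -> tuple:
    """Split a v4 signature body into (type, hashed_area, unhashed_area)."""
    if sig_body[0] != 4:
        raise ValueError("not a v4 signature")
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hlen]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    return sig_body[1], hashed, sig_body[8 + hlen:8 + hlen + ulen]


def acceptable_to(known: set, area: bytes) -> bool:
    """RFC 2440 rule: an unknown subpacket is ignored, unless its critical bit
    is set, in which case the whole signature must be treated as invalid."""
    return all(t in known or not crit for t, crit, _ in parse_subpackets(area))


def embedded_back_signature(binding_sig_body: bytes):
    """For a 0x18 binding signature, return the type of an embedded signature
    found in either area (it need not be hashed into the primary's signature,
    so the unhashed area is a legitimate home for it), or None."""
    sig_type, hashed, unhashed = signature_areas(binding_sig_body)
    if sig_type != SUBKEY_BINDING:
        return None
    for sp_type, _, body in parse_subpackets(hashed) + parse_subpackets(unhashed):
        if sp_type == EMBEDDED_SIGNATURE:
            return signature_areas(body)[0]
    return None


def build_binding(critical: bool) -> bytes:
    """A constructed 0x18 binding whose unhashed area carries the subkey's
    0x19 back-signature as an embedded-signature subpacket."""
    back_sig = encode_v4_signature_body(
        PRIMARY_KEY_BINDING,
        encode_subpacket(SIG_CREATION_TIME, b"\x3e\xf9\x00\x00"),
        encode_subpacket(ISSUER, b"\x01" * 8),
        b"\xab" * 256)                    # 2048-bit MPI filler: forces the 2-octet length form
    hashed = (encode_subpacket(SIG_CREATION_TIME, b"\x3e\xf9\x00\x00")
              + encode_subpacket(KEY_FLAGS, b"\x02"))      # 0x02: this key may sign data
    unhashed = (encode_subpacket(ISSUER, b"\x02" * 8)
                + encode_subpacket(EMBEDDED_SIGNATURE, back_sig, critical))
    return encode_v4_signature_body(SUBKEY_BINDING, hashed, unhashed, b"\xcd" * 256)


def demo() -> dict:
    noncrit, crit = build_binding(False), build_binding(True)
    unhashed = lambda sig: signature_areas(sig)[2]
    return {
        "old_accepts_noncritical": acceptable_to(OLD_IMPL_KNOWS, unhashed(noncrit)),
        "old_accepts_critical": acceptable_to(OLD_IMPL_KNOWS, unhashed(crit)),
        "new_accepts_critical": acceptable_to(NEW_IMPL_KNOWS, unhashed(crit)),
        "back_sig_type": embedded_back_signature(noncrit),
    }
```

`demo()` returns the outcome Hal describes: the old implementation keeps working on the non-critical form and spuriously rejects the critical one, while the new implementation accepts both and recovers the 0x19 signature from the unhashed area.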

Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PITurb080615 for <ietf-openpgp-bks@above.proper.com>; Wed, 25 Jun 2003 11:29:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5PITtqu080614 for ietf-openpgp-bks; Wed, 25 Jun 2003 11:29:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5PITdrb080479 for <ietf-openpgp@imc.org>; Wed, 25 Jun 2003 11:29:40 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5PITerM025738; Wed, 25 Jun 2003 14:29:41 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5PITerO006314; Wed, 25 Jun 2003 14:29:40 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h5PITbFJ014592; Wed, 25 Jun 2003 14:29:40 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.12.9) id h5PITb5m019426; Wed, 25 Jun 2003 14:29:37 -0400 (EDT)
To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: Suggestion for the signing subkey problem
References: <20030625025703.GL4469@jabberwocky.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 25 Jun 2003 14:29:37 -0400
In-Reply-To: <20030625025703.GL4469@jabberwocky.com>
Message-ID: <sjm4r2ej9im.fsf@kikki.mit.edu>
Lines: 52
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hmm, can subkeys have subkeys?

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> Hi everyone,
> 
> I was thinking about the "stolen signing subkey" problem, and a
> slightly different solution popped up:
> 
> What if we create a new "signature in a signature" subpacket that is
> defined as a regular signature contained in a subpacket?  All signing
> subkeys MUST contain such a subpacket in their binding self-signature.
> The "subpacket signature" in this case is made by the signing subkey,
> and on the primary key, hashed as if for a 1F signature.  The end
> result is that the signing subkey has a binding self-signature issued
> by the primary key as we do now, and that binding self-signature has
> an embedded 1F signature on the primary key data issued by the signing
> subkey itself.
> 
> One of the nice benefits of using a subpacket here, rather than some
> other scheme is that we can set the critical bit of the subpacket if
> we want to "break" the signing subkey on older implementations, but at
> the same time, we don't have to.
> 
> I was considering suggesting a single-purpose subpacket that could
> only be used for making a back-signature from a signing subkey on the
> primary key data, but it started to look like reinventing the wheel.
> We have a good, working, signature format.  If we just stick it in a
> subpacket, we can leverage all that work.
> 
> Yes, it is a little odd to contemplate the idea that a subpacket can
> contain a signature that contains subpackets which contain a
> signature...  "Great fleas have little fleas upon their backs to bite
> 'em, And little fleas have lesser fleas, and so ad infinitum."
> 
> Is this overkill for the exact problem at hand?  Probably.  On the
> brighter side, it is certainly a more general solution that could be
> useful elsewhere.  For example, it might replace the (as yet unused)
> signature target subpacket: since we can just stick the target
> signature in this proposed subpacket, we don't need the current target
> subpacket anymore.  It also enables interesting possibilities for the
> notary signature.
> 
> David

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5P2v7rb003630 for <ietf-openpgp-bks@above.proper.com>; Tue, 24 Jun 2003 19:57:07 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5P2v7w7003629 for ietf-openpgp-bks; Tue, 24 Jun 2003 19:57:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from walrus.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5P2v5rb003623 for <ietf-openpgp@imc.org>; Tue, 24 Jun 2003 19:57:06 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from claude.jabberwocky.com (pcp04280640pcs.union01.nj.comcast.net [68.39.105.184]) by walrus.jabberwocky.com (8.11.6/8.11.6) with ESMTP id h5P2v5415847 for <ietf-openpgp@imc.org>; Tue, 24 Jun 2003 22:57:05 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5P2v3b11351 for ietf-openpgp@imc.org; Tue, 24 Jun 2003 22:57:03 -0400
Date: Tue, 24 Jun 2003 22:57:03 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Suggestion for the signing subkey problem
Message-ID: <20030625025703.GL4469@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Crescent (30% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi everyone,

I was thinking about the "stolen signing subkey" problem, and a
slightly different solution popped up:

What if we create a new "signature in a signature" subpacket that is
defined as a regular signature contained in a subpacket?  All signing
subkeys MUST contain such a subpacket in their binding self-signature.
The "subpacket signature" in this case is made by the signing subkey,
and on the primary key, hashed as if for a 1F signature.  The end
result is that the signing subkey has a binding self-signature issued
by the primary key as we do now, and that binding self-signature has
an embedded 1F signature on the primary key data issued by the signing
subkey itself.

One of the nice benefits of using a subpacket here, rather than some
other scheme is that we can set the critical bit of the subpacket if
we want to "break" the signing subkey on older implementations, but at
the same time, we don't have to.

I was considering suggesting a single-purpose subpacket that could
only be used for making a back-signature from a signing subkey on the
primary key data, but it started to look like reinventing the wheel.
We have a good, working, signature format.  If we just stick it in a
subpacket, we can leverage all that work.

Yes, it is a little odd to contemplate the idea that a subpacket can
contain a signature that contains subpackets which contain a
signature...  "Great fleas have little fleas upon their backs to bite
'em, And little fleas have lesser fleas, and so ad infinitum."

Is this overkill for the exact problem at hand?  Probably.  On the
brighter side, it is certainly a more general solution that could be
useful elsewhere.  For example, it might replace the (as yet unused)
signature target subpacket: since we can just stick the target
signature in this proposed subpacket, we don't need the current target
subpacket anymore.  It also enables interesting possibilities for the
notary signature.

David

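The trust logic behind David's proposal above, as an added example that is not code from the thread or from any OpenPGP implementation and does not model OpenPGP's packet format: a toy in which a primary key binds a subkey with a 0x18 signature and the subkey answers with a 0x19 back-signature over the primary key and subkey, the form RFC 4880 later standardized (the message above has the subkey sign the primary key data alone). Signatures are textbook RSA over SHA-256 with small, freshly generated primes, which is enough to show the logic and is not secure; `Key`, `bind_subkey`, `signing_subkey_ok`, the "old" and "new" verifier modes and the participants are this example's own names. It shows that anyone holding their own primary key can bind someone else's public signing subkey under it, that a verifier checking only the 0x18 accepts that binding, and that requiring the back-signature rejects it, because the binder does not hold the subkey's private half and a back-signature made with any other key fails to verify under the subkey.

```python
"""Toy model of the stolen-signing-subkey problem and the back-signature fix.

Added example; not code from the thread or from any OpenPGP implementation,
and not OpenPGP's packet format.  Textbook RSA over SHA-256 with small
freshly generated primes: enough to model the trust logic, not secure.
"""
import hashlib
import random

E = 65537
SUBKEY_BINDING = 0x18          # primary-on-subkey binding, as in the thread
PRIMARY_KEY_BINDING = 0x19     # subkey-on-primary back-signature (Hal's suggested type)
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic for n < 3.3e24


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the sizes used here."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(cand) and (cand - 1) % E:      # keeps E invertible mod (p-1)
            return cand


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Key:
    """Toy RSA key pair; `public` is what a certificate carries."""
    def __init__(self, bits: int = 64):
        p, q = _random_prime(bits), _random_prime(bits)
        self.public = (p * q, E)
        self._d = pow(E, -1, (p - 1) * (q - 1))

    def sign(self, data: bytes) -> int:
        n = self.public[0]
        return pow(_digest(data, n), self._d, n)


def verify(public: tuple, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


def _key_bytes(public: tuple) -> bytes:
    return public[0].to_bytes(32, "big") + public[1].to_bytes(4, "big")


def _binding_tbs(sig_type: int, primary_pub: tuple, subkey_pub: tuple) -> bytes:
    """What both binding signatures cover: the type, then primary and subkey data."""
    return bytes([sig_type]) + _key_bytes(primary_pub) + _key_bytes(subkey_pub)


def make_back_sig(subkey: Key, primary_pub: tuple) -> int:
    """0x19: the subkey's own statement that it belongs under this primary."""
    return subkey.sign(_binding_tbs(PRIMARY_KEY_BINDING, primary_pub, subkey.public))


def bind_subkey(primary: Key, subkey_pub: tuple, back_sig=None) -> dict:
    """0x18 by the primary; the back-signature rides along as the proposed
    subpacket in the unhashed area, so the primary's signature does not cover it."""
    sig = primary.sign(_binding_tbs(SUBKEY_BINDING, primary.public, subkey_pub))
    return {"subkey": subkey_pub, "sig": sig, "unhashed": {"embedded_sig": back_sig}}


def signing_subkey_ok(primary_pub: tuple, binding: dict, require_back_sig: bool) -> bool:
    sub = binding["subkey"]
    if not verify(primary_pub, _binding_tbs(SUBKEY_BINDING, primary_pub, sub), binding["sig"]):
        return False
    if not require_back_sig:
        return True                             # old behaviour: the 0x18 alone suffices
    back = binding["unhashed"]["embedded_sig"]
    return back is not None and verify(sub, _binding_tbs(PRIMARY_KEY_BINDING, primary_pub, sub), back)


def demo() -> dict:
    alice, alice_sub, mallory = Key(), Key(), Key()
    honest = bind_subkey(alice, alice_sub.public, make_back_sig(alice_sub, alice.public))
    # Mallory needs no theft: the subkey's public half is public.  He can issue the
    # 0x18 (his own primary signs it) but not a 0x19 from alice_sub, so his options
    # are to omit it or to forge one with a key he does hold.
    grabbed = bind_subkey(mallory, alice_sub.public)
    forged = bind_subkey(mallory, alice_sub.public, mallory.sign(
        _binding_tbs(PRIMARY_KEY_BINDING, mallory.public, alice_sub.public)))
    return {
        "honest_old_verifier": signing_subkey_ok(alice.public, honest, False),
        "honest_new_verifier": signing_subkey_ok(alice.public, honest, True),
        "grabbed_old_verifier": signing_subkey_ok(mallory.public, grabbed, False),
        "grabbed_new_verifier": signing_subkey_ok(mallory.public, grabbed, True),
        "forged_new_verifier": signing_subkey_ok(mallory.public, forged, True),
    }
```

`demo()` returns the two columns of the argument: with the old check both certificates pass, so a message signed by Alice's subkey would be attributed to whichever certificate the verifier happened to hold; with the back-signature required, only Alice's own certificate passes.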

Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5OKtLrb093006 for <ietf-openpgp-bks@above.proper.com>; Tue, 24 Jun 2003 13:55:21 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5OKtLwO093005 for ietf-openpgp-bks; Tue, 24 Jun 2003 13:55:21 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.infoseccorp.com ([12.2.121.3]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5OKtJrb092999 for <ietf-openpgp@imc.org>; Tue, 24 Jun 2003 13:55:20 -0700 (PDT) (envelope-from markowitz@infoseccorp.com)
Received: from mjm340.infoseccorp.com (mjm [12.2.121.12]) by mail.infoseccorp.com (AIX4.3/8.9.3/8.9.3) with ESMTP id PAA18558; Tue, 24 Jun 2003 15:56:53 -0500
Message-Id: <5.2.0.9.2.20030624154647.0338c8e8@12.2.121.3>
X-Sender: mjm@12.2.121.3 (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Tue, 24 Jun 2003 15:54:49 -0500
To: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
From: Mike Markowitz <markowitz@infoseccorp.com>
Subject: Re: AES-256 vs AES-128
Cc: ietf-openpgp@imc.org
In-Reply-To: <m19M67W-000QdtC@epsilon>
References: <87r86f5vvb.fsf_-_@alberti.g10code.de> <3ED7EDD2.4050105@attbi.com> <87r86f5vvb.fsf_-_@alberti.g10code.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 03:10 PM 5/31/2003 +0200, Bodo Moeller wrote:

>Of course arguably 128 bits are by far enough so that you don't really
>have to worry about anything of this -- unless you think that quantum
>attacks might become realistic.

Just when you thought this thread was dead... <g>

Here is NSA's current view of the matter (from the recent "CNSS Policy No. 15, FS-1" document: http://csrc.nist.gov/cryptval/CNSS15FS.pdf):

"(6) The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths."

-mjm



Date: Tue, 17 Jun 2003 16:20:57 -0700 (PDT)
From: Len Sassaman <rabbi@abditum.com>
X-Sender:  <rabbi@thetis.deor.org>
To: David Shaw <dshaw@jabberwocky.com>
Cc: <ietf-openpgp@imc.org>
Subject: Re: key flag for authentication
In-Reply-To: <20030615131946.GE28548@jabberwocky.com>
Message-ID: <Pine.LNX.4.30.QNWS.0306171620380.15964-100000@thetis.deor.org>
X-AIM: Elom777
X-icq: 10735603
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 15 Jun 2003, David Shaw wrote:

> It doesn't need much documentation.  This is similar to the "This key
> may be used to encrypt communications" or "This key may be used to
> encrypt storage" flags: a usage hint.
>
> I think the proposed flag is a good idea.

Agreed.

Date: Tue, 17 Jun 2003 16:07:38 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: augmenting subkeys
X-Sender: trevp00@pop.comcast.net
To: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030617160045.03b91c20@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT

People were discussing the value of subkeys.  I'm kind of a newcomer here, 
and I'm not an implementor, so my opinion doesn't count for much.  But I 
think subkeys are cool.  In fact, PGP could add features to support some 
advanced uses of subkeys.  A few arguments in favor of subkeys, and of 
extending them in a couple ways:

An obvious use of subkeys is to keep the primary key in a more secure/less 
convenient environment, and the subkeys in a less secure/more convenient 
environment, but give them short validity periods to mitigate compromise.

Also, if PGP keys are used for things besides email (TLS, SSH, etc..), then 
the user may want to use his key with multiple devices and applications 
(laptops, desktops, PDAs, cellphones, etc.), so by getting his primary key 
certified, or by giving someone his primary key fingerprint, he can then 
certify subkeys in all these different devices.  This is more convenient 
than getting all his subkeys certified individually, and is more secure 
than sharing the same key with all these devices, since transferring keys 
is risky, using the same key with different protocols isn't a good idea, 
and a compromise/revocation of one subkey won't affect the others.

PKIX is looking at a similar thing with "Proxy Certificates"[1].  So in a 
sense, both PKIX and PGP are exploring a 2-tiered system, where the first 
tier uses TTP certificates to convince Alice of Bob's "primary" key, and 
the second tier is short-lived certificates that Bob issues from his 
primary key to different devices, applications, and services, so he can 
manage validity intervals, limit compromises, and keep the primary key in a 
safer place.

This safer place might be a smartcard, a USB token, the user's main 
computer, or even a network service.  You could imagine some elaborate 
things.  For example, you might split your primary key into shares for use 
with some "proactive threshold signature scheme" and store these shares in 
different places around your home.  Periodically you would bring the shares 
together, "refresh them", so that an attacker would have to steal the 
shares within a single period, and sign your subkeys.

Or you could bring the shares together (say once a week or month) and sign 
a subkey possessed by an intermediary server.  Then every day when you 
fire up your email client, cellphone, etc., you could authenticate to the 
server and get a sub-subkey with, say, an 8 hour lifetime.  Maybe you could 
even give your primary key shares to different online servers, which you 
would choose to be independent so it's unlikely they would all be 
compromised simultaneously.  They would automatically contact each other 
and refresh their shares once a week, and certify the intermediary's subkey.

Anyways, not that anyone should start designing protocols for this, or that 
this should go in the next draft.  But a few additions to the OpenPGP 
format might allow someone to do these types of things, if they wanted to:
  - a better way of binding a subkey to an application protocol, to 
compartmentalize the damage from a compromise - so if your OpenPGP/TLS key 
is compromised, the attacker couldn't turn around and use this key for 
OpenPGP/SSH.  Discussed a bit here [2].
  - sub-subkeys (and sub-sub-subkeys, etc.).  So you can have 
"intermediaries" like above.

Just curious if people think that would be an interesting direction for PGP 
to grow in..

Trevor


[1] http://www.ietf.org/internet-drafts/draft-ietf-pkix-proxy-06.txt
[2] http://www.imc.org/ietf-openpgp/mail-archive/msg05092.html



Date: Tue, 17 Jun 2003 13:05:04 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <20030617123002.GG20267@jabberwocky.com>
X-Sender: trevp00@pop.comcast.net
To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030617120640.028e0ce8@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>

At 08:30 AM 6/17/2003 -0400, David Shaw wrote:

>On Mon, Jun 16, 2003 at 09:47:59PM -0700, Trevor Perrin wrote:
> > [...]
> > The problem is that there's a forward-linkage from a primary key to a
> > subkey, but no back-linkage from a signing subkey to the primary key.  Hal
> > suggested having the signing subkey also certify the primary key.  I
> > suggested having the signatures produced by the signing subkey have the
> > primary key's ID as a hashed subpacket.
>
>Yes.  There are pros and cons, but on balance I like Hal's solution a
>bit better as it only needs to be done once, presumably at key
>generation time.  The subpacket solution needs to be done every time
>the signing subkey issues a signature.
>
>The subpacket solution does have a nice side effect in that it becomes
>possible to always know the primary key when looking at a subkey
>signature.  Since most keyservers don't support search-by-subkey yet,
>this could be handy. [...]

Another slight advantage is that the relying party doesn't have to verify 
an extra signature.  Also, pre-existing keys with signing subkeys wouldn't 
have to be modified, they could just start issuing signatures with this new 
subpacket.  (On the other hand, with the solution you and Hal advocate, if 
you *do* modify the key by adding a back-signature, then pre-existing 
message signatures can take advantage of it, so maybe this is a wash).

Either solution seems fine.  You also mentioned requiring self-signatures 
on user IDs, which seems like a good thing to insist on, and pretty much 
takes care of the proof-of-possession concern I was raising, I think.

Trevor 



From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys
Date: Tue, 17 Jun 2003 22:45:07 +0200
Message-ID: <cdvuev4t1nv43an67r445nl2epsdh8rg40@4ax.com>
References: <sjm1xxu5ett.fsf@kikki.mit.edu> <008b01c3340c$9070cf70$39632352@happy> <5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com> <87of0yrn9r.fsf@alberti.g10code.de>
In-Reply-To: <87of0yrn9r.fsf@alberti.g10code.de>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5HK3mrb007910


Hello Werner,

On Mon, 16 Jun 2003 18:38:08 +0200, you wrote:

>
>On Mon, 16 Jun 2003 18:29:06 +0200, Imad R Faiad said:
>
>> You are assuming that law enforcers are inept morons!
>
>It is a matter of the law and the loopholes it has.  IIRC, the British
>RIP act does not allow seizing a computer but allows a police officer
>to demand the decryption key for a message they have intercepted or
>somehow else got access to.  There is even no need to pass them the
>entire PGP key, including the passphrase; there must simply be a
>mechanism to decrypt a message they "own".  This is also the reason
>GnuPG provides the --{show,override}-session-key options.
>
>> Do yourself a favor, and don't ever use this technique
>> again, it is now public knowledge!
>
>I am pretty sure that Ian - who is FIPR director and co-author of the
>PFS draft - knows very well what he is doing.
>
I think you are in need of some education, so I am going to take some
time to broaden your perspective...

Haven't you ever heard of the following:-

We are all sprung from the same stock, partakers of the same
nature, and sharers in the same hope;  and although distinctions
among men are necessary to preserve subordination, yet ought
no eminence of situation make us forget that we are all
in the same boat, for he who is placed on the lowest spoke of
fortune's wheel is equally entitled to our regards, as time
will come, and wisest of us knows not how soon, when all
distinctions, save those of goodness and virtue, shall cease,
and death, the grand leveler of all human greatness, reduce
us to the same state.

I do sincerely hope that you will be inspired by the above
and apply it forthwith ;)

Best regards

Imad R. Faiad
>
>Salam-Shalom,
>
>   Werner





Date: Tue, 17 Jun 2003 15:32:23 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: "Imad R. Faiad" <matic@cyberia.net.lb>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617193223.GJ20267@jabberwocky.com>
Mail-Followup-To: "Imad R. Faiad" <matic@cyberia.net.lb>, ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com> <nojuevg6op7slpamu0nir13vfac84q9n2q@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <nojuevg6op7slpamu0nir13vfac84q9n2q@4ax.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i


On Tue, Jun 17, 2003 at 07:26:24PM +0200, Imad R. Faiad wrote:

> I am afraid that signing subkeys are going to be very
> expensive to implement.  The whole of the keyserver
> infrastructure needs to be retrofitted to deal with them.
> You are right that 2440 defined signing master keys years
> ago, however, to be honest with you, this is my second
> encounter with them, and I consider myself a heavy
> PGP user.  TIGER192, SHA1x, & HAVAL-5-160, had more
> widespread use than signing subkeys, if you ask me.
> Yet, we had no qualms about dropping them.

Yes, and I agreed with dropping them, but I don't see a real
inconsistency here.  There is a substantial difference between
dropping hash algorithms that were either unused (MD2), or unusable
(TIGER192 and HAVAL-5-160 had no OID, double-SHA was experimental),
and dropping a used feature from a widely deployed implementation.

As it happens, some keyservers (the LDAP ones) support subkey searches
today.  The newer HKP servers (SKS, ONAK) plan to add support soon.
To be sure, PKS doesn't support it, but frankly, PKS also eats keys on
a regular basis.  If we were going to restrict OpenPGP based on what
some of the PKSes out there could handle without choking, we'd have to
throw away v4 RSA and any key with more than one subkey as well. ;)

I think it is poor practice to restrict OpenPGP based on what a single
broken keyserver can handle, especially since there are many
alternatives, including a few fixed versions of PKS.

If you are very concerned about old keyservers not being able to
retrieve a key given a subkey ID, then I would certainly support an
(optional) subpacket or signature notation to be used on signatures
issued by a signing subkey.  The subpacket would contain the keyid of
the primary key, just to make it easier to find on a keyserver.

(I saw you were unable to verify my message with PGP 8.  For some
reason, signing subkeys only work with the "pgpmail" interface and not
the plugins in PGP 8.  I assume it's a bug, and hopefully it'll be
fixed in the next update.)

David


From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Date: Tue, 17 Jun 2003 19:26:24 +0200
Message-ID: <nojuevg6op7slpamu0nir13vfac84q9n2q@4ax.com>
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com>
In-Reply-To: <20030617140530.GA30488@jabberwocky.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5HGj4rb096974


On Tue, 17 Jun 2003 10:05:30 -0400, you wrote:

>
>[2F17AC17]*** PGP SIGNATURE VERIFICATION ***
>[2F17AC17]*** Hash: SHA1
>[2F17AC17]*** Status: Signing Algorithm Not Supported
>[2F17AC17]*** Signer: David M. Shaw <dshaw@jabberwocky.com>
>*** Note: Signing Key is a Sub-Key!
>[2F17AC17]*** Key ID: 0xE2665C8749E1CBC9
>[2F17AC17]*** Fingerprint: FC2A 0E9B 5122 7D7B 5923  2CE6 E266 5C87 49E1
>CBC9 [2F17AC17]*** Signed: 6/17/2003 4:05:30 PM
>[2F17AC17]*** Verified: 6/17/2003 6:55:28 PM
>[2F17AC17]*** BEGIN PGP VERIFIED MESSAGE ***
>
<snip>
>
>With regards to signing subkeys in general, I'd much rather fix the
>problem than drop signing subkeys.  2440 defined signing subkeys years
>ago, and they are already in use today (this message is signed by
>one).  They are very useful in a good number of situations.  To remove
>them now seems like a step backwards.
>
David, I don't think that signing subkeys are a good idea.
Please look at the above verification block.  Furthermore,
I had problems retrieving the signing key from the servers.
So, I grabbed all the keys out there with "David Shaw" as UID.
You probably consider me thick, but there are OpenPGP users
out there who are a lot thicker than I am.
The irony is that, you can achieve the same thing with
a signing master key if you think about it.
I am afraid that signing subkeys are going to be very
expensive to implement.  The whole of the keyserver
infrastructure needs to be retrofitted to deal with them.
You are right that 2440 defined signing master keys years
ago, however, to be honest with you, this is my second
encounter with them, and I consider myself a heavy
PGP user.  TIGER192, SHA1x, & HAVAL-5-160, had more
widespread use than signing subkeys, if you ask me.
Yet, we had no qualms about dropping them.
The same should be done for signing subkeys.
The less, the simpler the better.

>David
>
Best Regards

Imad R. Faiad
>[2F17AC17]*** END PGP VERIFIED MESSAGE ***





To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com> <sjm4r2ox049.fsf@kikki.mit.edu> <20030617143715.GH20267@jabberwocky.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 17 Jun 2003 11:02:15 -0400
In-Reply-To: <20030617143715.GH20267@jabberwocky.com>
Message-ID: <sjmvfv4vjbc.fsf@kikki.mit.edu>
Lines: 28
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Sure, this is fine... Theoretically the real key owner should have
access to both private keys at the same time, so this shouldn't be an
issue.  Using a subpacket is fine.  I still believe this is a MUST ;)

-derek

David Shaw <dshaw@jabberwocky.com> writes:

> > I think this is exactly where a notary-style double-signature is
> > useful (and should be required as a MUST).
> 
> So, the primary signs the subkey as before and then the subkey
> notarizes (0x50 sig) this signature?  That sounds good, but we'll end
> up with two signature packets after the signing subkey.  I'm afraid it
> would be likely to confuse pre-2440bis implementations which don't
> expect to see that extra signature there.
> 
> If we put the subkey-on-primary signature IN the original
> primary-on-subkey signature (as a new subpacket), then it won't break
> older implementations.
> 
> David

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


Date: Tue, 17 Jun 2003 10:37:15 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: Derek Atkins <warlord@MIT.EDU>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617143715.GH20267@jabberwocky.com>
Mail-Followup-To: Derek Atkins <warlord@MIT.EDU>, ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com> <sjm4r2ox049.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjm4r2ox049.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i


On Tue, Jun 17, 2003 at 10:13:58AM -0400, Derek Atkins wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
> 
> > Yes.  Hal suggested something similar, but to have the signing subkey
> > certify the primary.
> 
> That's not sufficient..  We need both signature keys to cross-certify.
> The attack without cross-certification is that I could generate a
> signing key and then certify that it's a signing subkey of
> president@whitehouse.gov.

Sorry, I wasn't clear.  I should have said "... in addition to the
current subkey certification from the primary".

> > Does anyone have any thoughts on the details of this?  We already have
> > all the parts needed to have a signing subkey certify the primary
> > (just have the subkey issue a 1F signature).  I like your suggestion
> > to put it in the subkey self-signature since that will avoid the
> > inevitable messiness when a subkey is deleted, but leaves behind the
> > 1F signature.  Putting it in the subkey self-signature keeps things
> > neat.
> 
> I think this is exactly where a notary-style double-signature is
> useful (and should be required as a MUST).

So, the primary signs the subkey as before and then the subkey
notarizes (0x50 sig) this signature?  That sounds good, but we'll end
up with two signature packets after the signing subkey.  I'm afraid it
would be likely to confuse pre-2440bis implementations which don't
expect to see that extra signature there.

If we put the subkey-on-primary signature IN the original
primary-on-subkey signature (as a new subpacket), then it won't break
older implementations.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7yeb4mZch0nhy8kRAlA5AJ4/ISSYODKaqfddnrTshij3wdCIwgCgkDlv
nJ7Tnd18mVYhmWpeltpcE1M=
=6y3m
-----END PGP SIGNATURE-----


To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu> <20030617140530.GA30488@jabberwocky.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: 17 Jun 2003 10:13:58 -0400
In-Reply-To: <20030617140530.GA30488@jabberwocky.com>
Message-ID: <sjm4r2ox049.fsf@kikki.mit.edu>
Lines: 39
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

David Shaw <dshaw@jabberwocky.com> writes:

> Yes.  Hal suggested something similar, but to have the signing subkey
> certify the primary.

That's not sufficient.  We need both signature keys to cross-certify.
The attack without cross-certification is that I could generate a
signing key and then certify that it's a signing subkey of
president@whitehouse.gov.

> Does anyone have any thoughts on the details of this?  We already have
> all the parts needed to have a signing subkey certify the primary
> (just have the subkey issue a 1F signature).  I like your suggestion
> to put it in the subkey self-signature since that will avoid the
> inevitable messiness when a subkey is deleted, but leaves behind the
> 1F signature.  Putting it in the subkey self-signature keeps things
> neat.

I think this is exactly where a notary-style double-signature is
useful (and should be required as a MUST).

> With regards to signing subkeys in general, I'd much rather fix the
> problem than drop signing subkeys.  2440 defined signing subkeys years
> ago, and they are already in use today (this message is signed by
> one).  They are very useful in a good number of situations.  To remove
> them now seems like a step backwards.

Fair enough.  I don't like it, but we can at least fix the
certification problems.

> David

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


Date: Tue, 17 Jun 2003 10:05:30 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: warlord@mit.edu
Cc: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617140530.GA30488@jabberwocky.com>
Mail-Followup-To: warlord@mit.edu, ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com> <sjmptlcx1ao.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmptlcx1ao.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (87% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jun 17, 2003 at 09:48:31AM -0400, Derek Atkins wrote:
> David Shaw <dshaw@jabberwocky.com> writes:
> 
> > On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> > > 
> > > Trevor Perrin <trevp@trevp.net> writes:
> > > 
> > > > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > > > you bury that treasure we stole?"  Charlie replies "If you're really
> > > > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > > > I'll know which public key is yours."  So Bob does.  But Alice now
> > > > slips Charlie a primary key that has Bob's public key as a signing
> > > > subkey, and Alice's public key as an encryption subkey.  Charlie
> > > > decrypts and verifies the message, and is satisfied that the owner of
> > > > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > > > treasure map to Alice's public key.
> > > 
> > > Except that Alice's subkey wouldn't have a self-signature by Bob's
> > > primary key, so it shouldn't be accepted by Charlie as a valid subkey.
> > 
> > I think Trevor was referring to Alice generating a brand new primary
> > signing key and encryption subkey, and then using the new primary to
> > self-sign Bob's signing subkey (or transform Bob's primary into a
> > subkey and self-sign that).  Alice then is in possession of a key that
> > will correctly verify Bob's signatures, but someone encrypting to the
> > key will encrypt to Alice.
> > 
> > Alice can't issue signatures as Bob, but can attempt to claim existing
> > Bob signatures as her own.
> 
> Well, the obvious fix for this attack is to require all signing keys
> to be authoritative.  If we're going to allow signature subkeys (as
> opposed to just encryption subkeys), then the self-signature on that
> subkey should be a two-factor signature, requiring BOTH secret keys.

Yes.  Hal suggested something similar, but to have the signing subkey
certify the primary.

Does anyone have any thoughts on the details of this?  We already have
all the parts needed to have a signing subkey certify the primary
(just have the subkey issue a 1F signature).  I like your suggestion
to put it in the subkey self-signature since that will avoid the
inevitable messiness when a subkey is deleted, but leaves behind the
1F signature.  Putting it in the subkey self-signature keeps things
neat.

With regards to signing subkeys in general, I'd much rather fix the
problem than drop signing subkeys.  2440 defined signing subkeys years
ago, and they are already in use today (this message is signed by
one).  They are very useful in a good number of situations.  To remove
them now seems like a step backwards.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7yAq4mZch0nhy8kRAvMdAKCsBsZK5LITnlFr4m/enwqUdmruUACgy/Dc
RzWq73rYII43Mabr7S0QNO4=
=RBrQ
-----END PGP SIGNATURE-----


To: David Shaw <dshaw@jabberwocky.com>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu> <20030617032035.GE20267@jabberwocky.com>
Date: 17 Jun 2003 09:48:31 -0400
In-Reply-To: <20030617032035.GE20267@jabberwocky.com>
Message-ID: <sjmptlcx1ao.fsf@kikki.mit.edu>
Lines: 47
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

David Shaw <dshaw@jabberwocky.com> writes:

> On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> > 
> > Trevor Perrin <trevp@trevp.net> writes:
> > 
> > > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > > you bury that treasure we stole?"  Charlie replies "If you're really
> > > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > > I'll know which public key is yours."  So Bob does.  But Alice now
> > > slips Charlie a primary key that has Bob's public key as a signing
> > > subkey, and Alice's public key as an encryption subkey.  Charlie
> > > decrypts and verifies the message, and is satisfied that the owner of
> > > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > > treasure map to Alice's public key.
> > 
> > Except that Alice's subkey wouldn't have a self-signature by Bob's
> > primary key, so it shouldn't be accepted by Charlie as a valid subkey.
> 
> I think Trevor was referring to Alice generating a brand new primary
> signing key and encryption subkey, and then using the new primary to
> self-sign Bob's signing subkey (or transform Bob's primary into a
> subkey and self-sign that).  Alice then is in possession of a key that
> will correctly verify Bob's signatures, but someone encrypting to the
> key will encrypt to Alice.
> 
> Alice can't issue signatures as Bob, but can attempt to claim existing
> Bob signatures as her own.

Well, the obvious fix for this attack is to require all signing keys
to be authoritative.  If we're going to allow signature subkeys (as
opposed to just encryption subkeys), then the self-signature on that
subkey should be a two-factor signature, requiring BOTH secret keys.

It was unclear from the proposed attack that this was using signature
sub-keys.  I personally believe that signature subkeys are a bad idea,
but if the working group seems to feel otherwise I think we should put
some strong language about the pitfalls.

> David

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


Date: Tue, 17 Jun 2003 08:30:02 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617123002.GG20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 09:47:59PM -0700, Trevor Perrin wrote:
> 
> At 11:36 PM 6/16/2003 -0400, David Shaw wrote:
> 
> >On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
> >> But here's another angle: suppose Alice gets someone to sign her
> >> legitimate primary signing key.  Then she signs Bob's public key as
> >> a subkey of her primary key.  So even if you've done a
> >> Proof-of-Possession check on Alice's primary key, she can possibly
> >> evade that by introducing a subkey.
> >
> >At least one of the challenge policies (mine) requires that the
> >challenge response comes from the primary key.  The primary is the one
> >that I got a fingerprint for, and the primary is the one I'm signing
> >when I certify the key, so the primary is the one I require the
> >challenge response from.
> 
> Right, but after you've done this, and checked that Alice really possesses 
> her primary private key, Alice can certify a subkey whose private key she 
> doesn't really possess.

Right, but if/when we fix this problem, then all of the certifications
I've made already are still correct (as I ensured it was a primary
that signed the challenge).

> The problem is that there's a forward-linkage from a primary key to a 
> subkey, but no back-linkage from a signing subkey to the primary key.  Hal 
> suggested having the signing subkey also certify the primary key.  I 
> suggested having the signatures produced by the signing subkey have the 
> primary key's ID as a hashed subpacket.

Yes.  There are pros and cons, but on balance I like Hal's solution a
bit better as it only needs to be done once, presumably at key
generation time.  The subpacket solution needs to be done every time
the signing subkey issues a signature.

The subpacket solution does have a nice side effect in that it becomes
possible to always know the primary key when looking at a subkey
signature.  Since most keyservers don't support search-by-subkey yet,
this could be handy.  Still, having the subkey sign the primary seems
cleaner.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7wnK4mZch0nhy8kRAi9KAJ98oRmHWim4+r27sGD6Mdf9YaTVOwCguBY5
AtOlPtttUTQ60/RjK3NEI6Y=
=ug92
-----END PGP SIGNATURE-----


Date: Mon, 16 Jun 2003 21:47:59 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <20030617033611.GF20267@jabberwocky.com>
X-Sender: trevp00@pop.comcast.net
To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616211831.0289e480@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

At 11:36 PM 6/16/2003 -0400, David Shaw wrote:

>On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:
> > But here's another angle: suppose Alice gets someone to sign her
> > legitimate primary signing key.  Then she signs Bob's public key as
> > a subkey of her primary key.  So even if you've done a
> > Proof-of-Possession check on Alice's primary key, she can possibly
> > evade that by introducing a subkey.
>
>At least one of the challenge policies (mine) requires that the
>challenge response comes from the primary key.  The primary is the one
>that I got a fingerprint for, and the primary is the one I'm signing
>when I certify the key, so the primary is the one I require the
>challenge response from.

Right, but after you've done this, and checked that Alice really possesses 
her primary private key, Alice can certify a subkey whose private key she 
doesn't really possess.

The problem is that there's a forward-linkage from a primary key to a 
subkey, but no back-linkage from a signing subkey to the primary key.  Hal 
suggested having the signing subkey also certify the primary key.  I 
suggested having the signatures produced by the signing subkey have the 
primary key's ID as a hashed subpacket.


Trevor 



Date: Mon, 16 Jun 2003 23:36:11 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617033611.GF20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 03:53:11PM -0700, Trevor Perrin wrote:

> >> Is there a risk that Alice could trick someone into certifying
> >> that Bob's public key belongs to her?  Then someone receiving a
> >> signed message from Bob might incorrectly think it came from
> >> Alice.
> >
> >Not really, since when Charlie certifies key X, he isn't certifying
> >that it belongs to anyone other than the string in the user ID.
> >Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be
> >a problem ;)
> >
> >Of course, it is possible for Alice to attach her own name to Bob's
> >key as a second user ID, but that user ID wouldn't be self-signed
> >and so it would be difficult to get someone else to sign it.
> 
> Probably Alice would first ditch Bob's self-signed user ID, then add
> her own name as an unsigned user ID.  How software would display
> that, and whether users would recognize the danger signs and not
> sign that, I dunno.

PGP shows such user IDs as revoked (not sure why) and refuses to sign
them.

GnuPG shows such user IDs as unsigned, and warns the user before
signing them.  I may go ahead and make the warning even stronger or
just flat out refuse to sign like PGP.

This raises a 2440bis question: given all the recent deprecation of
PGP 2.x stuff, is it worth requiring self-signatures on user IDs now?
If I recall, the only reason that user ID self-signatures are not
currently required was for 2.x compatibility.  Certainly every modern
implementation (5.0+, any GnuPG) generates user ID self-signatures
automatically when a user ID is created.

> But here's another angle: suppose Alice gets someone to sign her
> legitimate primary signing key.  Then she signs Bob's public key as
> a subkey of her primary key.  So even if you've done a
> Proof-of-Possession check on Alice's primary key, she can possibly
> evade that by introducing a subkey.

At least one of the challenge policies (mine) requires that the
challenge response comes from the primary key.  The primary is the one
that I got a fingerprint for, and the primary is the one I'm signing
when I certify the key, so the primary is the one I require the
challenge response from.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7oyr4mZch0nhy8kRAl49AKCuSJGc0CJnC6sNYxXvOhzW/xgYcQCgkErK
k1+VB8LIaS1cDV/VFKSkmSc=
=xm/X
-----END PGP SIGNATURE-----


Date: Mon, 16 Jun 2003 20:22:07 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306170322.h5H3M7T12804@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Trevor Perrin wrote:

> Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did you 
> bury that treasure we stole?"  Charlie replies "If you're really Bob, 
> what's our codeword?  And send it to me signed and encrypted, so I'll know 
> which public key is yours."  So Bob does.  But Alice now slips Charlie a 
> primary key that has Bob's public key as a signing subkey, and Alice's 
> public key as an encryption subkey.  Charlie decrypts and verifies the 
> message, and is satisfied that the owner of this primary key knows the 
> codeword, and is "Bob".  So he encrypts the treasure map to Alice's public key.

This illustrates a problem with signature subkeys.  When a top-level key
is used to sign a message, it is also used to sign the encryption subkeys.
So your message is signed by the same key that said "use one of these
subkeys to encrypt to me".  You have assurance in that case that you
are encrypting the reply to a key endorsed by the person who signed the
original message.

But with signature subkeys, there is no such guarantee.  The subkey is
just dangling.  It isn't making any statements about the other encryption
subkeys or the top-level master key.  That is why this fraud works in
that case.

I seem to recall that many years ago we discussed this problem, or
something similar.  We talked about requiring signature subkeys to
sign the top level key.  That way the two keys, master key and subkey,
would each sign the other.  They would in effect endorse each other as
belonging to the same key holder.

Doing this would eliminate your fraud, as there would be no signature
from Bob's "stolen" key on Alice's master key where she planted it.
This would indicate that the subkey did not belong there, hence that
the encryption subkeys didn't go with it.

Hal Finney


Date: Mon, 16 Jun 2003 23:20:35 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Cc: Derek Atkins <derek@ihtfp.com>
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030617032035.GE20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org, Derek Atkins <derek@ihtfp.com>
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <sjmy901whth.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <sjmy901whth.fsf@kikki.mit.edu>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 10:36:58PM -0400, Derek Atkins wrote:
> 
> Trevor Perrin <trevp@trevp.net> writes:
> 
> > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > you bury that treasure we stole?"  Charlie replies "If you're really
> > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > I'll know which public key is yours."  So Bob does.  But Alice now
> > slips Charlie a primary key that has Bob's public key as a signing
> > subkey, and Alice's public key as an encryption subkey.  Charlie
> > decrypts and verifies the message, and is satisfied that the owner of
> > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > treasure map to Alice's public key.
> 
> Except that Alice's subkey wouldn't have a self-signature by Bob's
> primary key, so it shouldn't be accepted by Charlie as a valid subkey.

I think Trevor was referring to Alice generating a brand new primary
signing key and encryption subkey, and then using the new primary to
self-sign Bob's signing subkey (or transform Bob's primary into a
subkey and self-sign that).  Alice then is in possession of a key that
will correctly verify Bob's signatures, but someone encrypting to the
key will encrypt to Alice.

Alice can't issue signatures as Bob, but can attempt to claim existing
Bob signatures as her own.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7okD4mZch0nhy8kRAjwwAKCJRJ3Ni/jNYBuHGTNxw9xn0rrAYACfSINB
+2KqhU9KoX+/HInAzyMnH40=
=nh7Z
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3FVrb032521 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 20:15:32 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5H3FV16032520 for ietf-openpgp-bks; Mon, 16 Jun 2003 20:15:31 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H3FTrb032515 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 20:15:30 -0700 (PDT) (envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45]) by mtaout04.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HGL00F97VKYE6@mtaout04.icomcast.net> for ietf-openpgp@imc.org; Mon, 16 Jun 2003 23:12:35 -0400 (EDT)
Date: Mon, 16 Jun 2003 20:12:32 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <sjmy901whth.fsf@kikki.mit.edu>
X-Sender: trevp00@pop.comcast.net
To: Derek Atkins <derek@ihtfp.com>
Cc: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616194039.03bdbab8@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net> <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

At 10:36 PM 6/16/2003 -0400, Derek Atkins wrote:

>Trevor Perrin <trevp@trevp.net> writes:
>
> > Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> > you bury that treasure we stole?"  Charlie replies "If you're really
> > Bob, what's our codeword?  And send it to me signed and encrypted, so
> > I'll know which public key is yours."  So Bob does.  But Alice now
> > slips Charlie a primary key that has Bob's public key as a signing
> > subkey, and Alice's public key as an encryption subkey.  Charlie
> > decrypts and verifies the message, and is satisfied that the owner of
> > this primary key knows the codeword, and is "Bob".  So he encrypts the
> > treasure map to Alice's public key.
>
>Except that Alice's subkey wouldn't have a self-signature by Bob's
>primary key, so it shouldn't be accepted by Charlie as a valid subkey.

It would have a self-signature by Alice's primary key, but Charlie wouldn't 
know this was Alice's primary key and not Bob's.  In this example, I was 
assuming there's no web of trust, and Charlie doesn't otherwise know Bob's 
primary key.  Charlie is trying to authenticate Bob and determine Bob's 
keys, and knows that if Bob sends him (Charlie) a signed and encrypted 
message containing a "codeword" they both know, then the signing key must 
belong to Bob.

Charlie then makes the reasonable but wrong assumption that the primary key 
and the encryption subkey that he found associated with this signing subkey 
must also belong to Bob.

If the signature on the actual message contained the primary key ID, as a 
hashed subpacket, then an attacker wouldn't be able to associate her own 
primary key with Bob's signing key, so then Charlie's assumption would be 
correct.  I think.

Trevor 
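
The splice David and Trevor describe, worked through as an added example that is not part of the thread: a Python model of an OpenPGP certificate (primary key, user ID, subkeys bound by the primary's signature). Textbook RSA on fixed Mersenne primes stands in for real keys and the packet layouts are this example's own simplification; none of it is secure. It shows Charlie's reasoning accepting Alice's spliced certificate, Trevor's proposed hashed primary-key-ID subpacket rejecting it, and, as a third check the thread does not discuss, a back-signature by the signing subkey over its primary (the primary key binding signature that RFC 4880 later required for signing subkeys), which Alice cannot produce because she lacks Bob's private signing key. It also covers Trevor's point that a proof-of-possession check on Alice's own primary key does not help, since her primary is genuine and only the subkey is borrowed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

_MERSENNE = (13, 17, 19, 31, 61, 89, 107, 127, 521, 607)  # 2**k - 1 is prime for each k

def toy_keypair(i: int, e: int = 65537):
    """Textbook RSA pair number i (0..4): returns ((n, e), (n, d)). Toy sizes, not secure."""
    p, q = 2 ** _MERSENNE[2 * i] - 1, 2 ** _MERSENNE[2 * i + 1] - 1
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def key_id(pub) -> str:
    """Stand-in for an OpenPGP key ID: low 64 bits of a hash of the public material."""
    return hashlib.sha1(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[-16:]

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Subkey:
    pub: tuple
    usage: str                      # "sign" or "encrypt"
    binding_sig: int                # by the primary key: "this subkey is mine"
    back_sig: Optional[int] = None  # by the subkey itself: "this primary is mine"

@dataclass
class Cert:                         # a transferable public key, simplified
    primary_pub: tuple
    user_id: str
    subkeys: list

def binding_data(primary_pub, subkey_pub, usage) -> bytes:
    return f"subkey-binding|{key_id(primary_pub)}|{key_id(subkey_pub)}|{usage}".encode()

def bind_subkey(primary_priv, primary_pub, subkey_pub, usage, subkey_priv=None) -> Subkey:
    """Whoever holds the primary's private key can bind any public key as a subkey.
    Only a holder of the subkey's private key can add the back-signature."""
    data = binding_data(primary_pub, subkey_pub, usage)
    back = sign(subkey_priv, data) if subkey_priv is not None else None
    return Subkey(subkey_pub, usage, sign(primary_priv, data), back)

def signed_data(message: bytes, hashed: dict) -> bytes:
    """Message plus the hashed subpacket area, which the signature covers."""
    return message + b"|" + "|".join(f"{k}={hashed[k]}" for k in sorted(hashed)).encode()

def sign_message(subkey_priv, subkey_pub, message: bytes, primary_pub=None) -> dict:
    hashed = {"issuer": key_id(subkey_pub)}
    if primary_pub is not None:     # Trevor's proposal: name the primary key in the hashed area
        hashed["primary-key-id"] = key_id(primary_pub)
    return {"hashed": hashed, "sig": sign(subkey_priv, signed_data(message, hashed))}

def verify_message(cert: Cert, message: bytes, msg_sig: dict, require_back_sig=False):
    """Charlie's reasoning from the thread: find the signing subkey, check that the
    primary vouches for it, then treat the certificate's encryption subkey as the
    signer's. Returns the key ID Charlie would encrypt his reply to, or None."""
    hashed = msg_sig["hashed"]
    sk = next((s for s in cert.subkeys if s.usage == "sign" and key_id(s.pub) == hashed["issuer"]), None)
    if sk is None or not verify(sk.pub, signed_data(message, hashed), msg_sig["sig"]):
        return None
    data = binding_data(cert.primary_pub, sk.pub, sk.usage)
    if not verify(cert.primary_pub, data, sk.binding_sig):   # Derek's check: primary self-signature
        return None
    if hashed.get("primary-key-id", key_id(cert.primary_pub)) != key_id(cert.primary_pub):
        return None                                           # Trevor's check: signer named another primary
    if require_back_sig and (sk.back_sig is None or not verify(sk.pub, data, sk.back_sig)):
        return None                                           # back-signature check (not in the thread)
    enc = next((s for s in cert.subkeys if s.usage == "encrypt"), None)
    return key_id(enc.pub) if enc else None

def scenario() -> dict:
    bob_pub, bob_priv = toy_keypair(0)
    bob_sign_pub, bob_sign_priv = toy_keypair(1)
    bob_enc_pub, _ = toy_keypair(2)
    alice_pub, alice_priv = toy_keypair(3)    # Alice's genuine primary; a PoP check on it passes
    alice_enc_pub, _ = toy_keypair(4)
    bob_cert = Cert(bob_pub, "Bob", [
        bind_subkey(bob_priv, bob_pub, bob_sign_pub, "sign", bob_sign_priv),
        bind_subkey(bob_priv, bob_pub, bob_enc_pub, "encrypt")])
    spliced = Cert(alice_pub, "Bob", [        # Bob's public signing key next to Alice's encryption key
        bind_subkey(alice_priv, alice_pub, bob_sign_pub, "sign"),   # no back-signature: Alice lacks the key
        bind_subkey(alice_priv, alice_pub, alice_enc_pub, "encrypt")])
    msg = b"the codeword is swordfish"        # constructed sample message
    plain = sign_message(bob_sign_priv, bob_sign_pub, msg)
    tagged = sign_message(bob_sign_priv, bob_sign_pub, msg, primary_pub=bob_pub)
    return {
        "bob_enc": key_id(bob_enc_pub), "alice_enc": key_id(alice_enc_pub),
        "genuine": verify_message(bob_cert, msg, plain),
        "spliced_no_subpacket": verify_message(spliced, msg, plain),
        "spliced_with_subpacket": verify_message(spliced, msg, tagged),
        "spliced_back_sig_required": verify_message(spliced, msg, plain, require_back_sig=True),
        "genuine_back_sig_required": verify_message(bob_cert, msg, tagged, require_back_sig=True),
    }

if __name__ == "__main__":
    print(scenario())
```

Running scenario() shows the three outcomes side by side: with a bare signature Charlie ends up with Alice's encryption key ID, with the primary-key-ID subpacket the spliced certificate is rejected, and with the back-signature requirement it is rejected even for signatures Bob made before anyone thought of the subpacket, because the defect is in the certificate rather than in the message.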



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H2axrb031112 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 19:36:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5H2ax0I031111 for ietf-openpgp-bks; Mon, 16 Jun 2003 19:36:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H2awrb031104 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 19:36:58 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5H2b0rT007216; Mon, 16 Jun 2003 22:37:00 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5H2axhH024498; Mon, 16 Jun 2003 22:36:59 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5H2awU8028930; Mon, 16 Jun 2003 22:36:58 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id WAA16026; Mon, 16 Jun 2003 22:36:58 -0400 (EDT)
To: Trevor Perrin <trevp@trevp.net>
Cc: ietf-openpgp@imc.org
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: PoP & Signer's User ID subpacket?
References: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
Date: 16 Jun 2003 22:36:58 -0400
In-Reply-To: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
Message-ID: <sjmy901whth.fsf@kikki.mit.edu>
Lines: 43
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Trevor Perrin <trevp@trevp.net> writes:

> Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did
> you bury that treasure we stole?"  Charlie replies "If you're really
> Bob, what's our codeword?  And send it to me signed and encrypted, so
> I'll know which public key is yours."  So Bob does.  But Alice now
> slips Charlie a primary key that has Bob's public key as a signing
> subkey, and Alice's public key as an encryption subkey.  Charlie
> decrypts and verifies the message, and is satisfied that the owner of
> this primary key knows the codeword, and is "Bob".  So he encrypts the
> treasure map to Alice's public key.

Except that Alice's subkey wouldn't have a self-signature by Bob's
primary key, so it shouldn't be accepted by Charlie as a valid subkey.

> In the "riddle" case, Charlie assumed a relation between the signing
> key and Alice's name which Alice could falsify.  In the "treasure"
> case, Charlie assumed a relation between the signing subkey and
> encryption subkey which Alice could falsify.

Except Alice cannot falsify without the help of Bob.  Why would
bob sign Alice's subkey as her own?

> Before, I suggested adding the "Signer's User ID" subpacket into
> message signatures.  This would work in the "riddle" case, where Alice
> falsifies the name, but not in the "treasure" case, where Alice
> falsifies the relation between subkeys.  Maybe a message signature
> produced by a subkey should also contain a subpacket that gives the
> primary key ID, so an attacker can't present his primary key and
> someone else's subkey to verify someone else's signature.  Haven't
> really thought this through, though..

Without a self-signature on the subkey, how would it be accepted
as valid?

> Trevor

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H1oqrb030220 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 18:50:52 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5H1oqRD030219 for ietf-openpgp-bks; Mon, 16 Jun 2003 18:50:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.109]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5H1oorb030212 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:50:51 -0700 (PDT) (envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45]) by mtaout05.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HGL00BC3RSFCN@mtaout05.icomcast.net> for ietf-openpgp@imc.org; Mon, 16 Jun 2003 21:50:39 -0400 (EDT)
Date: Mon, 16 Jun 2003 18:50:36 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <200306162322.h5GNMi411651@finney.org>
X-Sender: trevp00@pop.comcast.net
To: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616172415.0289e480@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

At 04:22 PM 6/16/2003 -0700, Hal Finney wrote:


>How bad is it to make someone else think that a key is yours, when it
>actually is not?  I.e. you have no idea what the private part is.
>[...]
>This could mean that a message signed by someone else might appear to be
>signed by you.  But that's not so significant, as you could have achieved
>the same effect just by copying the plaintext of the message to be signed
>and signing it with one of your own keys.

If you have access to the plaintext - but if Bob sends Charlie a signed and 
encrypted message, and Charlie receives what looks like a signed and 
encrypted message from Alice, that's a neat trick on Alice's part, since 
she'll have effectively signed something she never saw.

For example, Charlie says "I'll give twenty bucks to whoever answers my 
riddle".  Alice doesn't know the answer, but makes Bob's signed and 
encrypted answer appear to come from her.

Something similar: what if Alice's signature subkey belongs to a primary 
key that also has an encryption subkey?  Suppose the signature subkey is 
really Bob's key, but the encryption subkey is legitimately Alice's.  Then 
if Charlie receives a message signed by Bob's signature key and containing 
corroborating info, so Charlie is convinced it really came from Bob, 
Charlie might leap to the false conclusion that Alice's encryption public 
key is also associated with Bob.  I.e.:

Bob emails Charlie and says "Hi, I'm your old friend Bob.  Where did you 
bury that treasure we stole?"  Charlie replies "If you're really Bob, 
what's our codeword?  And send it to me signed and encrypted, so I'll know 
which public key is yours."  So Bob does.  But Alice now slips Charlie a 
primary key that has Bob's public key as a signing subkey, and Alice's 
public key as an encryption subkey.  Charlie decrypts and verifies the 
message, and is satisfied that the owner of this primary key knows the 
codeword, and is "Bob".  So he encrypts the treasure map to Alice's public key.

In the "riddle" case, Charlie assumed a relation between the signing key 
and Alice's name which Alice could falsify.  In the "treasure" case, 
Charlie assumed a relation between the signing subkey and encryption subkey 
which Alice could falsify.

Before, I suggested adding the "Signer's User ID" subpacket into message 
signatures.  This would work in the "riddle" case, where Alice falsifies 
the name, but not in the "treasure" case, where Alice falsifies the 
relation between subkeys.  Maybe a message signature produced by a subkey 
should also contain a subpacket that gives the primary key ID, so an 
attacker can't present his primary key and someone else's subkey to verify 
someone else's signature.  Haven't really thought this through, though..

Trevor




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GNNqrb027336 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 16:23:52 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GNNqRT027335 for ietf-openpgp-bks; Mon, 16 Jun 2003 16:23:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GNNprb027329 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 16:23:51 -0700 (PDT) (envelope-from hal@finney.org)
Received: (from hal@localhost) by finney.org (8.11.6/8.11.6) id h5GNMi411651 for ietf-openpgp@imc.org; Mon, 16 Jun 2003 16:22:44 -0700
Date: Mon, 16 Jun 2003 16:22:44 -0700
From: "Hal Finney" <hal@finney.org>
Message-Id: <200306162322.h5GNMi411651@finney.org>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

How bad is it to make someone else think that a key is yours, when it
actually is not?  I.e. you have no idea what the private part is.

As Trevor points out, with subkeys especially, that's exactly the
situation.  The only key/person vouching for the ownership of the
subkey(s) is the master key and its owner.  Third-party certification
doesn't cover subkeys, and in fact subkeys can be added even after third
parties sign and certify the master key.

So what can you do with this?  If you claim someone else's encryption
key as your own, it would mean (A) you can't decrypt messages sent to
that key, and (B) someone else could.  (The important point is that it
does not allow the obvious attack of letting you read messages intended
for that person.)

I suppose this could be damaging to the sender in some contrived
scenarios: if the government monitored his outgoing email, they might
find him sending a message encrypted to Osama bin Laden's public key.
He would be the victim of a prank; someone else gave him a key which
had a match to ObL's encryption key on it.  But that's pretty far-fetched.

For signatures, it would mean that (A) you could not sign messages with
that key, and (B) someone else could.

This could mean that a message signed by someone else might appear to be
signed by you.  But that's not so significant, as you could have achieved
the same effect just by copying the plaintext of the message to be signed
and signing it with one of your own keys.  And this also might work to
your detriment, as you could be harmed by some signed statement issued
by someone else, on a key you claimed as your own.

So I don't think that either of these attacks is all that serious,
as long as people understand what they mean and don't draw unwarranted
conclusions.

Hal Finney


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GMrtrb026520 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 15:53:55 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GMrtla026519 for ietf-openpgp-bks; Mon, 16 Jun 2003 15:53:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GMrrrb026512 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 15:53:53 -0700 (PDT) (envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45]) by mtaout01.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HGL00JGSJKPJY@mtaout01.icomcast.net> for ietf-openpgp@imc.org; Mon, 16 Jun 2003 18:53:14 -0400 (EDT)
Date: Mon, 16 Jun 2003 15:53:11 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: Re: PoP & Signer's User ID subpacket?
In-reply-to: <20030616220823.GD20267@jabberwocky.com>
X-Sender: trevp00@pop.comcast.net
To: David Shaw <dshaw@jabberwocky.com>, ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616153459.03bc9cb8@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
References: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net> <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

At 06:08 PM 6/16/2003 -0400, David Shaw wrote:


>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Mon, Jun 16, 2003 at 02:34:26PM -0700, Trevor Perrin wrote:
>
> > I could be wrong, but it seems like PGP keysigning often happens without
> > Proof-of-Possession of the corresponding private key.  For example, at PGP
> > keysigning parties, I think it's common for people to attest that a
> > fingerprint really belongs to them, but not have to produce signatures with
> > the corresponding private key.
>
>That is true.  Some people (like me) send a challenge to the email
>address in the user ID, and require that the key owner sign the
>challenge before I'll sign the key.  There are a few variations on
>this basic idea, some more rigorous than others.
>
> > Is there a risk that Alice could trick someone into certifying that Bob's
> > public key belongs to her?  Then someone receiving a signed message from
> > Bob might incorrectly think it came from Alice.
>
>Not really, since when Charlie certifies key X, he isn't certifying
>that it belongs to anyone other than the string in the user ID.
>Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be a
>problem ;)
>
>Of course, it is possible for Alice to attach her own name to Bob's
>key as a second user ID, but that user ID wouldn't be self-signed and
>so it would be difficult to get someone else to sign it.

Probably Alice would first ditch Bob's self-signed user ID, then add her 
own name as an unsigned user ID.  How software would display that, and 
whether users would recognize the danger signs and not sign that, I dunno.

But here's another angle: suppose Alice gets someone to sign her legitimate 
primary signing key.  Then she signs Bob's public key as a subkey of her 
primary key.  So even if you've done a Proof-of-Possession check on Alice's 
primary key, she can possibly evade that by introducing a subkey.

I'm too lazy to spend a nice summer day testing this, but from the draft it 
seems like it might work.  So I still like encouraging use of the "Signer's 
User ID" subpacket in the Security Considerations.

Trevor 



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GM8Srb025039 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 15:08:28 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GM8Sk4025036 for ietf-openpgp-bks; Mon, 16 Jun 2003 15:08:28 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GM8Rrb025030 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 15:08:27 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5GM8Ng22853 for ietf-openpgp@imc.org; Mon, 16 Jun 2003 18:08:23 -0400
Date: Mon, 16 Jun 2003 18:08:23 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: PoP & Signer's User ID subpacket?
Message-ID: <20030616220823.GD20267@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (93% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 16, 2003 at 02:34:26PM -0700, Trevor Perrin wrote:

> I could be wrong, but it seems like PGP keysigning often happens without 
> Proof-of-Possession of the corresponding private key.  For example, at PGP 
> keysigning parties, I think it's common for people to attest that a 
> fingerprint really belongs to them, but not have to produce signatures with 
> the corresponding private key.

That is true.  Some people (like me) send a challenge to the email
address in the user ID, and require that the key owner sign the
challenge before I'll sign the key.  There are a few variations on
this basic idea, some more rigorous than others.

> Is there a risk that Alice could trick someone into certifying that Bob's 
> public key belongs to her?  Then someone receiving a signed message from 
> Bob might incorrectly think it came from Alice.

Not really, since when Charlie certifies key X, he isn't certifying
that it belongs to anyone other than the string in the user ID.
Assuming Bob doesn't have a user ID "A-L-I-C-E", this shouldn't be a
problem ;)

Of course, it is possible for Alice to attach her own name to Bob's
key as a second user ID, but that user ID wouldn't be self-signed and
so it would be difficult to get someone else to sign it.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7j/X4mZch0nhy8kRAiDvAJ4z56NpKT36kiqPTwt7emS63xxJOACeOfpN
NR6yO0oWFrs032JQjE4E1As=
=z0lH
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GLYerb024405 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 14:34:40 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GLYeOI024404 for ietf-openpgp-bks; Mon, 16 Jun 2003 14:34:40 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp-out.comcast.net (smtp-out.comcast.net [24.153.64.116]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GLYdrb024397 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 14:34:39 -0700 (PDT) (envelope-from trevp@trevp.net)
Received: from TREVOR.trevp.net (12-208-8-45.client.attbi.com [12.208.8.45]) by mtaout01.icomcast.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HGL00ICPFXGMA@mtaout01.icomcast.net> for ietf-openpgp@imc.org; Mon, 16 Jun 2003 17:34:29 -0400 (EDT)
Date: Mon, 16 Jun 2003 14:34:26 -0700
From: Trevor Perrin <trevp@trevp.net>
Subject: PoP & Signer's User ID subpacket?
X-Sender: trevp00@pop.comcast.net
To: ietf-openpgp@imc.org
Message-id: <5.2.0.9.0.20030616143357.0289e480@pop.comcast.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I could be wrong, but it seems like PGP keysigning often happens without 
Proof-of-Possession of the corresponding private key.  For example, at PGP 
keysigning parties, I think it's common for people to attest that a 
fingerprint really belongs to them, but not have to produce signatures with 
the corresponding private key.

Is there a risk that Alice could trick someone into certifying that Bob's 
public key belongs to her?  Then someone receiving a signed message from 
Bob might incorrectly think it came from Alice.

Maybe, as a Security Consideration, the "Signer's User ID" subpacket should 
always be included in signatures.  If Bob always included this subpacket in 
his signatures, then no-one could be tricked into thinking Bob's signed 
messages really came from Alice.

Trevor 



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GGbsrb012861 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 09:37:54 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GGbsWr012859 for ietf-openpgp-bks; Mon, 16 Jun 2003 09:37:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GGbprb012850 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 09:37:52 -0700 (PDT) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian)) id 19Rwtk-0005X6-00 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:32:00 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian)) id 19Rwzg-0001RU-00; Mon, 16 Jun 2003 18:38:08 +0200
To: "Imad R. Faiad" <matic@cyberia.net.lb>
Cc: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys
References: <sjm1xxu5ett.fsf@kikki.mit.edu> <008b01c3340c$9070cf70$39632352@happy> <5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Mon, 16 Jun 2003 18:38:08 +0200
In-Reply-To: <5mqrev4fp1iu1uttgthqjmt8eacs91n37k@4ax.com> (Imad R. Faiad's message of "Mon, 16 Jun 2003 18:29:06 +0200")
Message-ID: <87of0yrn9r.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, 16 Jun 2003 18:29:06 +0200, Imad R Faiad said:

> You are assuming that law enforcers are inept morons!

It is a matter of the law and the loopholes it has.  IIRC, the British
RIP act does not allow seizing a computer but allows a police officer
to demand the decryption key for a message they have intercepted or
somehow else got access to.  There is no need even to pass them the
entire PGP key including the passphrase; there must simply be a
mechanism to decrypt a message they "own".  This is also the reason
GnuPG provides the --{show,override}-session-key options.

> Do yourself a favor, and don't ever use this technique
> again, it is now public knowledge!

I am pretty sure that Ian - who is FIPR director and co-author of the
PFS draft - knows very well what he is doing.


Salam-Shalom,

   Werner

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org
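
Werner's point about handing over one message rather than a key, as an added example that is not from the thread and not GnuPG's code: a Python model of OpenPGP's hybrid layout, with a public-key-encrypted session key in front of a symmetrically encrypted body. Toy RSA on fixed Mersenne primes, a SHA-256 keystream and an HMAC tag stand in for the real algorithms and for the MDC; none of it is secure. show_session_key models what --show-session-key discloses and decrypt_with_session_key what --override-session-key consumes; the function names and packet layout are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Recipient's toy RSA key from two Mersenne primes (no prime generation needed). Not secure.
_P, _Q = 2 ** 521 - 1, 2 ** 607 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))      # the long-term private key; it is never disclosed


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Stands in for the
    symmetric cipher over the payload (AES or CAST5 in OpenPGP CFB mode)."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_message(plaintext: bytes, pub=(N, E)) -> dict:
    """Sender side: fresh random session key wrapped to the recipient's public key (the
    PKESK packet, unpadded textbook RSA here), body under the session key, and an
    integrity tag (HMAC as a stand-in for the MDC)."""
    n, e = pub
    session_key = os.urandom(32)
    pkesk = pow(int.from_bytes(session_key, "big"), e, n)
    body = keystream_xor(session_key, plaintext)
    tag = hmac.new(session_key, body, "sha256").digest()
    return {"pkesk": pkesk, "body": body, "tag": tag}


def show_session_key(msg: dict, priv=(N, D)) -> bytes:
    """Key holder's side (what gpg --show-session-key exposes): unwrap the session key
    with the private key and hand over only that 32-byte value."""
    n, d = priv
    return pow(msg["pkesk"], d, n).to_bytes(32, "big")


def decrypt_with_session_key(msg: dict, session_key: bytes) -> bytes:
    """Anyone's side (what gpg --override-session-key does): decrypt this one message
    with the disclosed session key; no private key is involved."""
    expected = hmac.new(session_key, msg["body"], "sha256").digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("session key does not match this message")
    return keystream_xor(session_key, msg["body"])


def demo() -> dict:
    """Disclose the session key of one intercepted message and show that it opens
    that message and nothing else encrypted to the same public key."""
    intercepted = encrypt_message(b"meet at the usual place")        # constructed sample
    other = encrypt_message(b"unrelated message, same recipient")   # constructed sample
    sk = show_session_key(intercepted)
    result = {"intercepted": decrypt_with_session_key(intercepted, sk)}
    try:
        decrypt_with_session_key(other, sk)
        result["other"] = "opened"
    except ValueError:
        result["other"] = "refused"
    return result


if __name__ == "__main__":
    print(demo())
```

With real GnuPG the two halves are `gpg --show-session-key --decrypt msg.gpg` on the key holder's side, which prints the session key string, and `gpg --override-session-key <string> --decrypt msg.gpg` on the other side, where the string is the one printed by the first command; the private key and every other message encrypted to it stay out of reach.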



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GGD6rb009211 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 09:13:06 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GGD6LD009210 for ietf-openpgp-bks; Mon, 16 Jun 2003 09:13:06 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h5GGD4rb009200 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 09:13:05 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.26373-0@bells.cs.ucl.ac.uk>; Mon, 16 Jun 2003 17:12:56 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>
Cc: ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 17:12:57 +0100
Message-ID: <00cc01c33422$26d791a0$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <p3srev0mlipsk4e49ij9t0o3mm0fr6fba3@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> You are assuming that law enforcers are inept morons!

Nope. But if you no longer have a specific private key yourself, it
can't be seized no matter what rubber-hose cryptanalysis is applied.
Therefore any ciphertext that has previously been captured on-the-wire
cannot be decrypted.

Any message that you still have stored can be requisitioned. As I said,
I don't keep the majority of messages for any length of time.

>The mere fact that they are being discussed in a public forum 
>such as this makes them useless.

You obviously didn't read them carefully enough.




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFnDrb008304 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 08:49:13 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GFnDZH008303 for ietf-openpgp-bks; Mon, 16 Jun 2003 08:49:13 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb ([195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFnBrb008249 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 08:49:11 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-12-71.cyberia.net.lb ([195.112.203.72]) by sand.cyberia.net.lb with SMTP id <20030616154356.MQTN3447.sand@ppp-12-71.cyberia.net.lb> for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 18:43:56 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 18:29:46 +0200
Message-ID: <p3srev0mlipsk4e49ij9t0o3mm0fr6fba3@4ax.com>
References: <sjm1xxu5ett.fsf@kikki.mit.edu> <008b01c3340c$9070cf70$39632352@happy>
In-Reply-To: <008b01c3340c$9070cf70$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GFnCrb008296
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Ian,

Now, this defeats the purpose of your "short-lifetime encryption
subkeys"!

You are assuming that law enforcers are inept morons!

This is a false sense of security.

Unless you can outsmart them, which very few can indeed,
never contemplate circumventing the law by resorting
to such naive tricks.  The mere fact that they are being
discussed in a public forum such as this makes them useless.
I am sure that those authorized to seize keys would
have been trained to spot all sorts of techniques that
a key holder will resort to in order to frustrate their effort.

Do yourself a favor, and don't ever use this technique
again, it is now public knowledge!

my 2c

Best Regards

Imad R. Faiad

On Mon, 16 Jun 2003 14:38:25 +0100, you wrote:

>
>> You clearly don't archive your encrypted email...
>
>Indeed -- I decrypt messages before saving them (and use separate
>storage encryption to protect the mail store.) Nor do I save every
>message sent and received (which I know some people do).
>

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPu3v47zDFxiDPxutAQIdtwf/ZRLQZCpo3G8D46kuzPvckfU4DRKZey8M
/iMz2yCsaj3rZHa4wqy9O6/11pSXnv+DfQ7MbfJGiNyEpQOotEpjstiyNhmX/5/7
ZjVyFaFu0wMUZvAAoTa+INJstuNa0PI9+MA18lQw4zEAGw7aUdFKkZbPhQpgnQd3
AaQPwvauaH1/TPAOdHlXmqrGNMX5sb+qCVmgI878r3HoIB1YxkHKwIxMYcY1DQUe
3DM1e+3UoguXcNb868sQeDQU6Ew2CMbJ1fwMn22xV6Rq/mUJFWoDKNUBLwyr1UcL
QEaFV5fAfnOCdb7IEWKnc8TXX71FKgHHJ0SPZNVGM4gv3MhRgCpMUg==
=msEn
-----END PGP SIGNATURE-----






Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFCqrb007248 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 08:12:52 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GFCqdq007247 for ietf-openpgp-bks; Mon, 16 Jun 2003 08:12:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GFCorb007227 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 08:12:51 -0700 (PDT) (envelope-from A.Back@exeter.ac.uk)
Received: from [144.173.6.20] (helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 4.14) id 19Rvf4-00Zk4I-Dy; Mon, 16 Jun 2003 16:12:46 +0100
Date: Mon, 16 Jun 2003 16:12:35 +0100
From: Adam Back <adam@cypherspace.org>
To: Derek Atkins <warlord@MIT.EDU>
Cc: Ian Brown <I.Brown@cs.ucl.ac.uk>, "'ietf-openpgp'" <ietf-openpgp@imc.org>, Adam Back <adam@cypherspace.org>
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Message-ID: <20030616161235.A11815740@exeter.ac.uk>
References: <008b01c3340c$9070cf70$39632352@happy> <sjmof0y3xx6.fsf@kikki.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <sjmof0y3xx6.fsf@kikki.mit.edu>; from warlord@MIT.EDU on Mon, Jun 16, 2003 at 10:21:57AM -0400
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

The format of your mail storage encryption is an orthogonal issue.  (If
you prefer it there is nothing stopping you protecting your mailbox as
a whole, or mails within it with pgp formats).  Just decrypt with the
communications private key and re-encrypt with the storage public key,
or symmetric key (it is after all a message to your self where public
key is not necessarily needed).

In this way you have separated the key management of storage keys vs
communications keys vs signing keys.  Storage keys and signing keys it
is usually convenient to have long lived.  Encryption keys it is more
secure to have short lived.  (Think forward secrecy.)

The fact that your storage key is necessarily long lived presents a
much lesser risk: to make use of storage decryption keys, the attacker
first has to seize your machine (or in your case ask the university /
ISP for the encrypted mailbox).  Encrypted emails on the other hand
can be eavesdropped by the ISP, hackers and law-enforcement.  There
are many people who use their PGP keys only on systems they control.

There are at least 3 different ways to achieve storage encryption:
store the mailbox in an encrypted filesystem (convenient on linux,
windows etc); decrypt and re-encrypt (with a storage key) each mail as
you read it storing the modified re-encrypted mail back in the
mailbox; find or patch a mail client to automatically work from PGP
(or otherwise) storage key encrypted mail box.


If on the other hand you rely on message encryption to protect your
mail, you have to retain the corresponding private key essentially
indefinitely which is a long term security risk.  Were the key you
have since 2.0 days compromised and someone were out to get you,
they'd get every mail you ever received since 91 or 92.  I'd argue
that this is a bad idea, but I guess it depends on your perceived
threats.  For me at least I intentionally revoked and deleted the
private key of my older key to achieve forward secrecy.  (First I had
to re-encrypt a few things encrypted with it).

Adam

On Mon, Jun 16, 2003 at 10:21:57AM -0400, Derek Atkins wrote:
> 
> Ian Brown <I.Brown@cs.ucl.ac.uk> writes:
> 
> > > You clearly don't archive your encrypted email...
> > 
> > Indeed -- I decrypt messages before saving them (and use separate
> > storage encryption to protect the mail store.) Nor do I save every
> > message sent and received (which I know some people do).
> 
> I've still got messages encrypted with PGP 2.0 sitting in my
> mail storage.  The pgp encryption is better than any disk
> encryption I could get -- especially considering that I don't
> maintain my disk storage or backups myself. ;)
> 
> The wonders of "distributed computing"...

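Added example (not code from this thread or from any OpenPGP implementation): the separation Adam describes, written in Go, with X25519 standing in as the short-lived communications subkey and AES-256-GCM as the cipher for both the wire layer and the storage layer. The wire format, the function names (NewCommsKey, Seal, Open, ReceiveAndArchive, RetireIfExpired, gcm), the passphrase-derived storage key and the sample message are this example's own assumptions. What it demonstrates is the forward-secrecy property in the message: once the communications private key is deleted, a copy of the ciphertext captured on the wire can no longer be opened by anyone, the former holder included, while the re-encrypted copy in the mail store still decrypts under the storage key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// must turns RNG and key-setup failures (fatal for this example) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CommsKey is a short-lived encryption subkey: an X25519 pair plus the time
// after which its holder deletes the private half. (Example's own type.)
type CommsKey struct {
	priv    *ecdh.PrivateKey
	Public  *ecdh.PublicKey
	Expires time.Time
}

func NewCommsKey(lifetime time.Duration, now time.Time) *CommsKey {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	return &CommsKey{priv: priv, Public: priv.PublicKey(), Expires: now.Add(lifetime)}
}

// RetireIfExpired deletes the private half once the key has expired. Wire
// ciphertext to this key is then unopenable by anyone, the holder included.
func (k *CommsKey) RetireIfExpired(now time.Time) bool {
	if now.Before(k.Expires) {
		return false
	}
	k.priv = nil
	return true
}

// gcm derives an AES-256-GCM AEAD from an ECDH shared secret or a raw key.
// SHA-256 stands in for a proper KDF here.
func gcm(secret []byte) cipher.AEAD {
	key := sha256.Sum256(secret)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// sealWith and openWith frame one AEAD layer as nonce || ciphertext.
func sealWith(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func openWith(aead cipher.AEAD, msg []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, msg[:n], msg[n:], nil)
}

// Seal encrypts to a communications public key. Wire format (this example's
// own): ephemeral X25519 public key (32 bytes) || nonce || ciphertext.
func Seal(recipient *ecdh.PublicKey, plaintext []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	aead := gcm(must(eph.ECDH(recipient)))
	return append(eph.PublicKey().Bytes(), sealWith(aead, plaintext)...)
}

// Open decrypts wire ciphertext with the communications private key.
func (k *CommsKey) Open(msg []byte) ([]byte, error) {
	if k.priv == nil {
		return nil, errors.New("communications private key has been deleted")
	}
	if len(msg) < 32 {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:32])
	if err != nil {
		return nil, err
	}
	shared, err := k.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return openWith(gcm(shared), msg[32:])
}

// ReceiveAndArchive: decrypt with the communications key, re-encrypt under
// the long-lived storage key, and keep only the storage-encrypted copy.
func ReceiveAndArchive(k *CommsKey, store cipher.AEAD, wire []byte) ([]byte, error) {
	pt, err := k.Open(wire)
	if err != nil {
		return nil, err
	}
	return sealWith(store, pt), nil
}

func main() {
	now := time.Now()
	store := gcm([]byte("constructed passphrase; real code would run a KDF")) // never leaves the machine
	k := NewCommsKey(7*24*time.Hour, now)                                      // one-week encryption subkey
	wire := Seal(k.Public, []byte("constructed sample: meet at noon"))        // an eavesdropper keeps this
	archived, _ := ReceiveAndArchive(k, store, wire)
	k.RetireIfExpired(now.Add(8 * 24 * time.Hour)) // a week later: delete the private half
	_, err := k.Open(wire)
	fmt.Println("captured wire ciphertext after key deletion:", err)
	pt, _ := openWith(store, archived)
	fmt.Println("archived copy under the storage key:", string(pt))
}
```

Running it prints the captured ciphertext failing after retirement and the archived copy decrypting. Derek's objection survives the example unchanged: whoever holds the mailbox backups holds the storage-encrypted copies, so the storage key is the only thing protecting them, and it must be at least as well guarded as the communications key it replaced.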

Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GEMCrb004935 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 07:22:12 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GEMCsf004934 for ietf-openpgp-bks; Mon, 16 Jun 2003 07:22:12 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GEMArb004926 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 07:22:11 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h5GEM5bu012975; Mon, 16 Jun 2003 10:22:05 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5GEM4qA008041; Mon, 16 Jun 2003 10:22:04 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h5GELvFJ009655; Mon, 16 Jun 2003 10:22:04 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id KAA12999; Mon, 16 Jun 2003 10:21:57 -0400 (EDT)
To: Ian Brown <I.Brown@cs.ucl.ac.uk>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>, "'ietf-openpgp'" <ietf-openpgp@imc.org>
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
References: <008b01c3340c$9070cf70$39632352@happy>
From: Derek Atkins <warlord@MIT.EDU>
Date: 16 Jun 2003 10:21:57 -0400
In-Reply-To: <008b01c3340c$9070cf70$39632352@happy>
Message-ID: <sjmof0y3xx6.fsf@kikki.mit.edu>
Lines: 22
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Ian Brown <I.Brown@cs.ucl.ac.uk> writes:

> > You clearly don't archive your encrypted email...
> 
> Indeed -- I decrypt messages before saving them (and use separate
> storage encryption to protect the mail store.) Nor do I save every
> message sent and received (which I know some people do).

I've still got messages encrypted with PGP 2.0 sitting in my
mail storage.  The pgp encryption is better than any disk
encryption I could get -- especially considering that I don't
maintain my disk storage or backups myself. ;)

The wonders of "distributed computing"...

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDvurb001169 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:57:56 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GDvuJP001168 for ietf-openpgp-bks; Mon, 16 Jun 2003 06:57:56 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDvrrb001160 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:57:54 -0700 (PDT) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian)) id 19RuOw-0000Qu-00 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 15:52:02 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian)) id 19RuVQ-0001ES-00; Mon, 16 Jun 2003 15:58:44 +0200
To: "Imad R. Faiad" <matic@cyberia.net.lb>
Cc: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys
References: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com> <003901c333df$d2b95230$39632352@happy> <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Mon, 16 Jun 2003 15:58:40 +0200
In-Reply-To: <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com> (Imad R. Faiad's message of "Mon, 16 Jun 2003 14:30:08 +0200")
Message-ID: <87adcit97z.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, 16 Jun 2003 14:30:08 +0200, Imad R Faiad said:

> Let me add, and no offence of course, from the fact that you are
> relegating those short-lifetime signing sub keys to a less secure
> environment, I infer that you have no confidence in them, so how

There is a huge difference in chances to get compromised between a
networked and daily used box and a non-networked box somewhere else
used only for certification.  You can't remotely attack that
certification box as long as you take simple precautions like
transferring the data on a floppy etc.

All software has bugs and there are almost always known or not yet
known exploits.  Cutting the connection between a possible attacker by
manually transferring data is a sound precaution against most exploits
- it would be a bit annoying for the bulk of everyday work, though.


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDcdrb099848 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:38:39 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GDcd2b099847 for ietf-openpgp-bks; Mon, 16 Jun 2003 06:38:39 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h5GDccrb099841 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:38:38 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.10353-0@bells.cs.ucl.ac.uk>; Mon, 16 Jun 2003 14:38:25 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Derek Atkins'" <warlord@MIT.EDU>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>, "'ietf-openpgp'" <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 14:38:25 +0100
Message-ID: <008b01c3340c$9070cf70$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <sjm1xxu5ett.fsf@kikki.mit.edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> You clearly don't archive your encrypted email...

Indeed -- I decrypt messages before saving them (and use separate
storage encryption to protect the mail store.) Nor do I save every
message sent and received (which I know some people do).




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDVZrb099678 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:31:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GDVZBt099677 for ietf-openpgp-bks; Mon, 16 Jun 2003 06:31:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDVXrb099672 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:31:34 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by pacific-carrier-annex.mit.edu (8.12.4/8.9.2) with ESMTP id h5GDVSbu027513; Mon, 16 Jun 2003 09:31:28 -0400 (EDT)
Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) by central-city-carrier-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5GDVR8S011123; Mon, 16 Jun 2003 09:31:27 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by melbourne-city-street.mit.edu (8.12.4/8.12.4) with ESMTP id h5GDVQU8011893; Mon, 16 Jun 2003 09:31:26 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id JAA12913; Mon, 16 Jun 2003 09:31:26 -0400 (EDT)
To: Ian Brown <I.Brown@cs.ucl.ac.uk>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
References: <003901c333df$d2b95230$39632352@happy>
From: Derek Atkins <warlord@MIT.EDU>
Date: 16 Jun 2003 09:31:26 -0400
In-Reply-To: <003901c333df$d2b95230$39632352@happy>
Message-ID: <sjm1xxu5ett.fsf@kikki.mit.edu>
Lines: 17
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Ian Brown <I.Brown@cs.ucl.ac.uk> writes:

> Another "eccentricity" I am fond of is short-lifetime encryption subkeys
> that can be deleted once they have expired, reducing the impact of the
> above-mentioned key seizure powers. I currently (manually) generate such
> keys valid for one month; if I ever got round to automating this, I
> would go for a week or less...
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA127BBD5

You clearly don't archive your encrypted email...

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDRbrb099444 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 06:27:37 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GDRbXw099443 for ietf-openpgp-bks; Mon, 16 Jun 2003 06:27:37 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail1.wiktel.com (mail1.wiktel.com [204.221.145.7]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GDRZrb099438 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 06:27:36 -0700 (PDT) (envelope-from rlaager@wiktel.com)
Received: from NB1131 (unverified [206.9.80.4]) by wiktel.com (Rockliffe SMTPRA 5.3.4) with ESMTP id <B0001131360@mail1.wiktel.com>; Mon, 16 Jun 2003 08:27:41 -0500
From: "Richard Laager" <rlaager@wiktel.com>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>
Cc: <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 08:27:40 -0500
Organization: Wikstrom Telecom Internet
Message-ID: <000601c3340b$0fc81000$b3000a0a@umcrookston.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
In-Reply-To: <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Let me add, and no offence of course, from the fact that you are
> relegating those short-lifetime signing sub keys to a less secure
> environment, I infer that you have no confidence in them, so how
> do you expect others to trust such keys, or signatures generated
> by them for that matter?  You might as well not sign at all.

Less secure = less confidence != no confidence. Here's an example
(fictional, but this is what I would do if I could):

I store my long term primary key on a floppy. When I need the primary key
(to create a new subkey or to sign another key), I do that signing on a
secure stand-alone workstation. When I'm not using that floppy, I store the
key off-site in a safe-deposit box. The less secure subkeys are stored on a
laptop. Now, I believe my laptop is secure, but it's subject to theft. If
it's stolen, I can simply revoke that signing subkey. Now, what happens if
I leave for a lunch break and someone steals my signing subkey? If I notice
it, I can revoke the subkey. By having short-term subkeys, I can limit the
number of legitimate signatures that are invalidated by this. Also, if the
subkey expires in a week or month, the attacker will have to repeat the
subkey theft. This increases their chances of getting caught.

This is no worse than people who keep their primary key on said laptop and
use it for signing. It's quite obviously more secure.

Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPu3Fym31OrleHxvOEQJI1gCgseinuSwV8uDA3hYuQiVOmKT8VXcAoObj
ddCi+kWnU3Z6TvvsOBeZrmB9
=KM1m
-----END PGP SIGNATURE-----

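Added example (not code from this thread or from PGP): Richard's arrangement in Go, with Ed25519 standing in for whichever algorithm the keys actually use. The certification encoding, the Revocations map, and the function names (Certify, SignWithSubkey, Verify, NewKeyPair) are this example's own assumptions, not OpenPGP packet syntax. It shows the chain a verifier walks: message signature, then a certification signed by the offline primary key that carries its own validity window, so an expired subkey stops verifying by itself and a stolen one can be revoked without touching the primary key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SubkeyCert is the primary key's signed statement that Subkey is its signing
// subkey between NotBefore and NotAfter. The encoding is this example's own.
type SubkeyCert struct {
	Subkey    ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	Sig       []byte // primary-key signature over certBytes
}

func certBytes(sub ed25519.PublicKey, notBefore, notAfter time.Time) []byte {
	b := append([]byte("subkey-cert-v1"), sub...)
	b = binary.BigEndian.AppendUint64(b, uint64(notBefore.Unix()))
	return binary.BigEndian.AppendUint64(b, uint64(notAfter.Unix()))
}

// NewKeyPair wraps ed25519.GenerateKey; RNG failure is fatal for the demo.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Certify runs on the offline machine that holds the primary private key.
func Certify(primary ed25519.PrivateKey, sub ed25519.PublicKey, from time.Time, lifetime time.Duration) SubkeyCert {
	until := from.Add(lifetime)
	return SubkeyCert{Subkey: sub, NotBefore: from, NotAfter: until,
		Sig: ed25519.Sign(primary, certBytes(sub, from, until))}
}

// Revocations lists subkeys the holder has withdrawn (e.g. after a laptop
// theft). A real revocation would itself be signed by the primary key.
type Revocations map[string]bool

// SignedMessage is produced on the day-to-day laptop with the subkey and
// carries the certification so a verifier can chain it to the primary key.
type SignedMessage struct {
	Cert SubkeyCert
	Body []byte
	Sig  []byte
}

func SignWithSubkey(cert SubkeyCert, sub ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Cert: cert, Body: body, Sig: ed25519.Sign(sub, body)}
}

// Verify checks, as of now: the certification is from the primary key, is
// within its validity window and not revoked, and the body signature holds.
func Verify(primary ed25519.PublicKey, revoked Revocations, m SignedMessage, now time.Time) error {
	c := m.Cert
	if !ed25519.Verify(primary, certBytes(c.Subkey, c.NotBefore, c.NotAfter), c.Sig) {
		return errors.New("subkey certification was not signed by the primary key")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return errors.New("subkey certification is outside its validity period")
	}
	if revoked[string(c.Subkey)] {
		return errors.New("subkey has been revoked")
	}
	if !ed25519.Verify(c.Subkey, m.Body, m.Sig) {
		return errors.New("message signature does not verify under the subkey")
	}
	return nil
}

func main() {
	primaryPub, primaryPriv := NewKeyPair() // lives on the offline box
	subPub, subPriv := NewKeyPair()         // lives on the laptop
	issued := time.Date(2003, 6, 16, 0, 0, 0, 0, time.UTC)
	cert := Certify(primaryPriv, subPub, issued, 7*24*time.Hour) // one-week subkey
	msg := SignWithSubkey(cert, subPriv, []byte("constructed sample message"))

	fmt.Println("during validity: ", Verify(primaryPub, Revocations{}, msg, issued.Add(48*time.Hour)))
	fmt.Println("after expiry:    ", Verify(primaryPub, Revocations{}, msg, issued.Add(30*24*time.Hour)))
	stolen := Revocations{string(subPub): true} // laptop stolen: revoke the subkey only
	fmt.Println("after revocation:", Verify(primaryPub, stolen, msg, issued.Add(48*time.Hour)))

	// A thief holding the laptop but not the offline primary key cannot mint
	// a fresh subkey certification, so a forged chain is rejected outright.
	thiefPub, thiefPriv := NewKeyPair()
	forged := SignWithSubkey(Certify(thiefPriv, thiefPub, issued, 7*24*time.Hour), thiefPriv, []byte("x"))
	fmt.Println("forged cert:     ", Verify(primaryPub, Revocations{}, forged, issued.Add(time.Hour)))
}
```

The last case in main is why the thief gets little from the laptop alone: without the primary private key there is no way to certify a replacement subkey, so a chain ending in the thief's key fails before the body signature is even examined. The example also makes the cost Richard mentions visible: a revocation here invalidates every signature the subkey ever made, which is exactly the reason to keep the window short.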


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GCZPrb096274 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 05:35:25 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GCZO4m096273 for ietf-openpgp-bks; Mon, 16 Jun 2003 05:35:24 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h5GCZNrb096268 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 05:35:23 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.03625-0@bells.cs.ucl.ac.uk>; Mon, 16 Jun 2003 13:35:21 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 13:35:21 +0100
Message-ID: <006201c33403$c11263e0$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <b7drevs4q4hdo8oeku89gki1o2rsab6qo0@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

> If you are so paranoid, why don't you keep all your PGP keys
> in a "more secure offline machine" and use PGP solely on it? 

Because for the vast majority of messages that I send, the increased
security would not be worth the extra effort. Whereas the compromise of
a key used to certify other keys has a much greater effect, and so to
many people it would.

> Should you have a need for shorter-lifetime signing keys, 
> just generate master keys explicitly for that purpose.

The point of the master key/subkey structure is that you shouldn't have
to do this, with the Web of Trust complications it introduces -- as
Werner said.

> If indeed you have such needs, there is nothing to preclude 
> from generating two distinct keys, one for signing and the 
> other for encryption.

Nor is there anything to preclude me using the existing master
key/subkey structure to do this.

> Let me add, and no offence of course, from the fact that you 
> are relegating those short-lifetime signing sub keys to a 
> less secure environment, I infer that you have no confidence 
> in them,

Confidence is not a binary issue. I trust the environment they are used
in less; therefore I would give them a shorter lifetime, so that their
compromise would have a smaller impact.

Ian.




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBmkrb095027 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 04:48:46 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GBmkIr095026 for ietf-openpgp-bks; Mon, 16 Jun 2003 04:48:46 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBmirb095021 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 04:48:45 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-14-93.cyberia.net.lb ([195.112.197.159]) by sand.cyberia.net.lb with SMTP id <20030616114419.MIDN3447.sand@ppp-14-93.cyberia.net.lb> for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 14:44:19 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 14:30:08 +0200
Message-ID: <1kdrevo6nqm19h8fdcc1bd0ag6gle92jj1@4ax.com>
References: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com> <003901c333df$d2b95230$39632352@happy>
In-Reply-To: <003901c333df$d2b95230$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GBmjrb095022
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Ian,

On Mon, 16 Jun 2003 09:18:09 +0100, you wrote:

>Imad R. Faiad wrote:
>> I would like to propose that signing sub keys be disallowed 
>> in OpenPGP.
>
>This would stop people keeping their master signing key on a more secure
>offline machine, and using it to sign shorter-lifetime signing subkeys
>which can be used on a day-to-day basis to sign messages :(
>
Let me add, and no offence of course, from the fact that you are
relegating those short-lifetime signing sub keys to a less secure
environment, I infer that you have no confidence in them, so how
do you expect others to trust such keys, or signatures generated
by them for that matter?  You might as well not sign at all.

my 2c

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPu24HrzDFxiDPxutAQKFHQf9GdGwv8ghOX5v1vNjLQqfA+k31m1POKu9
v65xCLzscw7tkkdtlshecypvSFnAtpgx3ih/XCWkpic00wwOcqN7paqi/LNSsJLS
tju/1OTSLhL47MDJND1XK8CoGo4cv0id70y9Uo344BoR6Z7pQStLzkK7wTA9yeQb
KEWQu75H/HUnARCpmjVcjpcasqeYqEnyowra9T5xIElEC1KSyAkqE2cbN+UTvLoa
Nz3BPQb9k2ZMD6GslzpHx3yS4S2dpEmd8isu6bTksjljF9g2g4iK1W/1idM3gdAx
sBb1ZHAbjt+7kucya4aDgJnf5O6PdtaKR3o5hUF5W5jgyx4lIQuAfQ==
=AIA0
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBeZrb094436 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 04:40:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5GBeZgm094435 for ietf-openpgp-bks; Mon, 16 Jun 2003 04:40:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb ([195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5GBeXrb094398 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 04:40:34 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-14-93.cyberia.net.lb ([195.112.197.159]) by sand.cyberia.net.lb with SMTP id <20030616113453.MHUS3447.sand@ppp-14-93.cyberia.net.lb> for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 14:34:53 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 14:20:42 +0200
Message-ID: <b7drevs4q4hdo8oeku89gki1o2rsab6qo0@4ax.com>
References: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com> <003901c333df$d2b95230$39632352@happy>
In-Reply-To: <003901c333df$d2b95230$39632352@happy>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5GBeYrb094431
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

On Mon, 16 Jun 2003 09:18:09 +0100, you wrote:

>Imad R. Faiad wrote:
>> I would like to propose that signing sub keys be disallowed 
>> in OpenPGP.
>
>This would stop people keeping their master signing key on a more secure
>offline machine, and using it to sign shorter-lifetime signing subkeys
>which can be used on a day-to-day basis to sign messages :(
>
If you are so paranoid, why don't you keep all your PGP keys
in a "more secure offline machine" and use PGP solely on it?
Should you have a need for shorter-lifetime signing keys,
just generate master keys explicitly for that purpose.
>> As I understand it, sub keys are only justified in the following
>> circumstances:-
>> 1) When the public key algorithm does not support encryption 
>> (e.g. DSA).
>> 2) In agreement with a school of thought, which recommends that
>>    it is good practice not to use the same key for signing and
>>    encryption.
>
>(2) is vital in countries where decryption but not signature keys can be
>seized by law enforcement agencies and others:
>http://www.acsac.org/2000/papers/47.pdf
>
If indeed you have such needs, there is nothing to preclude you from generating
two distinct keys, one for signing and the other for encryption.
>> Any other arguments beyond the above, are just 
>> eccentricities, and will be better addressed by creating another key.
>
>Another "eccentricity" I am fond of is short-lifetime encryption subkeys
>that can be deleted once they have expired, reducing the impact of the
>above-mentioned key seizure powers. I currently (manually) generate such
>keys valid for one month; if I ever got round to automating this, I
>would go for a week or less...
>http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA127BBD5
>
I think there is a very serious flaw in the OpenPGP WOT when
it comes to v4 keys, sub keys literally have blown a hole in it,
and created a nice backdoor resulting in what I call a Web of Mistrust...

Whatever one feels about sub keys, I think that this WOT
issue ought to be addressed.

my 2c

Best Regards

Imad R. Faiad


-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPu2zebzDFxiDPxutAQIQngf9GB9yLk1k1MzwdFUWQe31MlTeVyO24pQh
VXzKv4OGOsswa2eKJzSnCfNVapHEjKIWKeqaAQVifEP6Ifk6yav6lzxT9PlwWNn7
abmUmfuWK9oybzl/eknCiZ6BjwNIlhLwawrVMlSpSWpDoAWstIMzehi4egi85w7f
Ytmi9VCqxG+KfLyf0rwWygSpO/N1N/HKevLlx3tpr6HTXeRh+5TIa2n3G9P9hAKr
ZL8Fs4g++YWqju3YA4f8/c7nfPGqSd69JsgvXkhfPJ/Hm8rG3rMCaRkuQxaDCIUk
ut4zypqmjK2PXnAah7HC8INX9Fq2mlR36ymB0Um6C13Qo3fX1hujNw==
=wTgt
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G9vxrb088361 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 02:57:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5G9vw7R088360 for ietf-openpgp-bks; Mon, 16 Jun 2003 02:57:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G9vurb088355 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 02:57:57 -0700 (PDT) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 3.35 #1 (Debian)) id 19Rqed-0006hS-00 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 11:51:59 +0200
Received: from wk by alberti.g10code.de with local (Exim 3.36 #1 (Debian)) id 19Rqii-0000Jy-00; Mon, 16 Jun 2003 11:56:12 +0200
To: Ian Brown <I.Brown@cs.ucl.ac.uk>
Cc: "'Imad R. Faiad'" <matic@cyberia.net.lb>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: Re: OpenPGP Sub Keys
References: <003901c333df$d2b95230$39632352@happy>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Mon, 16 Jun 2003 11:56:08 +0200
In-Reply-To: <003901c333df$d2b95230$39632352@happy> (Ian Brown's message of "Mon, 16 Jun 2003 09:18:09 +0100")
Message-ID: <87vfv6tkg7.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, 16 Jun 2003 09:18:09 +0100, Ian Brown said:

> This would stop people keeping their master signing key on a more secure
> offline machine, and using it to sign shorter-lifetime signing subkeys
> which can be used on a day-to-day basis to sign messages :(

That is exactly what I would like to do.  Today I still use a separate
certification key but it is a problem WoT wise and annoying to tell
people how to send me encrypted mail, because they usually have
problems with the sign-only certification key.


-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org



Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G8IIrb076772 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 01:18:18 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5G8IIWj076771 for ietf-openpgp-bks; Mon, 16 Jun 2003 01:18:18 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from bells.cs.ucl.ac.uk (bells.cs.ucl.ac.uk [128.16.5.31]) by above.proper.com (8.12.9/8.12.8) with SMTP id h5G8IGrb076763 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 01:18:17 -0700 (PDT) (envelope-from I.Brown@cs.ucl.ac.uk)
Received: from 82-35-99-57.cable.ubr05.dals.blueyonder.co.uk  by bells.cs.ucl.ac.uk with UK SMTP id <g.08100-0@bells.cs.ucl.ac.uk>; Mon, 16 Jun 2003 09:18:12 +0100
From: Ian Brown <I.Brown@cs.ucl.ac.uk>
To: "'Imad R. Faiad'" <matic@cyberia.net.lb>, ietf-openpgp <ietf-openpgp@imc.org>
Subject: RE: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 09:18:09 +0100
Message-ID: <003901c333df$d2b95230$39632352@happy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5G8IHrb076766
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Imad R. Faiad wrote:
> I would like to propose that signing sub keys be disallowed 
> in OpenPGP.

This would stop people keeping their master signing key on a more secure
offline machine, and using it to sign shorter-lifetime signing subkeys
which can be used on a day-to-day basis to sign messages :(

> As I understand it, sub keys are only justified in the following
> circumstances:-
> 1) When the public key algorithm does not support encryption 
> (e.g. DSA).
> 2) In agreement with a school of thought, which recommends that
>    it is good practice not to use the same key for signing and
>    encryption.

(2) is vital in countries where decryption but not signature keys can be
seized by law enforcement agencies and others:
http://www.acsac.org/2000/papers/47.pdf

> Any other arguments beyond the above, are just 
> eccentricities, and will be better addressed by creating another key.

Another "eccentricity" I am fond of is short-lifetime encryption subkeys
that can be deleted once they have expired, reducing the impact of the
above-mentioned key seizure powers. I currently (manually) generate such
keys valid for one month; if I ever got round to automating this, I
would go for a week or less...
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA127BBD5





Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G7efrb068305 for <ietf-openpgp-bks@above.proper.com>; Mon, 16 Jun 2003 00:40:41 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5G7ef02068304 for ietf-openpgp-bks; Mon, 16 Jun 2003 00:40:41 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sand.cyberia.net.lb (sand.cyberia.net.lb [195.112.195.68]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5G7ecrb068257 for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 00:40:39 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from ppp-08-25.cyberia.net.lb ([195.112.205.26]) by sand.cyberia.net.lb with SMTP id <20030616073607.LXSZ3447.sand@ppp-08-25.cyberia.net.lb> for <ietf-openpgp@imc.org>; Mon, 16 Jun 2003 10:36:07 +0300
From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: OpenPGP Sub Keys (Was: key flag for authentication)
Date: Mon, 16 Jun 2003 10:21:57 +0200
Message-ID: <eavqev84fi5430nhpel9ae41kl9rhvq694@4ax.com>
References: <87ptlrtxa5.fsf@alberti.g10code.de>
In-Reply-To: <87ptlrtxa5.fsf@alberti.g10code.de>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id h5G7eerb068297
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 06 Jun 2003 10:39:30 +0200, you wrote:

>
>Hi!
>
>I know that we are short of releasing a new RFC and bis-08 looks
>really good.  Due to the project I am currently working on I'd like to
>suggest a small enhancement:
>
> 5.2.3.21. Key Flags
>
>     [...]   
>
>     0x20 - This key may be used for authentication.
>
>Usage notes are not necessary and it should be left to an
>implementation on how to handle this key flag.
>
>There are drafts and actual implementations to use OpenPGP keys with
>TLS and ssh.  Thus, having a subkey specially for this purpose seems
>to be a good idea.  A key with key flag 0x02 (sign data) could be used
>for authentication too but this has the problem than there would be no
>easy way to select the appropriate subkey for data signing or
>authentication purposes.  As a workaround an implementation could use
>notation data but this would be implementation dependent and a kind of
>hack.
>
>What do you think?
>
Hello Werner,

This is what I think:-

Why not just create a key dedicated for the purposes of TLS or SSH.

I would like to propose that signing sub keys be disallowed in OpenPGP.

While an encryption key concerns the key holder, a signing key is
of concern to others.  PGP users identify keys and publicize theirs
by the master key ID and fingerprint.  These are also the primary keys
used by key servers.

As I understand it, sub keys are only justified in the following
circumstances:-
1) When the public key algorithm does not support encryption (e.g. DSA).
2) In agreement with a school of thought, which recommends that
   it is good practice not to use the same key for signing and
   encryption.

Any other arguments beyond the above, are just eccentricities,
and will be better addressed by creating another key.

Therefore, for the sake of simplicity, please permit me to propose
that an OpenPGP key be a Master Key of an OpenPGP public key algorithm
suitable for signing, and ONE optional encryption sub key of an
OpenPGP public key algorithm suitable for encryption PERIOD.

It is evident that sub keys seem to be evolving beyond their
intended use.  Let's clean up that mess before it is too late.

What do you think?
>
>  Werner

Best Regards

Imad R. Faiad

-----BEGIN PGP SIGNATURE-----
Version: 8.0.2irf
Comment: KeyID: 0xBCC31718833F1BAD
Comment: Fingerprint: 75CD 96A7 8ABB F87E  9390 5FD7 2A88 4F45

iQEVAwUBPu19vrzDFxiDPxutAQJ7rQf/Z085Fotrl/uroZ80pO/OwAHZ3fcABG06
azvmdXfnW1Z7/fWfV7vHixzzLaUdXhFEm9m+Nj0XTSQ7a5QU8M0hZQJNRiv3cSbb
QWWDN93AHUkdZLUXClcNfBy+ipUpwWbutMDMNuhKOEOSwMDH/+db2DfF+++ixpqa
PeAEEdKU7UtteaD6gpqfiCvJsU9gda8XKA65m0/9BF1RngX/OBV4rkkb98EVE5IH
RiQI+tXl8WECAi0wQw0y7dLixlIpBase78KXN6LFGLt0I4ojD4URUX6XE6Afz8Ko
5mpYFkTJkdoobbGoNFbA1c7op76ixKNnbgsq4oDZ+5n2C2TyTpij6g==
=efDu
-----END PGP SIGNATURE-----




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FLBGrb035118 for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 14:11:16 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5FLBGGv035117 for ietf-openpgp-bks; Sun, 15 Jun 2003 14:11:16 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FLBFrb035108 for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 14:11:15 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5FLBCb10813 for ietf-openpgp@imc.org; Sun, 15 Jun 2003 17:11:12 -0400
Date: Sun, 15 Jun 2003 17:11:11 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
Message-ID: <20030615211111.GA7586@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <87ptlrtxa5.fsf@alberti.g10code.de> <200306151208.42675@fortytwo.ch> <20030615131946.GE28548@jabberwocky.com> <003901c33356$4e3e0fc0$c23fa8c0@transarc.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <003901c33356$4e3e0fc0$c23fa8c0@transarc.ibm.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (98% of Full)
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Jun 15, 2003 at 11:53:44AM -0400, Michael Young wrote:

> But, new flags can be structured to disambiguate new revisions
> from old.  For example, here we can add two bits:
>        0x20 - This key may be used for authentication.
>        0x40 - (Bit 0x20 is explicitly set.)
> Old signatures would have a zero in 0x40, so a new application
> can apply its own default (rather than having one imposed by
> the specification).  New signatures that actively decide on the
> value for the 0x20 bit must set 0x40.  (A new signer could also
> choose to accept the viewer's default by leaving 0x40 zero.)

I don't think this is really necessary.  The lack of a given flag
being set doesn't necessarily mean that the key *isn't* used for the
respective action.  The draft even uses the phrase "...stating a
preference...".

If anyone cares enough, they can certainly re-issue the signature with
the flag set.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7ODv4mZch0nhy8kRAjvYAJ9JLGOSm0IBYq8sOQks5UGpRLBJYACgg2VF
CPgCU3u+sVAk9/AoIoC8L88=
=ex0m
-----END PGP SIGNATURE-----


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFtArb022015 for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 08:55:10 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5FFtASt022014 for ietf-openpgp-bks; Sun, 15 Jun 2003 08:55:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mta6.adelphia.net (mta6.adelphia.net [64.8.50.190] (may be forged)) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFt8rb022009 for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 08:55:09 -0700 (PDT) (envelope-from mwy-opgp97@the-youngs.org)
Received: from mwyoung ([68.168.179.202]) by mta6.adelphia.net (InterMail vM.5.01.05.32 201-253-122-126-132-20030307) with SMTP id <20030615155454.BJMJ1347.mta6.adelphia.net@mwyoung> for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 11:54:54 -0400
Message-ID: <003901c33356$4e3e0fc0$c23fa8c0@transarc.ibm.com>
From: "Michael Young" <mwy-opgp97@the-youngs.org>
To: <ietf-openpgp@imc.org>
References: <87ptlrtxa5.fsf@alberti.g10code.de> <200306151208.42675@fortytwo.ch> <20030615131946.GE28548@jabberwocky.com>
Subject: Re: key flag for authentication
Date: Sun, 15 Jun 2003 11:53:44 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This discussion raises another concern I've had regarding new flags.

The description (in draft 7, anyway) reads:
>    This subpacket contains a list of binary flags that hold information
>    about a key. It is a string of octets, and an implementation MUST
>    NOT assume a fixed size. This is so it can grow over time. If a list
>    is shorter than an implementation expects, the unstated flags are
>    considered to be zero.
...

In fact, the list of flags can grow *without* increasing the length.
We're contemplating adding new flags to the first octet.

I think it's inappropriate to change the meaning of an old signature
by adding flags to the specification.

Here, we're considering adding exactly one bit:
>      0x20 - This key may be used for authentication.

An old signature didn't contemplate the meaning of this bit.
The key might be intended for authentication; it might not.
New software that looks at this bit can't tell whether: the
signer explicitly chose not to allow authentication; or, the
signer was using an old revision of the specification.

But, new flags can be structured to disambiguate new revisions
from old.  For example, here we can add two bits:
       0x20 - This key may be used for authentication.
       0x40 - (Bit 0x20 is explicitly set.)
Old signatures would have a zero in 0x40, so a new application
can apply its own default (rather than having one imposed by
the specification).  New signatures that actively decide on the
value for the 0x20 bit must set 0x40.  (A new signer could also
choose to accept the viewer's default by leaving 0x40 zero.)

I don't know whether this is the right time to start adopting this
sort of policy for new flags -- do implementations make use of
the existing key flags already?  If they do, then I strongly
encourage including disambiguation for new flags.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBPuyWWOc3iHYL8FknEQJvRwCfQjcFuBDOGOeEX86hqtsXSea1pbsAoJH5
I/n8ZbzEHQnJpqme/AKOwVMo
=XT3/
-----END PGP SIGNATURE-----
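
Werner's 0x20 proposal, Michael Young's 0x40 disambiguation bit and the earlier subkey exchange (Ian Brown's short-lived subkeys, Werner's complaint that there is no easy way to pick the right subkey for signing versus authentication) all rest on the same mechanics: how a Key Flags subpacket is encoded, how a reader must treat flags it was never told about, and how an implementation then chooses a subkey for a given purpose. The Python below is an added example written for this archive; it is not code from GnuPG, PGP or any message in the thread. Assumptions: the subpacket length and type layout is that of OpenPGP signature subpackets; the 0x20 bit is Werner's proposal (later adopted in RFC 4880); the 0x40 bit and the fallback policy for signatures that predate 0x20 are Michael Young's idea as illustrated here and are not defined by any RFC; the keyring, key ids and timestamps are constructed.

```python
"""Key Flags subpacket (OpenPGP signature subpacket type 27): encode, parse
under the "unstated flags are zero" rule, and pick a subkey by capability.
Added example for this thread, not code from any OpenPGP implementation."""

KEY_FLAGS = 27  # subpacket type

# First-octet bits. 0x20 is the authentication flag Werner proposed (later
# adopted in RFC 4880). 0x40 is Michael Young's suggested "0x20 was set on
# purpose" bit: hypothetical here, never part of any RFC.
FLAG_CERTIFY = 0x01
FLAG_SIGN = 0x02
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08
FLAG_AUTH = 0x20
FLAG_AUTH_EXPLICIT = 0x40


def encode_subpacket(sp_type, body):
    """length (covers type octet + body, OpenPGP 1/2/5-octet form), type, body."""
    n = len(body) + 1
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + n.to_bytes(4, "big")
    return hdr + bytes([sp_type]) + body


def parse_subpackets(data):
    """Return [(type, body), ...] for a subpacket area; bit 7 of the type
    octet (the 'critical' bit) is masked off."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        i += 1
        if first < 192:
            n = first
        elif first < 255:
            n = ((first - 192) << 8) + data[i] + 192
            i += 1
        else:
            n = int.from_bytes(data[i:i + 4], "big")
            i += 4
        if n == 0 or i + n > len(data):
            raise ValueError("truncated or zero-length subpacket")
        out.append((data[i] & 0x7F, bytes(data[i + 1:i + n])))
        i += n
    return out


def key_flags_octet(body):
    """First octet of a Key Flags body. The body has no fixed size and
    unstated flags are zero, so an empty body reads as 0, not as an error."""
    return body[0] if body else 0


def has_capability(flags, cap, default_auth_ok=False):
    """For everything but FLAG_AUTH the bit is the answer. For FLAG_AUTH:
    0x40 set, or 0x20 set -> the signer decided; honour 0x20 as given.
    Neither set -> the signature may predate the flag, so apply the
    verifier's own default (here: accept a sign-capable key if asked to).
    That default is this example's policy, not something the spec fixes."""
    if cap != FLAG_AUTH:
        return bool(flags & cap)
    if flags & (FLAG_AUTH_EXPLICIT | FLAG_AUTH):
        return bool(flags & FLAG_AUTH)
    return default_auth_ok and bool(flags & FLAG_SIGN)


def select_subkey(keys, cap, now, default_auth_ok=False):
    """Newest live key covering `cap`, or None. Short-lived subkeys simply
    stop being selected once `expires` passes; nothing has to be deleted
    for the caller to stop using them."""
    live = [k for k in keys
            if not k.get("revoked")
            and (k["expires"] is None or now < k["expires"])
            and has_capability(k["flags"], cap, default_auth_ok)]
    return max(live, key=lambda k: k["created"], default=None)


# Constructed keyring: ids and timestamps are illustrative, not real keys.
SAMPLE_KEYS = [
    {"keyid": "primary", "flags": FLAG_CERTIFY | FLAG_SIGN, "created": 1000, "expires": None},
    {"keyid": "sign-old", "flags": FLAG_SIGN, "created": 1500, "expires": None},
    {"keyid": "enc-1mo", "flags": FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE, "created": 2000, "expires": 5000},
    {"keyid": "auth", "flags": FLAG_AUTH | FLAG_AUTH_EXPLICIT, "created": 3000, "expires": 4000},
]


def demo(now=3500):
    """Round-trip the auth subkey's flags through a real subpacket, then
    resolve each purpose against the sample keyring at time `now`."""
    (sp_type, body), = parse_subpackets(encode_subpacket(KEY_FLAGS, bytes([SAMPLE_KEYS[3]["flags"]])))
    pick = lambda cap: (select_subkey(SAMPLE_KEYS, cap, now) or {}).get("keyid")
    return {"type": sp_type, "flags": key_flags_octet(body),
            "auth": pick(FLAG_AUTH), "sign": pick(FLAG_SIGN), "encrypt": pick(FLAG_ENCRYPT_COMMS)}
```

Two things worth noticing when running it: select_subkey(SAMPLE_KEYS, FLAG_AUTH, 4500) returns None once the auth subkey has expired, and only with default_auth_ok=True does it fall back to the newest sign-only key, which is the verifier-side default Michael Young wants left open rather than imposed by the specification. A flags octet of 0x40 alone (explicit bit set, 0x20 clear) is the one case the plain 0x20 scheme cannot express: "this key is deliberately not for authentication".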




Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFTYrb021608 for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 08:29:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5FFTYqe021607 for ietf-openpgp-bks; Sun, 15 Jun 2003 08:29:34 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FFTWrb021602 for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 08:29:33 -0700 (PDT) (envelope-from warlord@MIT.EDU)
Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5FFTXFm018740; Sun, 15 Jun 2003 11:29:33 -0400 (EDT)
Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by grand-central-station.mit.edu (8.12.4/8.9.2) with ESMTP id h5FFTWmv028944; Sun, 15 Jun 2003 11:29:32 -0400 (EDT)
Received: from kikki.mit.edu (KIKKI.MIT.EDU [18.18.1.142]) ) by manawatu-mail-centre.mit.edu (8.12.4/8.12.4) with ESMTP id h5FFTVFJ023668; Sun, 15 Jun 2003 11:29:31 -0400 (EDT)
Received: (from warlord@localhost) by kikki.mit.edu (8.9.3p2) id LAA07996; Sun, 15 Jun 2003 11:29:31 -0400 (EDT)
To: Mauricio Junqueira <mau.go@terra.com.br>
Cc: <ietf-openpgp@imc.org>
From: Derek Atkins <derek@ihtfp.com>
Subject: Re: Using all zeros for IV means that..
References: <BB10B84A.40F%mau.go@terra.com.br>
Date: 15 Jun 2003 11:29:31 -0400
In-Reply-To: <BB10B84A.40F%mau.go@terra.com.br>
Message-ID: <sjm8ys3z7dw.fsf@kikki.mit.edu>
Lines: 62
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi,

first, this is probably not the appropriate forum for
general cryptographic help (unless of course you
are looking for a security consultant to come help
you, in which case you can look at my personal website
and retain my services ;)

Having said that....

Mauricio Junqueira <mau.go@terra.com.br> writes:

> .. a cipher text encoded in CFB mode could be decrypted in CBC ?

No.  CFB and CBC are completely different crypto modes.

[snip]

> But it only operates on 16bytes each time, what makes it
> a CBC mode ( I guess ).

No.  It has a 16-byte block size, but that does not make it CBC.

> My solution was to complete with spaces the remain bytes to have
> an entire block, but what about the IV?

You should read Applied Cryptography.  This is "not the way".  There
are a number of standard padding techniques, but you do not need
them if you use CFB mode.  CFB mode always gives you the "exact"
amount of ciphertext that you need.

> I will lose some quality if I drop the IV and CFB mode in the
> server or is there a way to use the IV in CBC mode like pre-pending
> the IV or using all zeros IV in CFB...

This question does not make sense.

> I hope I have found the right place to post this and I was encouraged
> in doing so after reading some messages from this mail list.

Not really, as this list is for discussion of the OpenPGP
specification, not about cryptography in general.

> Thank you for your time in reading this and
> who knows if some one could enlightenment me
> in the right direction.

As I said, I recommend you read Applied Cryptography, or
engage the services of a Security Consultant to help you
understand all the issues...

Good Luck,

> Mauricio Junqueira
> mau.go@terra.com.br

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
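
Derek's three answers (CFB and CBC are different modes; a 16-byte block size does not make a mode CBC; CFB needs no padding and yields exactly as much ciphertext as there was plaintext) can be checked directly rather than taken on authority. The Python below is an added example for this archive; it is not code from the thread and not Mauricio's server or client code. It uses XTEA (8-byte block, 16-byte key) in place of Twofish only because a complete block cipher then fits in twenty lines; the mode logic is the same for any block size. Key, IV and messages are constructed, and the all-zero IV is deliberate so that what it leaks is visible.

```python
"""CFB versus CBC over a real block cipher. Added example for this exchange,
not code from the thread. XTEA (8-byte block, 16-byte key) stands in for
Twofish only because it fits in a few lines; the mode logic is unchanged."""
import struct

BLOCK, MASK, DELTA = 8, 0xFFFFFFFF, 0x9E3779B9

def xtea_encrypt_block(key, block):
    """XTEA, 32 rounds; masking each update reproduces the C reference's uint32 maths."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def xtea_decrypt_block(key, block):
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (32 * DELTA) & MASK
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def cfb_encrypt(key, iv, pt):
    """Full-block CFB: C_i = P_i XOR E(C_{i-1}), C_0 = IV. Only the encrypt
    direction is used; a short final block gets a truncated keystream, so
    len(ct) == len(pt) and there is no padding at all."""
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = xor(pt[i:i + BLOCK], xtea_encrypt_block(key, prev))
        out += prev
    return bytes(out)

def cfb_decrypt(key, iv, ct):
    """P_i = C_i XOR E(C_{i-1}): again the encrypt direction, never decrypt."""
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        out += xor(ct[i:i + BLOCK], xtea_encrypt_block(key, prev))
        prev = ct[i:i + BLOCK]
    return bytes(out)

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    """CBC: C_i = E(P_i XOR C_{i-1}); whole blocks only, hence PKCS#7 padding
    (unambiguous to strip, unlike filling the last block with spaces)."""
    pt, out, prev = pkcs7_pad(pt), bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = xtea_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt_raw(key, iv, ct):
    """CBC decryption without unpadding, so any block-aligned bytes
    (including CFB output) can be fed in to see what falls out."""
    if len(ct) % BLOCK:
        raise ValueError("CBC needs whole blocks")
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        out += xor(xtea_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return bytes(out)

# Constructed demo values. The fixed key and all-zero IV exist only to make
# the prefix leak visible; a real system uses a fresh IV per message.
KEY, ZERO_IV = bytes(range(16)), bytes(BLOCK)
MSG = b"critical data: 23 bytes"   # 23 bytes: not a multiple of BLOCK

def demo():
    cfb = cfb_encrypt(KEY, ZERO_IV, MSG)
    cbc = cbc_encrypt(KEY, ZERO_IV, MSG)
    return {
        "cfb_len": len(cfb),   # 23, exactly the plaintext length
        "cbc_len": len(cbc),   # 24, padded up to a whole block
        "cfb_roundtrip": cfb_decrypt(KEY, ZERO_IV, cfb) == MSG,
        "cbc_roundtrip": pkcs7_unpad(cbc_decrypt_raw(KEY, ZERO_IV, cbc)) == MSG,
        # CFB output pushed through a CBC decryptor does not give the plaintext back
        "cfb_decrypts_as_cbc": cbc_decrypt_raw(KEY, ZERO_IV, cfb[:16]) == MSG[:16],
        # Same key, same zero IV, same leading block => same first ciphertext block
        "zero_iv_prefix_leak": cfb_encrypt(KEY, ZERO_IV, b"critical data: 99 bytes")[:BLOCK] == cfb[:BLOCK],
    }
```

Note that cfb_decrypt never calls xtea_decrypt_block: a CFB receiver needs only the cipher's encrypt direction, which is one reason it suits a small embedded client. Two caveats for anyone replicating the original setup: libmcrypt's "cfb" mode is the 8-bit variant, while the full-block variant shown here is what it calls "ncfb", so the client must match whichever the server used; and a fixed all-zero IV under one key lets an observer see when two messages start the same way, as the last entry of demo() shows. OpenPGP's own CFB variant (as specified in RFC 2440) does use an all-zero IV, but only because it prepends a random block to every message, which is what gives each message a distinct effective IV.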


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FDJqrb015557 for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 06:19:52 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5FDJqPl015556 for ietf-openpgp-bks; Sun, 15 Jun 2003 06:19:52 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from claude.jabberwocky.com (walrus.ne.client2.attbi.com [24.60.130.129]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FDJprb015550 for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 06:19:51 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id h5FDJkK07415 for ietf-openpgp@imc.org; Sun, 15 Jun 2003 09:19:46 -0400
Date: Sun, 15 Jun 2003 09:19:46 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
Message-ID: <20030615131946.GE28548@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <87ptlrtxa5.fsf@alberti.g10code.de> <200306151208.42675@fortytwo.ch>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
In-Reply-To: <200306151208.42675@fortytwo.ch>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Full
User-Agent: Mutt/1.5.4i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Jun 15, 2003 at 12:08:38PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > authentication purposes.  As a workaround an implementation could use
> > notation data but this would be implementation dependent and a kind of
> > hack.
> 
> Hmm. Using a flag which is not documented (except in that it exists) seems
> kind of a hack, too. If the correct behaviour of openpgp software is to be
> left to implementors, why not use a notation - which is more flexible than a
> one-bit flag anyway?

It doesn't need much documentation.  This is similar to the "This key
may be used to encrypt communications" or "This key may be used to
encrypt storage" flags: a usage hint.

I think the proposed flag is a good idea.

David

--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc

iD8DBQE+7HJy4mZch0nhy8kRAinHAJ4zTOr5E11w1/bRqyym3qu4LYA/qQCgx5/N
FtzfDIJwRg17P8xz4YYRuDo=
=fIhw
-----END PGP SIGNATURE-----

--XsQoSWH+UP9D9v3l--


Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FA8rrb007726 for <ietf-openpgp-bks@above.proper.com>; Sun, 15 Jun 2003 03:08:53 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h5FA8rWN007724 for ietf-openpgp-bks; Sun, 15 Jun 2003 03:08:53 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from gluggsi.fortytwo.ch (zux006-028-188.adsl.green.ch [81.6.28.188]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h5FA8prb007705 for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 03:08:51 -0700 (PDT) (envelope-from vbi@fortytwo.ch)
Received: from altfrangg.fortytwo.ch (altfrangg.fortytwo.ch [192.168.1.17]) by gluggsi.fortytwo.ch (Postfix) with ESMTP id 11F556913 for <ietf-openpgp@imc.org>; Sun, 15 Jun 2003 12:08:44 +0200 (CEST)
Received: by altfrangg.fortytwo.ch (Postfix, from userid 1002) id 1C63A414FB; Sun, 15 Jun 2003 12:08:43 +0200 (CEST)
From: "Adrian 'Dagurashibanipal' von Bidder" <avbidder@fortytwo.ch>
To: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
Date: Sun, 15 Jun 2003 12:08:38 +0200
User-Agent: KMail/1.5.1
References: <87ptlrtxa5.fsf@alberti.g10code.de>
In-Reply-To: <87ptlrtxa5.fsf@alberti.g10code.de>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_qWE7+JXt2jWT7eF"; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200306151208.42675@fortytwo.ch>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

--Boundary-02=_qWE7+JXt2jWT7eF
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Friday 06 June 2003 10:39, Werner Koch wrote:

>  5.2.3.21. Key Flags
>
>      [...]
>
>      0x20 - This key may be used for authentication.
>
> Usage notes are not necessary and it should be left to an
> implementation on how to handle this key flag.

At least a note that handling of this flag should be implementation defined
should go in. Somebody implementing OpenPGP software needs to know at least
that he needn't worry what to do with such keys (or perhaps that he should
ignore such [sub]keys in most cases?)

> authentication purposes.  As a workaround an implementation could use
> notation data but this would be implementation dependent and a kind of
> hack.

Hmm. Using a flag which is not documented (except in that it exists) seems
kind of a hack, too. If the correct behaviour of openpgp software is to be
left to implementors, why not use a notation - which is more flexible than a
one-bit flag anyway?

greets
-- vbi

-- 
featured link: http://fortytwo.ch/smtp

--Boundary-02=_qWE7+JXt2jWT7eF
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj7sRapgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi
YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWqboAn1/lQTM9r9kR8K3I7SCALBY5
SQ2AAKD3Qkk1t/q8qBlIU478fHPcrd6EYw==
=WGSO
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

--Boundary-02=_qWE7+JXt2jWT7eF--


User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
Date: Sat, 14 Jun 2003 11:32:27 -0300
Subject: Using all zeros for IV means that..
From: Mauricio Junqueira <mau.go@terra.com.br>
To: <ietf-openpgp@imc.org>
Message-ID: <BB10B84A.40F%mau.go@terra.com.br>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

.. a cipher text encoded in CFB mode could be decrypted in CBC ?

That question may be a silly one, but here's the point:

I am a Brazilian engineer who is in charge of the development
of a system that needs to send critical data over
the internet and other means.

Being new to cryptography but with some past experience
coding the DES algorithm for TEF, I decided to do a little
research on new encryption methods. Then I decided on
Twofish (128 bits) and implemented the server side of the
system using C and mcrypt in CFB mode.
So I decided on a very special convention for the IV bytes and
also hashed the IV prior to its use.
To test the server, we have coded some clients in PHP and
everything works just fine.

Well, now we are developing for the real client: a 16 MHz Hitachi H300
that has its own C libraries.
I found that implementing mcrypt and then Twofish was not an option and
went to code Twofish only.

When looking for some examples showing how to implement Twofish, I found
a Twofish source for PGP and used that as the basis for
the H300 implementation. Aside from differences in what an
unsigned char means, I now have it working.

But it only operates on 16 bytes each time, which makes it
CBC mode (I guess).

My solution was to pad the remaining bytes with spaces to have
an entire block, but what about the IV?

Will I lose some quality if I drop the IV and CFB mode in the
server, or is there a way to use the IV in CBC mode, like pre-pending
the IV or using an all-zeros IV in CFB...


I hope I have found the right place to post this, and I was encouraged
to do so after reading some messages from this mailing list.


Thank you for your time in reading this, and
who knows, maybe someone could enlighten me
in the right direction.

Mauricio Junqueira
mau.go@terra.com.br

AMERICA - SOUTH AMERICA - BRASIL - GOIAS - GOIANIA

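The question above, worked through in Python as an added example (not the poster's code and not PGP's Twofish): both modes are built on the same 16-byte block function, here a stand-in Feistel cipher keyed with HMAC-SHA256 so the example runs offline, and the last two functions check that CFB output does not decrypt under CBC and that an all-zero IV lets an observer see when two messages share a prefix, which a fresh random IV prepended to the ciphertext avoids.

```python
import hashlib
import hmac
import os

BLOCK = 16  # Twofish, like AES, works on 16-byte blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher: 4-round Feistel network with an HMAC
    round function (Luby-Rackoff). Swap in Twofish here; the modes do not care."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7: unambiguous, unlike padding with spaces, which the receiver
    cannot tell apart from spaces that belong to the message."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv  # plaintext must already be a multiple of BLOCK
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(decrypt_block(key, c), prev)
        prev = c
    return out

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: only the forward block function is used, and a short
    final block is fine, so no padding is needed."""
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        c = _xor(plaintext[i:i + BLOCK], encrypt_block(key, prev))
        out, prev = out + c, c
    return out

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out, prev = out + _xor(c, encrypt_block(key, prev)), c
    return out

def seal_cbc(key: bytes, msg: bytes) -> bytes:
    """Fresh random IV per message, sent in the clear in front of the
    ciphertext (the "pre-pending" option from the question)."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pad(msg))

def open_cbc(key: bytes, blob: bytes) -> bytes:
    return unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))

def cfb_ciphertext_decrypts_in_cbc(key: bytes, iv: bytes, msg: bytes) -> bool:
    """The subject-line question: CFB output fed to a CBC decryptor with the
    same key and IV does not come back as the plaintext."""
    return cbc_decrypt(key, iv, cfb_encrypt(key, iv, msg)) == msg

def fixed_iv_leaks_shared_prefix(key: bytes) -> bool:
    """Constructed sample messages with an equal first block: under an all-zero
    IV the first ciphertext blocks are equal, so an observer sees that the two
    messages share a prefix; under fresh random IVs they differ."""
    m1, m2 = b"BALANCE=100;ACCT=1", b"BALANCE=100;ACCT=2"
    zero = bytes(BLOCK)
    same_zero = cfb_encrypt(key, zero, m1)[:BLOCK] == cfb_encrypt(key, zero, m2)[:BLOCK]
    same_rand = (cfb_encrypt(key, os.urandom(BLOCK), m1)[:BLOCK]
                 == cfb_encrypt(key, os.urandom(BLOCK), m2)[:BLOCK])
    return same_zero and not same_rand
```

Neither mode detects tampering; OpenPGP adds a signature or the MDC packet for that, and a system carrying critical data needs an equivalent check on top of the cipher.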



To: iang@systemics.com
Cc: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
References: <87ptlrtxa5.fsf@alberti.g10code.de> <3EE0B325.A6F3BB3F@systemics.com>
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
Date: Fri, 06 Jun 2003 19:56:56 +0200
In-Reply-To: <3EE0B325.A6F3BB3F@systemics.com> (Ian Grigg's message of "Fri, 06 Jun 2003 11:28:37 -0400")
Message-ID: <878ysfqec7.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

On Fri, 06 Jun 2003 11:28:37 -0400, Ian Grigg said:

> To identify keys and their roles, we stick the following
> into the keyId textual tag:

>    [role]

That used to be the only way during PGP 2 times.  A German ISP with an
associated CA created pgp 2.63in to formalize their conventions on how
to encode more attributes in the User ID.  This made it even possible
to use separate signing and encryption keys as well as expiration
dates.

In contrast OpenPGP provides a more general way to encode more
information with a key.  Most notably notation data can be used
instead of tags encoded in the User ID.

> (And, thinking about it some more, I can see that the issue
> you might have there is that once you have your authentication
> bit in place, how do you show that the key is to be used for
> SSH authentication and not TLS?)

That is not the question I want to address.  The problem stems from
this:

If you have more than one encryption subkey, the most useful way is to
use the newest encryption subkey which has not been created in the
future.  This allows for an automatic key rollover.  Although it does
not make that much sense, the scheme can also be used for signing
subkeys.  To figure out what subkey to use, the implementation
computes the key capabilities from the used algorithm and the key
flags and decides on this.  If you add a subkey for authentication,
this one is probably the newest one and would be used for signing -
that is probably not what you want.


Shalom-Salam,

   Werner

-- 
Werner Koch                                      <wk@gnupg.org>
The GnuPG Experts                                http://g10code.com
Free Software Foundation Europe	                 http://fsfeurope.org

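Werner's subkey-selection rule (newest subkey not created in the future, with capabilities computed from the algorithm and the key flags) as an added Python example, not GnuPG code; the key ids, creation times and the algorithm capability table are constructed for the demo. It shows why an ssh subkey that can only carry the 0x02 flag gets picked for ordinary data signing, and how the proposed 0x20 flag keeps the two uses apart.

```python
from dataclasses import dataclass
from typing import Optional

# Key-flags subpacket bits (RFC 2440bis section 5.2.3.21); 0x20 is the one
# proposed in this thread.
FLAG_CERTIFY = 0x01
FLAG_SIGN = 0x02
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08
FLAG_AUTH = 0x20

# What each algorithm can do at all, before key flags narrow it down (table
# constructed for this example). Authentication is a signing operation, so
# signing-capable algorithms qualify for it.
ALGO_CAPS = {
    "RSA": FLAG_CERTIFY | FLAG_SIGN | FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE | FLAG_AUTH,
    "RSA-S": FLAG_CERTIFY | FLAG_SIGN | FLAG_AUTH,
    "RSA-E": FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE,
    "DSA": FLAG_CERTIFY | FLAG_SIGN | FLAG_AUTH,
    "ELG-E": FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE,
}

@dataclass(frozen=True)
class Subkey:
    keyid: str            # constructed sample ids, not real key ids
    algo: str
    created: int          # creation time, seconds since the epoch
    flags: Optional[int]  # None: binding signature carries no key-flags subpacket

def capabilities(sk: Subkey) -> int:
    """Algorithm capabilities masked by the key flags, when there are any."""
    caps = ALGO_CAPS[sk.algo]
    return caps if sk.flags is None else caps & sk.flags

def select_subkey(subkeys, wanted: int, now: int) -> Optional[Subkey]:
    """Newest subkey that has every wanted capability and was not created
    in the future. Newest-wins is what gives automatic key rollover."""
    usable = [sk for sk in subkeys
              if sk.created <= now and (capabilities(sk) & wanted) == wanted]
    return max(usable, key=lambda sk: sk.created) if usable else None

# Constructed key: an older signing subkey, an encryption subkey, and a newer
# subkey meant only for ssh/TLS authentication.
NOW = 1_055_000_000  # June 2003, as a fixed "current time" for the demo
SIGN_SK = Subkey("SIGN0001", "DSA", NOW - 10_000_000, FLAG_SIGN)
ENC_SK = Subkey("ENC00001", "ELG-E", NOW - 10_000_000,
                FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE)

def signing_key_without_auth_flag() -> str:
    """Only 0x02 exists: the ssh subkey has to carry the sign flag, and being
    the newest it is picked for ordinary data signatures too."""
    ssh = Subkey("SSH00001", "RSA-S", NOW - 1_000, FLAG_SIGN)
    return select_subkey([SIGN_SK, ENC_SK, ssh], FLAG_SIGN, NOW).keyid

def keys_with_auth_flag() -> tuple:
    """With 0x20 the ssh subkey is chosen for authentication only and the
    older subkey keeps doing data signatures."""
    ssh = Subkey("SSH00001", "RSA-S", NOW - 1_000, FLAG_AUTH)
    keys = [SIGN_SK, ENC_SK, ssh]
    return (select_subkey(keys, FLAG_SIGN, NOW).keyid,
            select_subkey(keys, FLAG_AUTH, NOW).keyid)

def future_key_is_skipped() -> str:
    """A subkey with a creation time in the future is never selected."""
    future = Subkey("FUTURE01", "RSA-S", NOW + 86_400, FLAG_SIGN)
    return select_subkey([SIGN_SK, ENC_SK, future], FLAG_SIGN, NOW).keyid
```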


Message-ID: <3EE0B325.A6F3BB3F@systemics.com>
Date: Fri, 06 Jun 2003 11:28:37 -0400
From: Ian Grigg <iang@systemics.com>
Reply-To: iang@systemics.com
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Werner Koch <wk@gnupg.org>
Cc: ietf-openpgp@imc.org
Subject: Re: key flag for authentication
References: <87ptlrtxa5.fsf@alberti.g10code.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Werner Koch wrote:
> 
> Hi!
> 
> I know that we are short of releasing a new RFC and bis-08 looks
> really good.  Due to the project I am currently working on I'd like to
> suggest a small enhancement:
> 
>  5.2.3.21. Key Flags
> 
>      [...]
> 
>      0x20 - This key may be used for authentication.
> 
> Usage notes are not necessary and it should be left to an
> implementation on how to handle this key flag.
> 
> There are drafts and actual implementations to use OpenPGP keys with
> TLS and ssh.  Thus, having a subkey specially for this purpose seems
> to be a good idea.  A key with key flag 0x02 (sign data) could be used
> for authentication too but this has the problem that there would be no
> easy way to select the appropriate subkey for data signing or
> authentication purposes.  As a workaround an implementation could use
> notation data but this would be implementation dependent and a kind of
> hack.
> 
> What do you think?

Not that I disagree with you, but I'd like to point out
alternative practice.

We (Systemics/Ricardo/SOX/WebFunds) have been using PGP keys
for authentication purposes for years (8, if anyone's counting,
with a couple of years gap where we got blindsided into
x.509).  (Something between 100k and a million transactions.)

To identify keys and their roles, we stick the following
into the keyId textual tag:

   [role]

where role could be one of certification, operator, server,
contract, ...

This appears to be much more flexible than looking for bits
in the key, as it allows lots of roles.  When one gets into
bigger protocols, one ends up with dozens of different keys
at different places in the PKI.  And they all need to have
their roles and characteristics encoded in them.

So, whilst I wouldn't necessarily disagree with the bit
being there, I'm not sure I see the need.

(And, thinking about it some more, I can see that the issue
you might have there is that once you have your authentication
bit in place, how do you show that the key is to be used for
SSH authentication and not TLS?)

Just some thoughts!

-- 
iang


To: ietf-openpgp@imc.org
Subject: key flag for authentication
From: Werner Koch <wk@gnupg.org>
Organisation: g10 Code GmbH
X-Request-PGP: finger:wk@g10code.com
X-PGP-KeyID:   621CC013
X-FSFE-Info:  http://fsfeurope.org
Date: Fri, 06 Jun 2003 10:39:30 +0200
Message-ID: <87ptlrtxa5.fsf@alberti.g10code.de>
User-Agent: Gnus/5.1002 (Gnus v5.10.2) Emacs/20.7 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi!

I know that we are short of releasing a new RFC and bis-08 looks
really good.  Due to the project I am currently working on I'd like to
suggest a small enhancement:

 5.2.3.21. Key Flags

     [...]   

     0x20 - This key may be used for authentication.

Usage notes are not necessary and it should be left to an
implementation on how to handle this key flag.

There are drafts and actual implementations to use OpenPGP keys with
TLS and ssh.  Thus, having a subkey specially for this purpose seems
to be a good idea.  A key with key flag 0x02 (sign data) could be used
for authentication too but this has the problem that there would be no
easy way to select the appropriate subkey for data signing or
authentication purposes.  As a workaround an implementation could use
notation data but this would be implementation dependent and a kind of
hack.

What do you think?


  Werner


-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi



Date: Wed, 4 Jun 2003 21:27:38 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Message-ID: <20030605012738.GD23351@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306041156.HAA12763@ietf.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <200306041156.HAA12763@ietf.org>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (20% of Full)
User-Agent: Mutt/1.5.4i


On Wed, Jun 04, 2003 at 07:56:54AM -0400, Internet-Drafts@ietf.org wrote:

> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-08.txt

I'm quite pleased with this draft.  I'm going to give it a more
in-depth read, but I did notice a few very minor (mostly language)
nits:

***************

In section 5.2.1 ("Signature Types"): In the description of the 0x50
signature, there is a sentence that reads "such a a blind party that
only sees the signature, not the key nor source document".  That first
"a" was probably intended as an "as".

In the same section, "It is a notary seal on the signed data", could
probably be better as "It is analogous to a notary seal on the signed
data".  This should also help Ian Grigg's concerns about misuse of the
word "notary".

***************

In section 14 ("Implementation Nits") one of the items mentions:

     * PGP 2.0 through 2.5 generated V2 Public Key Packets. These are
       identical to the deprecated V3 keys except for the version
       number. An implementation may accept or reject them as it sees
       fit.

It might be good to change this a bit to:

     * PGP 2.0 through 2.5 generated V2 Public Key Packets and V2
       signatures. These are identical to the deprecated V3 keys and
       signatures except for the version number. An implementation may
       accept or reject them as it sees fit.

***************

I understood that the "keyserver preferences" and "features"
subpackets contain a collection of single-bit flags, but it isn't
completely clear from the text.  Maybe a sprinkling of the word "bit"
would help here.

***************

In section 5.2.4 ("Computing Signatures"), a sentence reads "A V3
certification hashes the contents of the name packet, without any
header."  Instead of "name packet", I suggest "user ID or attribute
packet".

***************

In section 10.1 ("Transferable Public Keys"), subkeys are followed by
"After each Subkey packet, one signature packet, optionally a
revocation."  I think the word "plus", as in "... plus optionally a
revocation" would be helpful here.  A revocation does not take the
place of the original binding signature.

***************

David


Date: Wed, 4 Jun 2003 20:53:03 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Message-ID: <20030605005303.GC23351@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <200306041156.HAA12763@ietf.org> <823tdvcb36dtfmrn4k607k0vn2qophahb5@4ax.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <823tdvcb36dtfmrn4k607k0vn2qophahb5@4ax.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (20% of Full)
User-Agent: Mutt/1.5.4i


On Thu, Jun 05, 2003 at 02:18:31AM +0200, Imad R. Faiad wrote:
> 
> Hello Mr. Callas,
> 
> And while we are hacking, by hacking, I mean
> chopping with an axe.  Let us spruce the
> compression algorithms.
> 
> The zlib compression algorithm seems to be only
> implemented in the GnuPG variants, and
> is causing a lot of inter-operability problems.
> The compression function is breaking inter
> operability, therefore, we ought to state what is a
> "MUST" and what isn't, so that the issue may be resolved,
> once and for all.

I think the text in the draft is pretty clear on this point.  To my
reading, it says:

* You MUST support uncompressed data.

* You SHOULD support ZIP.

* You MAY support ZLIB.

* If a key states compression preferences, they MUST be followed at
  least to the point of knowing when to send uncompressed.  An easy
  way to do this is to always send uncompressed data since it is
  known to always be supported.

* If a key does not state compression preferences, they are assumed
  to be "ZIP, Uncompressed".

It all seems pretty clear-cut to me.

I have seen a few interoperability problems between GnuPG and PGP due
to ZLIB, but each and every one falls into one of two groups:

1) A GnuPG user who insists on forcing the use of ZLIB when
   communicating with a PGP user, and ignores the "forcing compression
   algorithm ZLIB violates recipient preferences" error message.  This
   is depressingly common, but still is not a problem that the OpenPGP
   design can solve.

2) A key is generated in GnuPG, then later the user switches over to
   using PGP.  Since the ZLIB preference still exists on the key,
   a correspondent using GnuPG will naturally use ZLIB when encrypting
   to that key.  This is a problem that OpenPGP addresses in section
   5.2.3.3 ("Notes on Self-Signatures"):

       Since a self-signature contains important information about the
       key's use, an implementation SHOULD allow the user to rewrite
       the self-signature, and important information in it, such as
       preferences and key expiration.

> Especially so, when, forgive
> my expression, some implementors, default to zlib,
> while others seem to be unwilling to implement it.

Which implementation is that?  Both GnuPG and PGP default to ZIP.

The problem here is actually wider than the ZIP/ZLIB issue.  The same
thing happens with any two OpenPGP programs that support any different
cipher or hash algorithms.  The answer is not to force all
implementations to have the exact same algorithms.  The answer is to
properly use the preference lists.  That's what they are there for.

David

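The five rules David lists, as an added Python example (not GnuPG or PGP code) of how a sender picks a compression algorithm: Uncompressed is implicitly on every preference list because everyone MUST support it, a key without preferences is treated as "ZIP, Uncompressed", and with several recipients only an algorithm acceptable to all of them may be used. The preference lists are constructed to mirror the GnuPG and PGP keys in the thread, and `we_support` is a hypothetical name for the sender's own algorithm set.

```python
UNCOMPRESSED, ZIP, ZLIB = 0, 1, 2   # compression algorithm ids (RFC 2440 section 9.3)
NAMES = {UNCOMPRESSED: "Uncompressed", ZIP: "ZIP", ZLIB: "ZLIB"}
DEFAULT_PREFS = (ZIP, UNCOMPRESSED)  # assumed for a key that states no preferences

class PreferenceViolation(Exception):
    """A forced algorithm is not acceptable to every recipient."""

def effective_prefs(prefs):
    """A recipient's list in stated order, with Uncompressed appended when it
    is missing: every implementation MUST support it, so it is always allowed."""
    prefs = list(DEFAULT_PREFS if prefs is None else prefs)
    if UNCOMPRESSED not in prefs:
        prefs.append(UNCOMPRESSED)
    return prefs

def choose_compression(recipient_prefs, we_support, forced=None):
    """recipient_prefs: one preference list (or None) per recipient.
    we_support: algorithms this implementation can produce besides Uncompressed.
    forced: an algorithm the user insists on, still checked against the recipients."""
    allowed = set(we_support) | {UNCOMPRESSED}
    for prefs in recipient_prefs:          # keep only what every recipient accepts
        allowed &= set(effective_prefs(prefs))
    if forced is not None:
        if forced not in allowed:
            raise PreferenceViolation(
                f"forcing compression algorithm {NAMES[forced]} violates recipient preferences")
        return forced
    # Rank by the first recipient's stated order; Uncompressed is always reachable.
    ranking = effective_prefs(recipient_prefs[0]) if recipient_prefs else list(DEFAULT_PREFS)
    return next(a for a in ranking if a in allowed)

# Constructed preference lists for the two implementations in the thread.
GNUPG_KEY = [ZLIB, ZIP, UNCOMPRESSED]   # a GnuPG-generated key
PGP_KEY = [ZIP]                         # a PGP key: no ZLIB, Uncompressed implicit

def gnupg_to_gnupg():
    return choose_compression([GNUPG_KEY], we_support=[ZIP, ZLIB])           # ZLIB

def gnupg_to_mixed_recipients():
    return choose_compression([GNUPG_KEY, PGP_KEY], we_support=[ZIP, ZLIB])  # ZIP

def key_without_preferences():
    return choose_compression([None], we_support=[ZIP, ZLIB])                # ZIP

def minimal_sender():
    """The "easy way": an implementation that never compresses is always safe."""
    return choose_compression([GNUPG_KEY, PGP_KEY], we_support=[])           # UNCOMPRESSED

def forcing_zlib_at_pgp_user():
    """Case 1 from the thread: the user overrides the preference check and
    gets the error message instead of a message the recipient cannot read."""
    try:
        choose_compression([PGP_KEY], we_support=[ZIP, ZLIB], forced=ZLIB)
    except PreferenceViolation as e:
        return str(e)
    return None
```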

From: "Imad R. Faiad" <matic@cyberia.net.lb>
To: ietf-openpgp@imc.org
Subject: Re: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Date: Thu, 05 Jun 2003 02:18:31 +0200
Message-ID: <823tdvcb36dtfmrn4k607k0vn2qophahb5@4ax.com>
References: <200306041156.HAA12763@ietf.org>
In-Reply-To: <200306041156.HAA12763@ietf.org>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit


Hello Mr. Callas,

And while we are hacking, by hacking, I mean
chopping with an axe.  Let us spruce the
compression algorithms.

The zlib compression algorithm seems to be only
implemented in the GnuPG variants, and
is causing a lot of inter-operability problems.
The compression function is breaking inter
operability, therefore, we ought to state what is a
"MUST" and what isn't, so that the issue may be resolved,
once and for all.  Especially so, when, forgive
my expression, some implementors, default to zlib,
while others seem to be unwilling to implement it.

my 2c,

Best Regards

Imad R. Faiad






Message-Id: <200306041156.HAA12763@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce: ;
Cc: ietf-openpgp@imc.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-openpgp-rfc2440bis-08.txt
Date: Wed, 04 Jun 2003 07:56:54 -0400


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the An Open Specification for Pretty Good Privacy Working Group of the IETF.

	Title		: OpenPGP Message Format
	Author(s)	: J. Callas, L. Donnerhacke, H. Finney, R. Thayer
	Filename	: draft-ietf-openpgp-rfc2440bis-08.txt
	Pages		: 71
	Date		: 2003-6-3
	
This document is maintained in order to publish all necessary
information needed to develop interoperable applications based on
the OpenPGP format. It is not a step-by-step cookbook for writing an
application. It describes only the format and methods needed to
read, check, generate, and write conforming packets crossing any
network. It does not deal with storage and implementation questions.
It does, however, discuss implementation issues necessary to avoid
security flaws.
OpenPGP software uses a combination of strong public-key and
symmetric cryptography to provide security services for electronic
communications and data storage.  These services include
confidentiality, key management, authentication, and digital
signatures. This document specifies the message formats used in
OpenPGP.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-08.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-openpgp-rfc2440bis-08.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt


Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv@ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-openpgp-rfc2440bis-08.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.





Date: Mon, 02 Jun 2003 16:59:09 -0700
Subject: Bis-08 submitted
From: Jon Callas <jon@callas.org>
To: OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BB0132DD.8001157F%jon@callas.org>

It contains all the things I think we've agreed to, plus a first stab at the
normative/non-normative reference separation, which will no doubt be a
subject of debate.

    Jon



Date: Mon, 2 Jun 2003 01:31:33 +0100
From: Adam Back <adam@cypherspace.org>
To: Jon Callas <jon@callas.org>
Cc: John Wilkinson <jwilkinson@attbi.com>, OpenPGP <ietf-openpgp@imc.org>, Adam Back <adam@cypherspace.org>
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
Message-ID: <20030602013133.A10766486@exeter.ac.uk>
References: <3ED7EDD2.4050105@attbi.com> <BAFF231C.80011420%jon@callas.org>
In-Reply-To: <BAFF231C.80011420%jon@callas.org>; from jon@callas.org on Sun, Jun 01, 2003 at 03:27:24AM -0700

Not sure if this is what you were referring to about their comments in
Practical Cryptography, but in that book they argue for use of 256-bit
keys on the basis that protocols and algorithms more frequently than
we'd like fall victim to variants of the meet-in-the-middle attack
where the key space ends up being half as many bits as you thought it
might.

So personally I'm not sure I buy that particular argument, but I
happen to share the conclusion: 256-bit keys are a good idea.

Also I'd think the most suspect aspect of a 256-bit keyed cipher is
whether it truly achieves 256 bits of strength.  I'd say it's much
less controversial however to say 256-bit AES provides a better margin
of security than 128-bit AES.

Adam

On Sun, Jun 01, 2003 at 03:27:24AM -0700, Jon Callas wrote:
> Now Ferguson and Schneier have a new book out, "Practical Cryptography" and
> their opinions are well worth paying close attention to, even if you don't
> completely agree. 
> 
> Personally, I stick with 128-bit keys, but that's because I think too many
> people want more bits in their keys without understanding what's going on.
> 
> The question, "Will a key with more bits give me better security?" is a lot
> like the question, "Will more cylinders in my car engine make me go faster?"
> The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
> actually cause all sorts of troubles." It's not what people want to hear.
> 
>     Jon
> 
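
The meet-in-the-middle effect Adam summarizes from Practical Cryptography, shown on a toy cipher as an added example (this is not code from the thread, from the book, or from any OpenPGP implementation; the 12-bit Feistel cipher, the key schedule, the secret keys and the plaintext blocks are all constructed for the demonstration). Double encryption with two independent k-bit keys advertises a 2k-bit key, but an analyst holding a table of the 2^k intermediate values recovers both keys with about 2^(k+1) cipher operations, so the effective strength is roughly one bit more than a single key, not double. That is the "half as many bits as you thought" loss that the book's argument budgets a margin for.

```python
"""Meet-in-the-middle on double encryption (constructed toy example).

Nominal key: 2*KEY_BITS bits.  Work to recover it: about 2^(KEY_BITS+1)
cipher operations plus 2^KEY_BITS table entries, instead of 2^(2*KEY_BITS).
"""

KEY_BITS = 12        # toy size (assumption) so the demo runs in milliseconds
ROUNDS = 4
MASK16 = 0xFFFF


def _round_key(key: int, r: int) -> int:
    # Toy key schedule, constructed for the demo; not any real cipher's.
    return (key * 0x9E37 + r * 0x5BD1) & MASK16


def _f(half: int, rk: int) -> int:
    # Toy Feistel round function: a bijection on 16-bit values.
    y = ((half ^ rk) * 0x2D95) & MASK16
    return ((y << 3) | (y >> 13)) & MASK16


def toy_encrypt(key: int, block: int) -> int:
    """4-round Feistel cipher on 32-bit blocks with a KEY_BITS-bit key."""
    left, right = (block >> 16) & MASK16, block & MASK16
    for r in range(ROUNDS):
        left, right = right, left ^ _f(right, _round_key(key, r))
    return (left << 16) | right


def toy_decrypt(key: int, block: int) -> int:
    """Inverse of toy_encrypt: run the Feistel rounds backwards."""
    left, right = (block >> 16) & MASK16, block & MASK16
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _round_key(key, r)), left
    return (left << 16) | right


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """E_k2(E_k1(P)): looks like a 2*KEY_BITS-bit key, but is not."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def make_pairs(k1: int, k2: int, plaintexts=(0x01234567, 0x89ABCDEF)):
    """Known-plaintext pairs (constructed inputs) an analyst would hold."""
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known pairs; returns (candidates, cipher_ops).

    Forward table: E_k1(P0) for every k1, i.e. 2^KEY_BITS entries.
    Backward scan: D_k2(C0) for every k2, looked up in that table.
    The remaining pairs filter the rare false matches one block allows.
    """
    (p0, c0), *rest = pairs
    ops = 0
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(k2, c0)
        ops += 1
        for k1 in forward.get(mid, ()):
            ok = True
            for p, c in rest:
                ops += 2
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                found.append((k1, k2))
    return found, ops


def brute_force_ops() -> int:
    """Work for naive exhaustive search over both keys (2 ops per trial)."""
    return 2 * (1 << (2 * KEY_BITS))


if __name__ == "__main__":
    k1, k2 = 0x3A5, 0xC71            # constructed secret keys
    cands, ops = meet_in_the_middle(make_pairs(k1, k2))
    print(f"recovered {cands} with {ops} cipher ops; "
          f"brute force needs {brute_force_ops()}")
```

Run the module directly to see the operation counts: with KEY_BITS = 12 the nominal 24-bit double key falls in a little over 2^13 cipher operations rather than 2^25. Read against the AES-128/AES-256 question, the arithmetic is the whole point of the book's argument as Adam relays it: if some protocol-level flaw halves the effective key bits, a 256-bit key still leaves 128 bits of work, while a 128-bit key leaves 64.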


Date: Sun, 01 Jun 2003 03:27:24 -0700
Subject: Re: AES-256 vs AES-128 (Re: Suggested DER Prefixes)
From: Jon Callas <jon@callas.org>
To: John Wilkinson <jwilkinson@attbi.com>, OpenPGP <ietf-openpgp@imc.org>
Message-ID: <BAFF231C.80011420%jon@callas.org>
In-Reply-To: <3ED7EDD2.4050105@attbi.com>

On 5/30/03 4:48 PM, "John Wilkinson" <jwilkinson@attbi.com> wrote:

> 
> With all due respect, Jon, I would like to see a quote from a recognized
> crypto expert who feels that AES-128 is "safer" than AES-256.

I think you misunderstand what I'm saying.

In crypto circles, there's a subtle difference between being conservative
and being insecure. Safety is like wine. It ages over years. We tend to use
the word "safe" informally.

What I said was that the 256-bit ciphers make two changes, and that makes
them daring. I did say that I did not share the concerns I've heard, but I
still value them as the opinions of colleagues.

As for "recognized crypto experts" -- well, there are a lot of them here,
even if a number of us crypto experts aren't cipher designers. You've heard
from recognized crypto experts, and note that there's a variation of
opinion, and some of them say that yes, AES-256 is more daring than AES-128.

When I was at Counterpane, we used Blowfish over either AES or Twofish,
despite the fact that we thought that AES and Twofish both were better
designs. It was all a matter of aging, and it was at that time that
Schneier, Ferguson, and Kelsey (all Twofish designers) opined precisely what
I said -- that all of the AES candidates should be used in 128-bit mode, as
that was better understood.

Now Ferguson and Schneier have a new book out, "Practical Cryptography", and
their opinions are well worth paying close attention to, even if you don't
completely agree.

Personally, I stick with 128-bit keys, but that's because I think too many
people want more bits in their keys without understanding what's going on.

The question, "Will a key with more bits give me better security?" is a lot
like the question, "Will more cylinders in my car engine make me go faster?"
The answer to both is, "Ummm, well, maybe. Usually yes, but too many can
actually cause all sorts of troubles." It's not what people want to hear.

    Jon


