
Re: OpenPGP mail/news header



David Shaw <dshaw@xxxxxxxxxxxxxxx> writes:

> On Sun, Jan 16, 2005 at 12:04:37PM +0100, Simon Josefsson wrote:
>
>> This seems like a good solution.  Will there ever be a need to have
>> key id's of different length than 4, 8, 16 and 20 bytes?  The BNF now
>> reads:
>> 
>> id        := 4*HEXDIG / 8*HEXDIG / 32*HEXDIG / 40*HEXDIG
>> 
>> And I'm not certain it is a good idea to allow the flexibility of
>> 
>> id        := *HEXDIG
>
> I like the simplicity and flexibility of this.  The key ID field is a
> message from the OpenPGP user to the world.  Specifying that the ID
> must be a particular length doesn't really help anyone, since it is up
> to the recipient to decide how the key ID is going to be handled
> anyway.  Plus, someday we'll have a v5 key.  Chances are it won't be
> 40 hex digits long.

Ok, I'm convinced.

>> Thanks for this input.  I have been trying to understand why
>> algo/size/created are needed, but nobody has been able to explain it
>> to me.
>> 
>> The reason was supposedly that with v3 keys, you are subject to something
>> called the 0xDEADBEEF attack, where I infer that keys can be created
>> easily with any given key id.  The attack is not possible with v4
>> keys.  Someone said the attack is harder for v3 keys if you also
>> compare the key size, key algorithm and creation time.
>
> There are actually two different attacks.  It is trivial to create a
> V3 key with any key ID you like.  That's the 0xDEADBEEF attack.  There
> is a different attack altogether (but lacking a catchy name), which is
> against the V3 fingerprint.  Since the V3 fingerprint consists of the
> RSA values n and e, but not their lengths, you can do tricks with
> 'sliding' bits from one into the other.  The end result is a
> constructed V3 key with the same fingerprint as the 'victim' V3 key.
> The trick is that such a constructed key will always have a different
> size than the original key.

Thanks for explaining this, I finally understand.  So it seems
"created" never helps to mitigate any attacks.  Only size does (and
from your description, perhaps also algo).

>> Without understanding the motivation for size/algo/created, I'm in
>> favor of dropping them.
>
> Even understanding the motivation, I'm in favor of dropping them.  V3
> keys are deprecated.  If someone desperately needs to use V3 keys, and
> desperately needs to include their key size in the OpenPGP header to
> foil this attack, well, there is already a way to include arbitrary
> free-text comments in the header.

Right, unless someone has a good argument to keep them, I believe they
will be dropped.

Thanks,
Simon
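
The following is an added illustration, not part of the original message and not code from any OpenPGP implementation. It shows why a V3 fingerprint does not bind the boundary between n and e, and why also comparing the key size exposes a key built by moving that boundary. The values are constructed stand-ins rather than a real RSA key, and the names matches_pinned and length_prefixed_digest are hypothetical.

```python
import hashlib

def mpi_body(x: int) -> bytes:
    """Big-endian value of an MPI, without its two-octet bit-count prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def v3_fingerprint(n: int, e: int) -> str:
    # V3 rule (RFC 4880, section 12.2): MD5 over the body of n, then the
    # body of e. Neither length is hashed, so the n/e boundary is not bound.
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()

def length_prefixed_digest(n: int, e: int) -> str:
    # Illustrative contrast only (not the V4 fingerprint algorithm): hashing
    # each MPI together with its bit count makes the boundary part of the input.
    h = hashlib.sha1()
    for x in (n, e):
        h.update(x.bit_length().to_bytes(2, "big") + mpi_body(x))
    return h.hexdigest()

def matches_pinned(n: int, e: int, fpr: str, bits: int) -> bool:
    # Recipient-side check: fingerprint AND modulus size must both match.
    return v3_fingerprint(n, e) == fpr and n.bit_length() == bits

# Constructed stand-in values, not a real RSA key: a 64-byte "modulus" and
# the common exponent 0x010001.
N_ORIG = int.from_bytes(bytes([0xC1]) + bytes(range(2, 65)), "big")
E_ORIG = 0x010001

# The same 67 bytes split one byte earlier: the last byte of n becomes the
# first byte of e. Only the boundary moved; no byte of hash input changed.
STREAM = mpi_body(N_ORIG) + mpi_body(E_ORIG)
N_SLID = int.from_bytes(STREAM[:63], "big")
E_SLID = int.from_bytes(STREAM[63:], "big")

if __name__ == "__main__":
    fpr = v3_fingerprint(N_ORIG, E_ORIG)
    print("same V3 fingerprint:", fpr == v3_fingerprint(N_SLID, E_SLID))
    print("sizes:", N_ORIG.bit_length(), "vs", N_SLID.bit_length())
    print("slid key passes fingerprint+size check:",
          matches_pinned(N_SLID, E_SLID, fpr, N_ORIG.bit_length()))
    print("length-prefixed digests equal:",
          length_prefixed_digest(N_ORIG, E_ORIG)
          == length_prefixed_digest(N_SLID, E_SLID))
```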