SHA3 IANA registration - method?

Andrey Jivsov openpgp at brainhub.org
Mon Dec 17 21:22:11 CET 2012


On 12/17/2012 06:23 AM, Daniel Kahn Gillmor wrote:
> On 12/17/2012 02:28 AM, Andrey Jivsov wrote:
>> Now my denial of the signature looks convincing: the fingerprint is
>> correct and is exactly the one that was on my page at the alleged time
>> of signing, but the signature doesn't verify. I hire 3d party experts to
>> record the current state of things and will rely on their statement for
>> the repudiation.
>>
>> ( Of course the accuser forgot to cache my old key. )
>
> I'm unconvinced of this as a realistic threat.  For one thing, all
> OpenPGP implementations i've seen cache keys by default.

The products that work as mail gateways can work with millions of user 
keys. These discovered keys are not cached indefinitely (I know one such 
product).

This is different from end-user products/usage model.

>
> For another thing, if all the stars are aligned as you suggest, then all
> i need to do to repudiate it is simply remove the key in the first
> place.  No key, no verification.
>
> So if we are to consider this a vulnerability, i don't think it is a
> problem that is solved by a more-collision-resistant fingerprint.
>

If we can count on removing the keys, the collision resistance has no 
opportunity to play out. Here we are discussing the issue from the 
somewhat academic point of view. The question is what additional 
problems creep in when fingerprints are not collision resistant.

I don't think one has a convincing story in front of the court saying 
that he lost the key pair.

> So i'm still left with the sense that OpenPGP's key fingerprint
> mechanism is reliant on resistance to a pre-image attack, and is *not*
> concerned with its collision resistance.

Without special wording anywhere about weaknesses of fingerprints, 
OpenPGP fingerprints can be used in protocols that depend on collision 
resistance, as well as in protocols that don't.
