Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-11 Thread John Clizbe
Stefan Tomanek wrote:
> John Clizbe (jpcli...@gingerbear.net) wrote:
>> 2012-10-27: Fixes for machine-readable indices.
>> 
>> Key expiration times are now read from self-signatures on the key's UIDs. 
>> (KF)
>> In addition, instead of 8-digit key IDs, index entries now return the most
>> specific key ID possible: 16-digit key ID for V3 keys, and the
> ~~~
>> full fingerprint for V4 keys. (JPC)
>> 
> 
> IMO having a dedicated entry with the fingerprint is a nice thing to have,
> that's why I am about to patch gnupg and enigmail to display this information
> when searching for keys. It's nice to see that sks uses the longest key id
> possible (so I could remove half of my patch), but I still consider an optional
> and explicit entry useful. Standards can be expanded, and nothing changes until
> the client explicitly asks for a fingerprint (fingerprint=on).

OK, so this is only a benefit for V3 keys. V4 keys already give the
fingerprint as the key ID. To quote RFC4880:

  "V3 keys are deprecated. They contain three weaknesses. First, it is
  relatively easy to construct a V3 key that has the same Key ID as any other
  key because the Key ID is simply the low 64 bits of the public modulus.
  Secondly, because the fingerprint of a V3 key hashes the key material, but
  not its length, there is an increased opportunity for fingerprint
  collisions.  Third, there are weaknesses in the MD5 hash algorithm that
  make developers prefer other algorithms. See below for a fuller discussion
  of Key IDs and fingerprints..."

The use of MD5 makes crafted key fingerprint collisions almost trivial. V3 key
ID collisions are already trivially constructed. While you may think it "is a
nice thing to have", you already get the fingerprint from SKS for the vast
majority of keys. The V3 keys your patch addresses have such basic problems
they should probably be abandoned. Adding an fpr line to mr indexes is just
redundant.


-- 
John P. Clizbe  Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"




___
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
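As an added example (not code from the thread, from SKS or from GnuPG), a small parser for the mr index output discussed above: it treats a 40-hex keyid field on the pub: line as the V4 fingerprint John refers to, consumes an fpr: line if a server emits one, and flags entries that share a long key ID without a fingerprint to tell them apart, which is the collision case Stefan's patch targets. The sample index is constructed; the field layout follows draft-shaw-openpgp-hkp-00 section 5.2.

```python
import urllib.parse
from collections import defaultdict
# Constructed sample of SKS machine-readable (options=mr) index output, not a real
# server response. Layout per draft-shaw-openpgp-hkp-00 section 5.2:
#   pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
#   uid:<escaped uid>:<creationdate>:<expirationdate>:<flags>
# SKS 1.1.4+ puts the 40-hex fingerprint in the keyid field for V4 keys but only
# the 16-hex long key ID for V3 keys; "fpr:" is the thread's proposed extra line.
SAMPLE_MR = """\
info:1:3
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:4096:1350000000::
uid:Alice Example <alice%40example.org>:1350000000::
pub:FEDCBA9876543210:1:1024:900000000::
uid:Legacy V3 Key <legacy%40example.org>:900000000::
pub:FEDCBA9876543210:1:1024:910000000::
uid:Colliding V3 Key <other%40example.org>:910000000::
fpr:00112233445566778899AABBCCDDEEFF
"""

def parse_mr_index(text):
    """Return one dict per pub: entry with its uids and any fingerprint known."""
    entries = []
    for line in text.splitlines():
        tag, *fields = line.split(":")  # uid strings are %-escaped, so ':' is safe
        if tag == "pub":
            keyid = fields[0].upper()
            entries.append({
                "keyid_field": keyid,
                "uids": [],
                # 40 hex digits = V4 fingerprint; shorter = bare key ID, no disambiguation
                "fingerprint": keyid if len(keyid) == 40 else None,
            })
        elif tag == "uid" and entries:
            entries[-1]["uids"].append(urllib.parse.unquote(fields[0]))
        elif tag == "fpr" and entries:
            entries[-1]["fingerprint"] = fields[0].upper()
    return entries

def long_keyid(entry):
    """Long (64-bit) key ID: the last 16 hex digits of the keyid field."""
    return entry["keyid_field"][-16:]

def find_ambiguous(entries):
    """Long key IDs shared by entries of which at least one has no fingerprint."""
    by_id = defaultdict(list)
    for e in entries:
        by_id[long_keyid(e)].append(e)
    return {k: g for k, g in by_id.items()
            if len(g) > 1 and any(e["fingerprint"] is None for e in g)}
```

A client that refuses to fetch any key listed in `find_ambiguous()` without an explicit fingerprint gets the safety the patch is after, regardless of whether the server emits fpr: lines.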


Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-11 Thread Christoph Anton Mitterer
On Tue, 2013-09-10 at 22:40 -0500, John Clizbe wrote: 
> 2) As Christoph has already pointed out, this breaks the draft we try to
> follow as our standard.
One should add though, that it's only a pseudo-standard... perhaps one
should pick up that work again and make a proper RFC out of it... one
that is easily extendible.


Cheers,
Chris.




Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-10 Thread Stefan Tomanek
John Clizbe (jpcli...@gingerbear.net) wrote:

> 1) It doesn't appear you checked the need for this patch against the current
> trunk source, changelog, commit history, or any server running 1.1.4+. What
> did you use as your source for SKS?

I did use the current trunk source. I however started using 1.1.4 sources,
which did not have the feature you describe, however I still considered adding
the line after noticing that V3 keys (although not really common anymore) were
lacking any fingerprint.

> 2012-10-27: Fixes for machine-readable indices.
> 
> Key expiration times are now read from self-signatures on the key's UIDs. (KF)
> In addition, instead of 8-digit key IDs, index entries now return the most
> specific key ID possible: 16-digit key ID for V3 keys, and the
~~~
> full fingerprint for V4 keys. (JPC)
> 

IMO having a dedicated entry with the fingerprint is a nice thing to have,
that's why I am about to patch gnupg and enigmail to display this information
when searching for keys. It's nice to see that sks uses the longest key id
possible (so I could remove half of my patch), but I still consider an optional
and explicit entry useful. Standards can be expanded, and nothing changes until
the client explicitly asks for a fingerprint (fingerprint=on).



Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-10 Thread John Clizbe
Stefan Tomanek wrote:
> With this change, an additional line is appended to each search result when
> using the machine readable output. This line is prefixed with "fpr:" and
> contains the fingerprint of the key returned, making it possible to distinguish
> keys from each other before downloading them - even if a key id collision has
> occurred.
> 
> Signed-off-by: Stefan Tomanek 
> ---

A few questions:

1) It doesn't appear you checked the need for this patch against the current
trunk source, changelog, commit history, or any server running 1.1.4+. What
did you use as your source for SKS?

2) As Christoph has already pointed out, this breaks the draft we try to
follow as our standard. What benefit does this change give? Especially when
you consider...

3) Why do you need a SECOND fingerprint on a separate line? The one on the
pub: line isn't sufficient?

http://keyserver.gingerbear.net:11371/pks/lookup?search=Stefan+Tomanek&op=index&options=mr

https://bitbucket.org/skskeyserver/sks-keyserver/commits/f187022f7583c56216ca5871c56b0639ad837481
2012-10-27: Fixes for machine-readable indices.

Key expiration times are now read from self-signatures on the key's UIDs. (KF)
In addition, instead of 8-digit key IDs, index entries now return the most
specific key ID possible: 16-digit key ID for V3 keys, and the
full fingerprint for V4 keys. (JPC)




Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-10 Thread Christoph Anton Mitterer
On Wed, 2013-09-11 at 02:13 +0200, Stefan Tomanek wrote: 
> Just to be on the safe side, what about making the
> fpr line depend on the "fingerprint" parameter?
I think that sounds generally reasonable... not only for being on the
"safe side"... and I guess you're right and no client should fail.


Cheers,
Chris.




Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-10 Thread Christoph Anton Mitterer
On Tue, 2013-09-10 at 23:29 +0200, Stefan Tomanek wrote: 
> With this change, an additional line is appended to each search result when
> using the machine readable output. This line is prefixed with "fpr:" and
> contains the fingerprint of the key returned, making it possible to distinguish
> keys from each other before downloading them - even if a key id collision has
> occurred.

May it cause any problems as this "breaks" the pseudo-standard:
http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5.2

?

Cheers,
Chris.




Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-10 Thread Stefan Tomanek
Christoph Anton Mitterer (cales...@scientia.net) wrote:

> On Tue, 2013-09-10 at 23:29 +0200, Stefan Tomanek wrote: 
> > With this change, an additional line is appended to each search result when
> > using the machine readable output. This line is prefixed with "fpr:" and
> > contains the fingerprint of the key returned, making it possible to distinguish
> > keys from each other before downloading them - even if a key id collision has
> > occurred.
> 
> May it cause any problems as this "breaks" the pseudo-standard:
> http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#section-5.2

I'm not sure, although I did not encounter any issues with gnupg (even the
unpatched one) and enigmail; just to be on the safe side, what about making the
fpr line depend on the "fingerprint" parameter? Currently, "fingerprint=on" is
only used for human readable output, so extending it to "mr" should not break
any clients.




Re: [Sks-devel] [PATCH] add fingerprint line to machine readable output

2013-09-10 Thread Stefan Tomanek
> With this change, an additional line is appended to each search result when
> using the machine readable output. This line is prefixed with "fpr:" and
> contains the fingerprint of the key returned, making it possible to distinguish
> keys from each other before downloading them - even if a key id collision has
> occurred.

I've created a quick patch to gnupg here, so if you like to play around with this
change, feel free to give it a try:

https://github.com/wertarbyte/gnupg/commit/keyserver_fpr

