[messaging] Keybase Proofs

Tim Bray tbray at textuality.com
Wed Nov 19 08:15:52 PST 2014

This actually raises an interesting larger point.  My implementation of
Keybase proof verification is based on BouncyCastle (and I was pleased by
the zero interop friction, since I bet basically none of the keys or proofs
were constructed with that software).

I’m not a cryptographer, I just looked at the API and followed the
instructions.  I think that’s what the community of experts would like
non-expert implementors to do.   I have to confess I have no idea whether
or not BouncyCastle is doing what David Leon Gil calls “checking any of the
RSA cryptosystem's validity conditions”.  Should non-expert implementors
like me worry?

On Wed, Nov 19, 2014 at 6:19 AM, Maxwell Krohn <themax at gmail.com> wrote:

> > On Nov 19, 2014, at 1:47 AM, Tim Bray <tbray at textuality.com> wrote:
> >
> > Are there any threads other than the one starting at
> > http://www.metzdowd.com/pipermail/cryptography/2014-September/022754.html ?
> >
> > The conclusion there, via David Leon Gil, is instructive:
> > http://www.metzdowd.com/pipermail/cryptography/2014-September/022758.html
> >
> Exactly, we put more checks into our PGP implementation as a result of
> this discussion:
> https://github.com/keybase/kbpgp/commit/ef9f264c5d4bd6e908d8da26c84863dffa19a662
>
> Presumably PGP (which our CLI shells out to) had some of those checks all
> along (taking David's word on this, though I can't find them looking
> through the source code).
>
> In that previous discussion, we weren't assuming the worst of SHA-1, but
> such an assumption seems reasonable going forward. The OpenPGP folks
> should assume the same, and transition to a SHA-2 (or -3) based key
> fingerprint. In addition to the issues I mentioned previously, if SHA-1
> is broken, I'm sure we'll find many implementation flaws in GnuPG, which
> uses SHA-1 key fingerprints internally to check for key equality.
>
> I disagree with Tony, I don't see a compelling argument here that the
> Keybase design is "conceptually flawed," especially if including SHA-2
> or SHA-3 key fingerprints in our proofs can defeat the proposed attack.

- Tim Bray (If you’d like to send me a private message, see
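Tim's question about "the RSA cryptosystem's validity conditions" and Maxwell's point about SHA-1 key fingerprints both come down to arithmetic a non-expert implementor can write and test directly. The following is an added example, not code from this thread, from BouncyCastle or from kbpgp: it runs structural sanity checks on an RSA public key (the thresholds and the list of checks are this example's own assumptions, not the set the linked kbpgp commit adds), then computes the RFC 4880 version-4 fingerprint over a constructed public-key packet and a SHA-256 digest over the same bytes, the kind of stronger fingerprint the reply suggests carrying alongside the SHA-1 one. The sample modulus is the product of two Mersenne primes, constructed here so the positive case is a genuine semiprime without needing a key generator; no real key from the thread is used.

```python
import hashlib
import math
from typing import List

# Constructed sample key (not from Keybase or any real keyring): the modulus
# is the product of the Mersenne primes 2^1279-1 and 2^2203-1, so the
# positive case is a real semiprime without running a key generator.
SAMPLE_N = (2**1279 - 1) * (2**2203 - 1)
SAMPLE_E = 65537
SAMPLE_CREATED = 1416412552  # constructed creation timestamp (seconds)

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def rsa_public_key_problems(n: int, e: int, min_bits: int = 2048) -> List[str]:
    """Return a list of sanity-check failures for an RSA public key (n, e).

    Only the public half is available to a verifier, so these are checks on
    n and e alone. Assumption: the threshold and the particular list of
    checks are this example's own, not BouncyCastle's or kbpgp's.
    """
    if n < 2:
        return ["modulus must be >= 2"]
    problems = []
    if n.bit_length() < min_bits:
        problems.append(f"modulus too small: {n.bit_length()} bits < {min_bits}")
    if n % 2 == 0:
        problems.append("modulus is even")
    if e < 3:
        problems.append(f"public exponent {e} < 3 (e=1 makes exponentiation the identity)")
    if e % 2 == 0:
        problems.append("public exponent is even (gcd(e, phi(n)) cannot be 1)")
    if e >= n:
        problems.append("public exponent not smaller than modulus")
    r = math.isqrt(n)
    if r * r == n:
        problems.append("modulus is a perfect square (p == q)")
    for p in SMALL_PRIMES:
        if n % p == 0:
            problems.append(f"modulus divisible by small prime {p}")
            break
    if math.gcd(e, n) != 1:
        problems.append("gcd(e, n) != 1")
    return problems


def _mpi(x: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    nbytes = (x.bit_length() + 7) // 8
    return x.bit_length().to_bytes(2, "big") + x.to_bytes(nbytes, "big")


def v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of an RFC 4880 version-4 RSA public-key packet (algorithm id 1)."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)


def _fingerprint_input(body: bytes) -> bytes:
    """RFC 4880 12.2: hash 0x99, the two-byte body length, then the body."""
    return b"\x99" + len(body).to_bytes(2, "big") + body


def v4_fingerprint(body: bytes) -> str:
    """The standard OpenPGP v4 fingerprint: SHA-1 over the packet material."""
    return hashlib.sha1(_fingerprint_input(body)).hexdigest()


def sha256_fingerprint(body: bytes) -> str:
    """SHA-256 over exactly the same material. Assumption: this framing is the
    example's own, not a Keybase or OpenPGP wire format."""
    return hashlib.sha256(_fingerprint_input(body)).hexdigest()


if __name__ == "__main__":
    problems = rsa_public_key_problems(SAMPLE_N, SAMPLE_E)
    print("sample key problems:", problems or "none")
    print("e=1 problems:", rsa_public_key_problems(SAMPLE_N, 1))
    body = v4_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    print("v4 (SHA-1) fingerprint:", v4_fingerprint(body))
    print("SHA-256 fingerprint:   ", sha256_fingerprint(body))
```

The perfect-square and small-prime checks are the cheap ones a verifier can afford on every key; the e < 3 and even-e checks are the ones that turn an otherwise well-formed key into a signature that verifies for anything, which is why a proof verifier should refuse such keys before checking the proof signature at all.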