[messaging] Keybase Proofs
Tim Bray
tbray at textuality.com
Wed Nov 19 08:15:52 PST 2014
This actually raises an interesting larger point. My implementation of
Keybase proof verification is based on BouncyCastle (and I was pleased by
the zero interop friction, since I bet basically none of the keys or proofs
were constructed with that software).
I’m not a cryptographer, I just looked at the API and followed the
instructions. I think that’s what the community of experts would like
non-expert implementors to do. I have to confess I have no idea whether
or not BouncyCastle is doing what David Leon Gil calls “checking any of the
RSA cryptosystem's validity conditions”. Should non-expert implementors
like me worry?
On Wed, Nov 19, 2014 at 6:19 AM, Maxwell Krohn <themax at gmail.com> wrote:
>
> > On Nov 19, 2014, at 1:47 AM, Tim Bray <tbray at textuality.com> wrote:
> >
> > Are there any threads other than the one starting at
> http://www.metzdowd.com/pipermail/cryptography/2014-September/022754.html
> ?
> >
> > The conclusion there, via David Leon Gil, is instructive:
> http://www.metzdowd.com/pipermail/cryptography/2014-September/022758.html
> >
>
> Exactly, we put more checks into our PGP implementation as a result of
> this discussion:
>
> https://github.com/keybase/kbpgp/commit/ef9f264c5d4bd6e908d8da26c84863dffa19a662
>
> Presumably PGP (which our CLI shells out to), had some of those checks all
> along (taking David’s word on this
> though I can’t find them looking through the source code).
>
> In that previous discussion, we weren’t assuming the worst of SHA-1, but
> such an assumption
> seems reasonable going forward. The OpenPGP folks should assume the same,
> and transition to
> a SHA-2 (or -3) based key fingerprint. In addition to the issues I
> mentioned previously, if SHA-1 is broken,
> I’m sure we’ll find many implementation flaws in GnuPG, which uses SHA-1
> key fingerprints internally to check for
> key equality.
>
> I disagree with Tony, I don’t see a compelling argument here that the
> Keybase design is “conceptually flawed,”
> especially if including SHA-2 or SHA-3 key fingerprints in our proofs can
> defeat the proposed attack.
>
>
>
--
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141119/e8437951/attachment.html>
More information about the Messaging
mailing list