[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Feb 11 06:11:47 PST 2015


On Wed 2015-02-11 01:33:40 -0500, Trevor Perrin wrote:
> I'm not sure PGP signatures contain the public key or a full hash by
> default - so you may be right that signing by itself is insufficient
> (signatures don't necessarily "bind" the public key - see
> "duplicate-signature key selection" [2]).

OpenPGP signatures currently don't contain the full public key or even a
full fingerprint.  What's present is the 64-bit "long keyid", which i
don't think is sufficient (David Leon Gil has already demonstrated
manufactured collisions in the short keyid space, and i doubt a
pre-image against some key in the strong set is out of reach for a
well-resourced researcher).

It is a trivial extension to include the full fingerprint, though, and
i've been doing it for years with a minor change to gpg.conf, which
anyone can add:

  sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g

The name of the notation is
"issuer-fpr@notations.openpgp.fifthhorseman.net" (i selected this from
my own namespace, but i encourage everyone to use the same string
instead of inventing their own; if this is useful, it would probably not
be hard to make this a global notation called just "issuer" via tedious
IETF process) and the content is the full fingerprint.

> Per Mike's suggestion I tried this with S/MIME:
>  - Got an S/MIME cert, the enrollment was easy with OSX Chrome *but*
> only free for personal use, the cert expires in a year, and the cert
> could be revoked anytime.
>  - Thunderbird couldn't see the cert (doesn't integrate with OSX
> keystore), but OSX Mail started signing my messages and picked up
> Mike's key from his message (it's too transparent, though - I can't
> tell what's encrypted or view fingerprints).  Plaintext drafts of the
> messages I'm writing get sync'd through IMAP, which is bad.
>  - Exporting my certificate from OSX keychain, then importing into
> Thunderbird, was a minor hassle but got encryption/decryption working.
> Though my Thunderbird won't sign for some reason.
>  - Mike had one failure-to-encrypt (sent plaintext) in a conversation
> of a few messages, which he blamed on some "smart card stick" he had
> plugged in overriding his regular cert.
>
> Quoting Mike, this feels like "bugs and interop problems nobody ever
> fixes because it’s just not a widely used feature. And partly it
> doesn’t become widely used because there are lots of rough edges".
>
> But it sort of worked - it would be nice to see more analysis and testing.

Are you using the same key for signing as for encryption with this
setup, or does your S/MIME cert somehow have a separate signing key from
an encryption key?

        --dkg
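
The key-selection point made above, as an added example (not code from the original message or from GnuPG): a minimal RFC 4880 subpacket walker that compares what the 64-bit Issuer key ID alone pins down with what a hashed issuer-fpr notation pins down. The fingerprints and subpacket bytes are constructed sample data and the function names are hypothetical; a match only selects a key, and the signature must still verify under it.

```python
# Notation name taken from the gpg.conf line in the message above.
NOTATION = b"issuer-fpr@notations.openpgp.fifthhorseman.net"

def subpackets(area):
    """Yield (type, body) for each subpacket in an RFC 4880 subpacket area."""
    i = 0
    while i < len(area):
        length = area[i]
        hdr = 1 if length < 192 else 2 if length < 255 else 5
        if i + hdr > len(area):
            raise ValueError("truncated subpacket length")
        if hdr == 2:
            length = ((length - 192) << 8) + area[i + 1] + 192
        elif hdr == 5:
            length = int.from_bytes(area[i + 1:i + 5], "big")
        i += hdr
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def candidates_for(hashed, unhashed, keyring):
    """Return the keyring fingerprints that the signature's issuer data names."""
    keyid = fpr = None
    for area, signed in ((hashed, True), (unhashed, False)):
        for typ, body in subpackets(area):
            if typ == 16 and len(body) == 8:        # Issuer: 64-bit key ID
                keyid = body.hex().upper()
            elif typ == 20 and signed and len(body) >= 8:   # Notation Data
                nlen, vlen = (int.from_bytes(body[o:o + 2], "big") for o in (4, 6))
                if body[8:8 + nlen] == NOTATION:    # honoured only when hashed
                    fpr = body[8 + nlen:8 + nlen + vlen].decode("ascii", "replace").upper()
    if fpr is not None:
        if keyid and not fpr.endswith(keyid):
            return []                               # notation and key ID disagree
        return [k for k in keyring if k == fpr]
    return [k for k in keyring if keyid and k.endswith(keyid)]

# Constructed sample data (not real keys): two fingerprints sharing one key ID.
FPR_A = "A" * 24 + "0123456789ABCDEF"
FPR_B = "B" * 24 + "0123456789ABCDEF"
def make_subpacket(typ, body):   # one-octet length form, enough for the sample
    return bytes([len(body) + 1, typ]) + body
def make_notation(fpr):          # human-readable notation carrying fpr
    head = b"\x80\0\0\0" + len(NOTATION).to_bytes(2, "big") + len(fpr).to_bytes(2, "big")
    return make_subpacket(20, head + NOTATION + fpr.encode())

ISSUER = make_subpacket(16, bytes.fromhex(FPR_B[-16:]))
NOTE_B = make_notation(FPR_B)
```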

