This actually raises an interesting larger point. My implementation of Keybase proof verification is based on BouncyCastle (and I was pleased by the zero interop friction, since I bet basically none of the keys or proofs were constructed with that software).
I’m not a cryptographer, I just looked at the API and followed the instructions. I think that’s what the community of experts would like non-expert implementors to do. I have to confess I have no idea whether or not BouncyCastle is doing what David Leon Gil calls “checking any of the RSA cryptosystem's validity conditions”. Should non-expert implementors like me worry?

On Wed, Nov 19, 2014 at 6:19 AM, Maxwell Krohn <[email protected]> wrote:

> > On Nov 19, 2014, at 1:47 AM, Tim Bray <[email protected]> wrote:
> >
> > Are there any threads other than the one starting at
> > http://www.metzdowd.com/pipermail/cryptography/2014-September/022754.html ?
> >
> > The conclusion there, via David Leon Gil, is instructive:
> > http://www.metzdowd.com/pipermail/cryptography/2014-September/022758.html
>
> Exactly, we put more checks into our PGP implementation as a result of this discussion:
>
> https://github.com/keybase/kbpgp/commit/ef9f264c5d4bd6e908d8da26c84863dffa19a662
>
> Presumably PGP (which our CLI shells out to) had some of those checks all along (taking David’s word on this, though I can’t find them looking through the source code).
>
> In that previous discussion, we weren’t assuming the worst of SHA-1, but such an assumption seems reasonable going forward. The OpenPGP folks should assume the same, and transition to a SHA-2 (or -3) based key fingerprint. In addition to the issues I mentioned previously, if SHA-1 is broken, I’m sure we’ll find many implementation flaws in GnuPG, which uses SHA-1 key fingerprints internally to check for key equality.
>
> I disagree with Tony, I don’t see a compelling argument here that the Keybase design is “conceptually flawed,” especially if including SHA-2 or SHA-3 key fingerprints in our proofs can defeat the proposed attack.

-- 
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
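A worked illustration of the two mechanisms the thread is about: the OpenPGP v4 key fingerprint, which RFC 4880 defines as SHA-1 over the public-key packet, computed beside a SHA-256 variant of the same construction, plus a small set of RSA public-key sanity checks of the kind the thread alludes to. This is added example code, not code from the list, from kbpgp or from BouncyCastle; the key values, creation time and the particular check set are constructed assumptions and are not the checks in the linked commit.

```python
import hashlib
import hmac


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes, algo: str = "sha1") -> str:
    """v4 fingerprint: hash over 0x99, the 2-octet body length and the body.
    'sha1' is what RFC 4880 specifies; 'sha256' gives the SHA-2 variant argued for above."""
    h = hashlib.new(algo)
    h.update(b"\x99" + len(body).to_bytes(2, "big") + body)
    return h.hexdigest()


def rsa_public_key_problems(n: int, e: int, min_bits: int = 2048) -> list:
    """Cheap sanity checks on an RSA public key before trusting a signature made with it.
    Illustrative subset only (an assumption of this example), not the thread's full list."""
    problems = []
    if n.bit_length() < min_bits:
        problems.append(f"modulus is only {n.bit_length()} bits")
    if n % 2 == 0:
        problems.append("modulus is even")
    if e < 3 or e % 2 == 0:
        problems.append("public exponent must be odd and greater than 1")
    if e >= n:
        problems.append("public exponent is not smaller than the modulus")
    return problems


def same_key(body_a: bytes, body_b: bytes) -> bool:
    """Key equality over the full key material rather than a fingerprint, so a
    fingerprint collision cannot make two different keys compare equal."""
    return hmac.compare_digest(body_a, body_b)


# Constructed sample values: N is an arbitrary odd 2048-bit number, not a real RSA modulus.
N = (1 << 2047) + 12345
E = 65537
BODY = rsa_public_key_body(1416400000, N, E)
```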
