Re: Problems with v4 key packet format

On Wed, Sep 21, 2005 at 01:28:27PM +0100, Ben Laurie wrote:

> I don't understand this attack.

It's the well-known Klima-Rosa attack. It has been discussed earlier on
this list.

> >2. No explicit count of MPIs constituting the key material (both public and
> >private).
> >
> >This information can only be inferred from the algorithm specifier, meaning
> >that any implementation that wants to perform key management must have some
> >rudimentary knowledge about all public key algorithms. This, in turn,
> >hampers forward-compatibility.
> This appears to me to be incorrect - an implementation that didn't know 
> the algorithm could still deduce the number of MPIs by parsing the 
> packet until it is exhausted.

Except for private key packets.

> This would mean introducing a requirement 
> that all public key parameters were MPIs, of course.

That, too.

> >3. Key fingerprint depends on data unrelated to the actual key (namely:
> >creation date).
> >
> >This prevents solutions when signature keys are generated on the fly (e.g.
> >directly from a passphrase), as the key creation (or, in this case, key
> >registration) date is not available at the time of signing, thus making it
> >impossible to put an unambiguous reference to the public key into the
> >signature.
> Not impossible, but I'll agree, crufty. One could use a fixed creation date.

That's a horrible cruft breaking all sorts of things (validity period, etc.).

I like Dave's suggestion about adding optional subpackets, similar to those
in signatures.
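To make points 2 and 3 of the thread concrete (counting MPIs by parsing a public key packet until it is exhausted, and the v4 fingerprint covering the creation time), here is an added illustration that is not part of the original messages. It follows the RFC 4880 v4 public key packet layout and fingerprint construction; the key values are constructed toy numbers, not a real key.

```python
import hashlib
import struct
from typing import List

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(creation_time: int, algo: int, mpis: List[int]) -> bytes:
    """Build a v4 public key packet body: version, creation time, algorithm id, MPIs."""
    head = bytes([4]) + struct.pack(">I", creation_time) + bytes([algo])
    return head + b"".join(mpi(m) for m in mpis)

def parse_mpis(data: bytes) -> List[int]:
    """Walk MPIs until the buffer is exhausted, with no knowledge of the algorithm.
    This works only when everything after the algorithm octet is MPIs, as in a
    public key packet; a private key packet carries encrypted material and a
    checksum after the public MPIs, so the count cannot be inferred this way."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated MPI header")
        bits = struct.unpack(">H", data[pos:pos + 2])[0]
        n = (bits + 7) // 8
        pos += 2
        if pos + n > len(data):
            raise ValueError("truncated MPI body")
        out.append(int.from_bytes(data[pos:pos + n], "big"))
        pos += n
    return out

def count_mpis(body: bytes) -> int:
    """Number of MPIs in a public key packet body (skips version, time, algorithm)."""
    return len(parse_mpis(body[6:]))

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, two-octet body length, body.
    Because the body includes the creation time, the same key material with a
    different creation date yields a different fingerprint."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

if __name__ == "__main__":
    # Constructed toy RSA-style parameters (algorithm 1), not a real key.
    n, e = 2 ** 1023 + 12345, 65537
    body_a = v4_public_key_body(0, 1, [n, e])
    body_b = v4_public_key_body(1, 1, [n, e])
    print(count_mpis(body_a), v4_fingerprint(body_a) == v4_fingerprint(body_b))
```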