un-trusting MD5 in gpg
wk at gnupg.org
Wed May 6 15:38:06 CEST 2009
On Tue, 5 May 2009 20:50, dkg at fifthhorseman.net said:
> --trust-digest-algo name
> --no-trust-digest-algo name
> Trust (or not) signatures made over a digest algorithm of *name*.
> Untrusted digests can still be computed in other contexts, but
> certifications and data signatures made over untrusted digests
> will be considered invalid. By default, all implemented digest
> algorithms are trusted.
This mixes trust with an algorithm, something we never did. With the
same reasoning we could say: Don't trust a key with less than 1536 bits.
The point here is that we can't take a decision for the signer - he
might have valid reasons to use certain parameters which reflects the
needs to fulfill a ertain goal.
An option --disable-digest-algo better reflects what you want to do: I
don't want to check signatures made using algorithm MD5. It is not a
matter of trust but a decision by you and only you. This is similar to
my procmailrc which sends all mails with HTML in it to the bit bucket:
it is my decisions, that I don't want to see such mails. It does not
mean that I don't trust the sender; he might have very good reasons to
send HTML mail but for technical reasons I reject them.
We need to see whether we can use this option name without getting into
problems with gpg2. I don't know right now. Another name might be
something along the words --ignore-signatures-with.
> And last: is there any reason to add an additional error value to cover
> these semantics (e.g. G10_ERR_INSECURE_DIGEST_ALGO), or is
> G10_ERR_DIGEST_ALGO sufficient?
I can imagin adding a few new error codes; we already have:
43 GPG_ERR_WEAK_KEY Weak encryption key
and new ones like:
may be useful for further processing; not necessary to be dispalyed to a
user but may be displayed as well in cases you describe.
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
More information about the Gnupg-devel