Use other hash than SHA-1
Christoph Anton Mitterer
christoph.anton.mitterer at physik.uni-muenchen.de
Fri May 8 01:17:33 CEST 2009
On Tue, 2009-05-05 at 22:16 -0400, David Shaw wrote:
> > I'm not sure if this leads to the same discussion that we had some
> > time
> > ago on the WG-list (about explicitly revoking previous self-sigs),...
> > but if a key has self-sigs with different hash-algos,... does this
> > "allow" downgrad-attacks or that like?
>
> It depends on the attack. What is the attack you are concerned about?
Nothing specific,... it was my question, whether there could be any
attacks,.. using the fact, that an older self-sig with "weaker" hash
algo is available.
> > Even when they see, that the self-sig with the "better" algo, has a
> > newer creation date?
> > Would consider this critical :/
>
> They mustn't do this. They can't, really. It would enable a pretty
> trivial DoS if I could make up a bogus self-sig with some hash number
> that isn't even allocated yet, but a later date, and send it to a
> keyserver to be attached to my victim key. GPG must treat any
> signature that does not verify as irrelevant.
Oops,.. of course you're right,.. but then it's possible,... that e.g.
the newer self-sig (with the newer hash algo) contains e.g. a key
revocation, or something else security relevant (e.g. important new
policy).
As the older signature is not revoked,.. and the newer is not understood
(thus ignored),... this could lead to problems, or am I wrong?
Cheers,
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3387 bytes
Desc: not available
URL: </pipermail/attachments/20090508/6a0acec4/attachment.bin>
More information about the Gnupg-users
mailing list