force-v4-certs and digest-algo
David Shaw
dshaw@jabberwocky.com
Fri May 10 06:23:01 2002
On Thu, May 09, 2002 at 09:46:18PM -0500, Robert J. Hansen wrote:
> Unless the spec lists it as a MUST or a SHOULD, I honestly don't think
> GnuPG should generate it. Be liberal in what you accept, but very
> conservative in what you generate. (I know that Len says RIPEMD-160
> isn't a SHOULD, and I have no reason to doubt him. However, I haven't
> checked RFC2440/2015/3156 myself yet, so I'll hedge it with an
> `unless'.)
He's right. SHA1 is the only MUST hash, and MD5 is the only SHOULD.
Still, the spec is not the beginning and the end of GnuPG. GnuPG
certainly does things that are contrary to the spec (and documents
them carefully and gives the user the ability to turn them off). For
example, when generating a clear signature, by default a line
beginning with "From " is escaped, probably in violation of a strict
reading of RFC2440. The reason it does this is that clearsigned
documents are often emailed and otherwise the mail system would
probably break the signature when it changed "From " to ">From ". PGP
does the same thing.
Another good example is the v3 sigs problem. Most versions of PGP
don't handle v4 sigs on data, but the RFC says they are a SHOULD. If
GnuPG blindly followed the SHOULD it would make itself incompatible
with PGP.
The --openpgp flag in GnuPG turns all of this off and makes it use a
rigid following of RFC2440. If you use that flag though, you'll have
problems communicating with the rest of the world.
> > There is no reason that DSA couldn't use any other 160 bit hash. Nevertheless,
>
> Sure there is. If DSA used any other 160-bit hash, it wouldn't be DSA
> anymore because the DSA spec demands SHA. Insofar as whether or not the
> DSA spec could be changed to accept RIPEMD-160, and whether or not the
> resulting system would still be secure... who knows?
Not quite correct. The DSA algorithm can use any 160-bit hash. The
DSS spec is DSA+SHA1 (plus some other details that don't matter here).
OpenPGP does not specify DSS signatures - it specifies DSA and can
thus use any 160-bit hash.
I agree with Len in general on being very careful with adding new
algorithms to OpenPGP, and in turn to GnuPG. However, in the specific
case of RIPEMD-160, it's already part of the standard and both PGP and
GnuPG already support it. There is no question on whether to add it -
it's already added. There is also no evidence that it is not just as
secure as SHA1 is.
I don't see any particular reason for someone to not use RIPEMD-160
for data signatures - if there is a compatibility problem they're only
hurting themselves. I do wish people would not use it for key
signatures, as a compatibility problem there affects the web of trust.
David
--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson
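The "From " escaping described in the message above, as an added example (not part of the original post, and not GnuPG or PGP code): a small Python model of RFC 2440 section 7.1 dash-escaping, once with the extra "From " escape GnuPG and PGP apply by default and once in the strict-RFC form, each pushed through a simulated mbox rewrite. The sample message and the `mbox_rewrite` rule are constructed for the example; option names and armor headers are deliberately left out.

```python
"""
Model of RFC 2440 section 7.1 dash-escaping for cleartext signatures, plus the
"From " escape the message above describes, run through a simulated mbox
rewrite to show what the escape protects against.  Added example, not GnuPG code.
"""
import hashlib

ESCAPE = "- "


def canonical_digest(text, hash_name="sha1"):
    """Hash the cleartext the way a verifier does: trailing spaces and tabs
    removed from every line, <CR><LF> line endings (RFC 2440 section 7.1)."""
    canon = "\r\n".join(line.rstrip(" \t") for line in text.split("\n"))
    return hashlib.new(hash_name, canon.encode()).hexdigest()


def dash_escape(text, escape_from_lines=True):
    """Prefix '- ' to every line starting with '-' (required by RFC 2440) and,
    unless disabled as --openpgp does, to every line starting with 'From '."""
    out = []
    for line in text.split("\n"):
        if line.startswith("-") or (escape_from_lines and line.startswith("From ")):
            line = ESCAPE + line
        out.append(line)
    return "\n".join(out)


def dash_unescape(text):
    """Verifier side: strip one leading '- ' from any line that carries it."""
    return "\n".join(line[len(ESCAPE):] if line.startswith(ESCAPE) else line
                     for line in text.split("\n"))


def mbox_rewrite(text):
    """Constructed stand-in for the mail system: mbox-style storage rewrites
    a line starting with 'From ' to '>From '."""
    return "\n".join(">" + line if line.startswith("From ") else line
                     for line in text.split("\n"))


def survives_transport(cleartext, escape_from_lines):
    """Hash the cleartext (what the signature covers), escape it, push it
    through the mbox rewrite, unescape as a verifier would, and report
    whether the hash still matches."""
    signed_hash = canonical_digest(cleartext)
    on_the_wire = dash_escape(cleartext, escape_from_lines)
    received = mbox_rewrite(on_the_wire)
    return canonical_digest(dash_unescape(received)) == signed_hash


# Constructed sample: a quoted mbox "From " line plus a "-- " sig separator.
MESSAGE = ("Here is the line that bit me:\n"
           "From dshaw Fri May 10 06:23:01 2002\n"
           "-- \n"
           "David")

if __name__ == "__main__":
    print("From-escaped :", survives_transport(MESSAGE, escape_from_lines=True))
    print("strict RFC   :", survives_transport(MESSAGE, escape_from_lines=False))
```

With the "From " escape the line travels as "- From dshaw ...", the mbox rewrite leaves it alone, and the verifier's unescape restores the exact bytes that were hashed; in strict mode the same line arrives as ">From dshaw ..." and the signature no longer matches. Note that the escape only changes the armored text, not the hashed cleartext, which is why a verifier that does not know about the "From " rule still verifies the signature correctly.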
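To make the DSA-versus-DSS distinction in the message concrete, here is an added example (not from the original post, and not GnuPG or PGP code): a toy DSA in pure Python in which the hash is a parameter. The digest enters the algorithm in exactly one place, the conversion to the integer z, so SHA-1 and RIPEMD-160 are interchangeable as far as the arithmetic is concerned, while a 256-bit digest is rejected because it does not fit q. The parameter sizes (512-bit p, 160-bit q), the sample message and the helper names are chosen for this example; `hash_available` exists only because some OpenSSL builds keep RIPEMD-160 in a legacy provider that Python's hashlib cannot see.

```python
"""
Toy DSA written against an interchangeable 160-bit hash.  Added example for
the "DSA can use any 160-bit hash" point above; toy sizes (L=512, N=160) so it
runs in about a second.  Not for production: no constant-time arithmetic and a
random per-signature k rather than a deterministic one.
"""
import hashlib
import secrets

HASH_BITS = 160  # N: the digest must be the same size as q


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test with a small-prime prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(L=512, N=HASH_BITS):
    """(p, q, g): q an N-bit prime, p = k*q + 1 an L-bit prime, g of order q."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        k = (secrets.randbits(L - N) | (1 << (L - N - 1))) & ~1  # even k, odd p
        p = k * q + 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def generate_keypair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1   # private key
    return x, pow(g, x, p)             # (private, public)


def hash_to_int(hash_name, message):
    """The only point where the hash touches DSA.  DSS pins this to SHA-1;
    OpenPGP instead records the hash algorithm in the signature packet, so
    any 160-bit digest the verifier knows is acceptable here."""
    digest = hashlib.new(hash_name, message).digest()
    if len(digest) * 8 != HASH_BITS:
        raise ValueError(f"{hash_name} is not a {HASH_BITS}-bit hash")
    return int.from_bytes(digest, "big")


def sign(params, x, message, hash_name="sha1"):
    p, q, g = params
    z = hash_to_int(hash_name, message)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r != 0 and s != 0:
            return r, s


def verify(params, y, message, signature, hash_name="sha1"):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    z = hash_to_int(hash_name, message)
    w = pow(s, -1, q)
    v = (pow(g, (z * w) % q, p) * pow(y, (r * w) % q, p) % p) % q
    return v == r


def hash_available(hash_name):
    """False when this Python's OpenSSL hides the digest (RIPEMD-160 on some builds)."""
    try:
        hashlib.new(hash_name, b"")
        return True
    except ValueError:
        return False


def accepts_hash(hash_name):
    """True when the digest is available and fits q."""
    try:
        hash_to_int(hash_name, b"")
        return True
    except ValueError:
        return False


def roundtrip(hash_name, message=b"signed with an interchangeable hash"):
    """Fresh parameters and key; returns whether the real signature verifies
    and whether a one-byte tamper is caught, under the named hash."""
    params = generate_parameters()
    x, y = generate_keypair(params)
    sig = sign(params, x, message, hash_name)
    return {"valid": verify(params, y, message, sig, hash_name),
            "tampered": verify(params, y, message + b"!", sig, hash_name)}
```

Interchangeable arithmetic is a weaker statement than equal security: the example shows only that nothing in DSA depends on which 160-bit function produced z. The practical point the message makes still stands, that signer and verifier must agree on the hash, and in OpenPGP that agreement is carried by the hash-algorithm octet in the signature packet, so a RIPEMD-160 signature fails only on an implementation that never added the hash.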