1.3.6 cert signatures

David Shaw dshaw at jabberwocky.com
Sun Jul 25 06:01:06 CEST 2004


On Sat, Jul 24, 2004 at 02:20:44PM -0400, Atom 'Smasher' wrote:

> i suspect that within my lifetime, SHA-1 will be too weak to be taken
> seriously. with that possibility (or likelihood, depending on your
> paranoia) i think the standard should be thinking that far ahead,
> and require larger hashes to be recognized... or at least encourage
> their use, since there will obviously be ~some~ applications where
> it would be too much of a burden.

If you think about it, it almost doesn't matter whether SHA-1 lasts
forever or not.  Pure conservatism pretty much requires that there be
an alternative hash, just in case you are right.  The standard does
think that far ahead, and so includes SHA-256, 384, and 512 among
others.  384 is sort of pointless in the OpenPGP context, but 256 and
512 will be useful eventually.  Real world implementations and brand
new standards are always a little bit different, if only because the
real world takes time to get to where the standard is.  Put another
way, it's easier to write standards than it is to deploy code :)

> what's the point of having a 2048 (or larger) signing key, if that
> key is only signing a 160 bit hash? it seems that nothing is gained
> by the larger signing key. i don't think this helps, in the long
> term.

Long term is a different story.  Short term (months to a year) is the
concern here.  In any event, breaking a hash is not the same as
breaking a key, and each gives slightly different capabilities to the
attacker.

Incidentally, don't assume that because SHA-256 is larger than SHA-1
that it is stronger.  Remember the lesson of SHA-0.

> there are still people who use PGP-2, but that doesn't obligate me to use
> MD5 and IDEA. there will *always* be vintage/obsolete applications out
> there, but that shouldn't prevent (or discourage) someone from using
> what's available. (i often get mail from people and notice the "Version"
> header is from an old version of GnuPG... i let them know what's current,
> and i've almost always been thanked for pointing that out.)

Programs do not become obsolete overnight.  PGP 2.x is generally
considered obsolete, but that took *years* (and some people seem to
have missed the memo).  GnuPG doesn't even support generating SHA-256
signatures yet.  You are using a development build (or hacking 1.2.x)
to do it, so it's rather premature to claim that the actual released
version of GnuPG is now obsolete...

> i ~think~ i understand your challenge as a developer here... that the
> application must understand how something is used, and have a large enough
> base that can _understand_ that feature, before that feature can safely be
> "turned on".
>
> that said, at what point would you feel comfortable "turning on" SHA-256
> (or larger) cert hashes?

Not today.  Not tomorrow.  Next year?  I don't know.  I have not
rigorously tested interoperability with SHA-256 certification
signatures.  I have seen some anecdotal evidence, but nothing more.
It may just not work without harming much else, or it may fail in some
large and messy manner under certain conditions.  Not enough data yet.

To a certain extent, I guess I have cast my vote on the issue since
GnuPG 1.2.x cannot generate SHA-256 certification signatures and GnuPG
1.3.x can.

Even when 1.3.x becomes GnuPG 1.4, though, the default will remain
SHA-1.  People will need to explicitly set the digest to SHA-256 if
they want to.

> BTW 1) my 4096-RSA key has a DSA and elgamal subkey (with SHA-1 cert
> hashes) and RSA signing & encryption subkeys (with SHA-256 cert hashes).
> if someone's application chokes on the SHA-256 certs, they should still be
> able to use the older subkeys. i haven't yet heard from anyone having
> trouble with this.

What you describe sounds reasonable, but again, I haven't tested it.
To a non-SHA-256 implementation, it would probably appear like two
subkeys, one without a binding signature (and thus invalid) and one
with (and thus valid).

> BTW 2) i've been exchanging key signatures with people and signing their
> keys with SHA-256. again, no complaints.

I doubt most people even realize those signatures are not really
connecting them to the web of trust in the way they think.  Someday
they will connect, but I don't think SHA-256 has enough penetration
yet.

David
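As an added illustration of David's point about how a SHA-1-era implementation sees a key whose subkeys are bound with different digests (this is not code from the thread or from GnuPG): a small parser over a constructed, simplified `gpg --list-packets` listing that reports which subkeys keep a verifiable binding signature and which certifications such a reader cannot check. The sample listing, its key id, and the `legacy_view` helper are constructed assumptions; the hash algorithm ids and signature classes are those of RFC 4880.

```python
import re
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4).
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
LEGACY_HASHES = {1, 2, 3}                # what a SHA-1-era reader (PGP 2.x, GnuPG 1.2.x) can verify
CERT_CLASSES = {0x10, 0x11, 0x12, 0x13}  # certification (key-signing) signature classes
SUBKEY_BINDING = 0x18                    # subkey binding signature class
# Constructed, simplified `gpg --list-packets` output (not from a real key): the first
# subkey is bound with SHA-1, the second with SHA-256, the layout Atom describes above.
SAMPLE = """\
:public key packet:
:user ID packet: "Example User <user@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1090000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 11 22
:public sub key packet:
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1090000100, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 33 44
:public sub key packet:
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1090000200, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 55 66
"""

def parse_signatures(listing):
    """One dict per signature packet: sigclass, digest id, index of the subkey it follows (0 = primary)."""
    sigs, subkey, cur = [], 0, None
    for line in listing.splitlines():
        if line.startswith(":signature packet:"):
            cur = {"subkey": subkey}
            sigs.append(cur)
        elif line.startswith(":"):          # any other packet ends the current signature
            subkey += line.startswith(":public sub key packet:")  # True counts as 1
            cur = None
        elif cur is not None:
            if m := re.search(r"sigclass 0x([0-9a-fA-F]+)", line):
                cur["sigclass"] = int(m.group(1), 16)
            if m := re.search(r"digest algo (\d+)", line):
                cur["digest"] = int(m.group(1))
    return sigs

def legacy_view(listing, supported=LEGACY_HASHES):
    """How a reader that only knows `supported` digests sees the key (cf. David's two-subkey remark)."""
    sigs = parse_signatures(listing)
    bindings = [s for s in sigs if s["sigclass"] == SUBKEY_BINDING]
    bound = sorted({s["subkey"] for s in bindings if s["digest"] in supported})
    unbound = sorted({s["subkey"] for s in bindings} - set(bound))
    bad_certs = [HASH_ALGOS.get(s["digest"], f"algo {s['digest']}")
                 for s in sigs if s["sigclass"] in CERT_CLASSES and s["digest"] not in supported]
    return {"bound_subkeys": bound, "unbound_subkeys": unbound, "unverifiable_certs": bad_certs}
```

Real `--list-packets` output carries more detail lines per packet than the sample; the parser only reads the `sigclass` and `digest algo` fields it needs, so it works unchanged on a fuller listing.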



More information about the Gnupg-devel mailing list