removing SHA1 from digest preference list

John W. Moore III jmoore3rd at bellsouth.net
Sun May 3 05:26:29 CEST 2009


Daniel Kahn Gillmor wrote:
> Hi folks--
> 
> In light of the recent SHA1 advances, i thought i'd look into what it
> would take to remove SHA1 from my list of preferred ciphers for a given key.

> I don't see anything in the RFC to indicate that SHA1 must be included
> in the list of preferred hashes:

It falls under the heading of Compatibility; particularly with regards
to backward compatibility.

> http://tools.ietf.org/html/rfc4880#section-9.4 suggests that compliant
> implementations must *implement* SHA-1.  But the earlier section
> suggests that the list of digest algorithms indicates "Message digest
> algorithm numbers that indicate which algorithms the key holder prefers
> to receive."  I no longer prefer to receive SHA-1 (well, i don't
> understand the nuances of the latest report yet, so i'm not really at
> this extreme position right now, but i might want to adopt it sooner
> than i had expected to).  I'd like to be able to make that statement
> explicit if possible, even though i use an RFC-compliant tool.

Until such time as OpenPGP implementations completely abandon backwards
compatibility, SHA1 will be recognized & 'accepted'; just as MD5 is at
present.  Removing it from Your Preference List will only mean that
everyone who Imports Your Key after You make the change will recognize
that You prefer _not_ to use SHA1; but everyone who already has Your Key
on their Keyring will still be encrypting to a Key that states SHA1 in
its Preferences.  Even the Key Servers will be propagating Your Key
with SHA1 'advertised'.

Generating a New Key at the present time will not erase this as every
OpenPGP Application I am aware of at present includes SHA1 by default.
SHA1, at present, is the de facto Standard hash to ensure that
Encryption to multiple Keys using various OpenPGP engines will /always/
have a compatible Hash.  Also to consider is that, at present, the
Default Key for GPG & PGP is a 1024 DSA Key.  Should You be successful
in implementing an installation that cannot or refuses to recognize SHA1
You will be cutting Yourself off from being able to verify the
overwhelming majority of Signatures that You encounter.  :-\

> There's no reason to force-include MD5 in the list of digests, for
> example, even though gnupg is capable of implementing it, right?  If the
> recent results have any practical traction, it seems like we might want
> to be able to exclude SHA1 in the same way that we currently exclude
> MD5, no?

Exclude?  Even if MD5 isn't listed in the Preferences it is still
recognized and accepted by all OpenPGP Applications.  Battleships don't
U-turn in 100 yards and neither does Software.  Look at how long it took
for MD5 to become unused.  The only Hash that I am aware of that has
actually been excluded is TIGER192 and even that Hash can be seen
occasionally.  With the vast repository of Keys generated over 20 years,
coupled with the number of folks who continue to use deprecated builds
of PGP & GPG, discarding SHA1 is not going to be as simple as throwing a
switch.  This is what folks are alluding to when they say Move in an
orderly fashion toward the theater exits.  To promptly abandon SHA1
immediately is akin to shouting Fire in a crowded theater.  <SIGH>
Ostracizing SHA1 will be no simple task.

JOHN 8-)
Timestamp: Saturday 02 May 2009, 23:26  --400 (Eastern Daylight Time)
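The exchange above turns on what a key's "preferred hash algorithms" list actually controls. The script below is an added illustration, not code from either poster or from GnuPG: it parses the RFC 4880 signature-subpacket area of a self-signature, extracts subpacket type 21 (preferred hash algorithms, IDs from RFC 4880 section 9.4), and applies the RFC 4880 rule that SHA-1, being the MUST-implement hash, is tacitly at the end of the list when it is not explicitly present. It then picks the hash a signer would use for a message going to several recipients. The two sample keys (KEY_A omits SHA1, KEY_B is an older-style key listing SHA1 first) are constructed for this example.

```python
"""Effective OpenPGP hash preferences: what removing SHA1 from the list does (and doesn't) change."""
import struct

# Hash algorithm IDs, RFC 4880 section 9.4.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SHA1 = 2
PREF_HASH_SUBPACKET = 21   # "Preferred Hash Algorithms" signature subpacket type

# Constructed sample hashed-subpacket areas (each holds a single type-21 subpacket).
KEY_A = b"\x03\x15\x0a\x08"   # length 3, type 21: SHA512, SHA256  (SHA1 deliberately omitted)
KEY_B = b"\x03\x15\x02\x03"   # length 3, type 21: SHA1, RIPEMD160 (older default-style key)


def parse_subpackets(data):
    """Walk a subpacket area (RFC 4880 section 5.2.3.1) and return (type, body) pairs.

    Length encoding: 1 octet (< 192), 2 octets (192..16319), or 0xFF + 4-octet big-endian.
    The high bit of the type octet is the "critical" flag and is masked off.
    """
    out = []
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length = ((first - 192) << 8) + data[i + 1] + 192
            i += 2
        else:
            length = struct.unpack(">I", data[i + 1:i + 5])[0]
            i += 5
        body = data[i:i + length]
        if len(body) != length or length == 0:
            raise ValueError("truncated or empty subpacket")
        out.append((body[0] & 0x7F, body[1:]))
        i += length
    return out


def advertised_hashes(subpacket_area):
    """The hash IDs the key holder explicitly lists, in preference order."""
    for ptype, body in parse_subpackets(subpacket_area):
        if ptype == PREF_HASH_SUBPACKET:
            return list(body)
    return []


def effective_hashes(advertised):
    """What a conforming implementation treats as the list: SHA1 is appended if absent."""
    effective = list(advertised)
    if SHA1 not in effective:
        effective.append(SHA1)
    return effective


def choose_hash(recipient_lists):
    """Hash for a signed message to several recipients: first entry of the first recipient's
    effective list that every other recipient's effective list also accepts."""
    lists = [effective_hashes(r) for r in recipient_lists]
    for candidate in lists[0]:
        if all(candidate in other for other in lists[1:]):
            return candidate
    return SHA1   # not reachable: SHA1 is in every effective list


if __name__ == "__main__":
    a, b = advertised_hashes(KEY_A), advertised_hashes(KEY_B)
    print("KEY_A advertises:", [HASH_NAMES[h] for h in a])
    print("KEY_A effective: ", [HASH_NAMES[h] for h in effective_hashes(a)])
    print("Hash used for a message to A and B:", HASH_NAMES[choose_hash([a, b])])
```

Running it shows the point made in the reply: KEY_A's effective list is SHA512, SHA256, SHA1 even though SHA1 was dropped from the advertised list, and a message to both keys still ends up hashed with SHA1 because it is the only algorithm common to both.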




More information about the Gnupg-devel mailing list