re-issuing subkey binding signatures with alternate digests
David Shaw
dshaw at jabberwocky.com
Mon May 4 20:14:36 CEST 2009
On May 4, 2009, at 1:23 PM, Daniel Kahn Gillmor wrote:
> Another (more relevant to my
> current digest review) would be to change the digest algorithm used on
> the subkey binding signature (e.g. to re-issue a subkey-binding
> signature that was originally issued with MD5 to a more acceptable
> digest).
There is no good way to do this without hackery, but the thing is, you
probably don't want to do it that way in any event.
Let's say your key was originally generated with SHA-1 as the hash for
the subkey binding signature, and you're concerned that an attacker
can do nasty things with that binding signature if and when the SHA-1
break is extended. You could probably do various pokings about and
force that binding signature to be reissued using SHA-256, but that
key has already (probably) been distributed far and wide with the
original SHA-1 binding signature. Even if you update the binding sig,
an attacker can still pull the old copy, with the original binding
signature, from a keyserver.
I think your best bet is to allow your current subkeys to expire or
forcibly revoke them and then make new ones with the proper binding
signature from day 1.
David
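The reply above turns on which digest a subkey binding signature was made with, and on the fact that old copies of that signature persist on keyservers. The check a key holder would want before deciding to revoke or expire a subkey is simply to see which hash algorithm each binding signature actually uses. `gpg --list-packets` prints this, but the small parser below does the same from raw packet data so the logic is visible. It is an added example, not code from this thread or from GnuPG; it follows the RFC 4880 packet layout (signature type 0x18 is the subkey binding signature, hash algorithm IDs per section 9.4, v4 fingerprint per section 12.2), only handles v4 key and signature packets, and the sample keyring at the bottom is constructed with dummy key material rather than exported from a real key.

```python
"""Report the digest algorithm used on each OpenPGP subkey binding signature.

Usage:  gpg --export KEYID | python3 audit_bindings.py
Assumes v4 keys and signatures (RFC 4880); partial body lengths are not handled.
"""
import hashlib
import struct
import sys

# RFC 4880 section 9.4 hash algorithm IDs
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}            # MD5 and SHA-1, the cases raised in the thread

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_PUBLIC_SUBKEY = 14
SUBKEY_BINDING = 0x18           # RFC 4880 section 5.2.1


def iter_packets(data):
    """Yield (tag, body) for each packet, handling old and new header formats."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            lsize = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + lsize], "big")
            hdr = 1 + lsize
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hdr + length


def v4_fingerprint(key_body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-byte body length, key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def audit_subkey_bindings(data):
    """Return (subkey_fingerprint, hash_id, hash_name, is_weak) for each 0x18 signature."""
    results, current_subkey = [], None
    for tag, body in iter_packets(data):
        if tag == TAG_PUBLIC_SUBKEY:
            current_subkey = v4_fingerprint(body)
        elif tag == TAG_SIGNATURE and body and body[0] == 4:
            sig_type, hash_algo = body[1], body[3]   # version, type, pk algo, hash algo
            if sig_type == SUBKEY_BINDING and current_subkey is not None:
                name = HASH_NAMES.get(hash_algo, "unknown(%d)" % hash_algo)
                results.append((current_subkey, hash_algo, name, hash_algo in WEAK_HASHES))
    return results


# --- constructed sample keyring (dummy RSA values, signatures will not verify) ---
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body          # new-format, length < 192


def _mpi(x):
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")


def _v4_key_body(created, n, e):
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)


def _v4_sig_body(sig_type, hash_algo):
    # version, type, RSA, hash, hashed/unhashed subpacket lengths 0, left16, dummy MPI
    return bytes([4, sig_type, 1, hash_algo]) + b"\x00\x00\x00\x00" + b"\xAB\xCD" + _mpi(0x80)


SAMPLE_KEYRING = (
    _packet(TAG_PUBLIC_KEY, _v4_key_body(1241000000, 0xC0FFEE, 65537))
    + _packet(TAG_PUBLIC_SUBKEY, _v4_key_body(1241000100, 0xDEADBEEF, 65537))
    + _packet(TAG_SIGNATURE, _v4_sig_body(SUBKEY_BINDING, 2))      # bound with SHA-1
    + _packet(TAG_PUBLIC_SUBKEY, _v4_key_body(1241000200, 0xFEEDFACE, 65537))
    + _packet(TAG_SIGNATURE, _v4_sig_body(SUBKEY_BINDING, 8))      # bound with SHA-256
)

if __name__ == "__main__":
    data = SAMPLE_KEYRING if sys.stdin.isatty() else sys.stdin.buffer.read()
    for fpr, _, name, weak in audit_subkey_bindings(data):
        print("%s  binding digest %-9s %s" % (fpr, name, "WEAK" if weak else "ok"))
```

Run against the constructed keyring it flags the first subkey (SHA-1 binding) and passes the second (SHA-256). A subkey that shows up as weak here is the case David describes: re-signing it locally does not retract the copies already served by keyservers, so the remedy is a fresh subkey bound with an acceptable digest and revocation or expiry of the old one.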