re-issuing subkey binding signatures with alternate digests

David Shaw dshaw at jabberwocky.com
Mon May 4 20:14:36 CEST 2009


On May 4, 2009, at 1:23 PM, Daniel Kahn Gillmor wrote:

> Another (more relevant to my current digest review) would be to change the digest algorithm used on the subkey binding signature (e.g. to re-issue a subkey-binding signature that was originally issued with MD5 to a more acceptable digest).

There is no good way to do this without hackery, but the thing is, you probably don't want to do it that way in any event.

Let's say your key was originally generated with SHA-1 as the hash for the subkey binding signature, and you're concerned that an attacker can do nasty things with that binding signature if and when the SHA-1 break is extended.  You could probably do various pokings about and force that binding signature to be reissued using SHA-256, but that key has already (probably) been distributed far and wide with the original SHA-1 binding signature.  Even if you update the binding sig, an attacker can still pull the old copy, with the original binding signature, from a keyserver.

I think your best bet is to allow your current subkeys to expire or forcibly revoke them and then make new ones with the proper binding signature from day 1.

David
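An added example, not from this thread or from GnuPG itself, for auditing the situation David describes: it parses the text of `gpg --export KEYID | gpg --list-packets` and reports the digest algorithm behind every subkey binding signature (sigclass 0x18), so a re-issued binding still shows its old SHA-1 packet next to the new one. It assumes the `sigclass 0x..` and `digest algo N` lines of gpg's packet listing; the listing it runs on here is a constructed excerpt in that shape.

```python
import re

# Hash algorithm IDs from RFC 4880 section 9.4; MD5 and SHA-1 are the ones to flag
DIGEST_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1"}
SUBKEY_BINDING = 0x18  # sigclass of a subkey binding signature (RFC 4880 section 5.2.1)

def audit_subkey_bindings(listing):
    """Parse `gpg --list-packets` text into (subkey_number, digest_name, is_weak) tuples, one
    per subkey binding signature in packet order; a re-issued binding therefore shows up twice."""
    results, subkey_no, in_sig, sigclass = [], 0, False, None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith(":public sub key packet:"):
            subkey_no, in_sig = subkey_no + 1, False  # the 0x18 sigs that follow bind this subkey
        elif line.startswith(":signature packet:"):
            in_sig, sigclass = True, None
        elif line.startswith(":"):  # any other packet header ends the signature
            in_sig = False
        elif in_sig:
            m = re.search(r"sigclass 0x([0-9a-fA-F]+)", line)
            if m:
                sigclass = int(m.group(1), 16)
            m = re.search(r"digest algo (\d+)", line)
            if m and sigclass == SUBKEY_BINDING and subkey_no:
                name = DIGEST_NAMES.get(int(m.group(1)), "algo " + m.group(1))
                results.append((subkey_no, name, name in WEAK_DIGESTS))
    return results

# Constructed excerpt in the shape of `gpg --list-packets` output: subkey 1 had its SHA-1 binding
# re-issued with SHA-256 (old packet still present), subkey 2 was bound with SHA-256 from day 1;
# the leading 0x13 certification signature is not a binding and is skipped.
SAMPLE_LISTING = """\
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1241000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest aa bb
:public sub key packet:
    version 4, algo 1, created 1241000000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1241000000, md5len 0, sigclass 0x18
    digest algo 2, begin of digest cc dd
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1241400000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest ee ff
:public sub key packet:
    version 4, algo 1, created 1241400000, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1241400000, md5len 0, sigclass 0x18
    digest algo 8, begin of digest 01 02
"""
```

Running `audit_subkey_bindings(SAMPLE_LISTING)` lists subkey 1 with both a SHA1 (weak) and a SHA256 binding and subkey 2 with SHA256 only, which is exactly why the old packet remains a problem until the subkey itself is retired.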
