re-issuing subkey binding signatures with alternate digests

Daniel Kahn Gillmor dkg at
Mon May 4 21:05:47 CEST 2009

On 05/04/2009 02:14 PM, David Shaw wrote:
> Let's say your key was originally generated with SHA-1 as the hash for
> the subkey binding signature, and you're concerned that an attacker can
> do nasty things with that binding signature if and when the SHA-1 break
> is extended.  You could probably do various pokings about and force that
> binding signature to be reissued using SHA-256, but that key has already
> (probably) been distributed far and wide with the original SHA-1 binding
> signature.  Even if you update the binding sig, an attacker can still
> pull the old copy, with the original binding signature, from a keyserver.

I understand the attack you describe, and realize that what i'm trying
to do doesn't defend against it.  However, i'm concerned that if we
start to explicitly deprecate MD5, then people with MD5-based subkey
binding signatures will suddenly find their subkeys not properly
associated.  If they were able to re-issue the subkey binding signature
using a more palatable digest, they'd be able to continue using them
even if everyone were to decide that MD5 has the same security
properties as sum(1).

> I think your best bet is to allow your current subkeys to expire or
> forcibly revoke them and then make new ones with the proper binding
> signature from day 1.

This doesn't address the attack you describe above either, does it?  the
SHA1 signatures are still out there, published.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090504/0c9aca15/attachment.pgp>

More information about the Gnupg-devel mailing list