re-issuing subkey binding signatures with alternate digests

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 5 00:52:37 CEST 2009


On 05/04/2009 03:21 PM, David Shaw wrote:
> Are there many subkey binding signatures using MD5?  Talking about
> subkeys at all means we're talking about something closer to OpenPGP,
> which implies SHA-1 to me.

I have no idea how many there are, actually.  But if it makes more
sense, imagine planning against the SHA-1 weaknesses instead, a few
years down the road.  As people start to jump ship from SHA-1 by
explicitly distrusting all signatures made under that hash, your old
SHA-1 subkey binding will become suspect, even if your key doesn't need
to be revoked.

>> This doesn't address the attack you describe above either, does it?  The
>> SHA1 signatures are still out there, published.
> 
> It really depends on the exact details of the attack (I used the "do
> nasty things with" attack, which isn't terribly specific!)  The logic
> I'm using is: if we're nervous enough about the binding signature hash
> that we want to reissue it, we aren't actually changing anything by just
> reissuing the signature.

I'm not nervous about people doing bad things with the signature -- I
recognize that if that becomes possible by a digest breakdown, that
signature would be rendered useless *whether or not* your specific
signature has actually been compromised.  Why?  Because people have no
reason to trust signatures made over compromised hashes.

Re-issuing the signature over a stronger hash should make the subkey
acceptable to people who have already decided that the older hash is
unacceptable.

	--dkg
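As an added example (not part of this thread and not GnuPG's own code), here is the kind of check the question above calls for: a small Python walker over a binary OpenPGP key that reports which binding self-signatures still carry MD5 or SHA-1. The packet parser, the algorithm tables and the sample bytes are all constructed for this illustration; partial and indeterminate body lengths are left unhandled.

```python
# Walk OpenPGP packets (RFC 4880 sections 4.2 and 5.2) and report the hash
# algorithm behind every key-binding self-signature. Hypothetical helper.
from typing import Iterator, List, Tuple

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x18: "subkey binding", 0x19: "primary key binding",
             0x13: "positive certification", 0x1F: "direct key"}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1, the digests the thread is worried about

def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet of a binary (not ASCII-armored) key."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        if first & 0x40:  # new-format header: tag in low 6 bits, variable length
            tag, l0 = first & 0x3F, data[i + 1]
            if l0 < 192:
                length, i = l0, i + 2
            elif l0 < 224:
                length, i = ((l0 - 192) << 8) + data[i + 2] + 192, i + 3
            elif l0 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def binding_signature_hashes(data: bytes) -> List[Tuple[str, str, bool]]:
    """Return (signature type, hash name, is_weak) for each v4 binding/self-sig."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 2 or len(body) < 4 or body[0] != 4:
            continue  # only v4 signature packets carry the hash id at octet 3
        sig_type, hash_algo = body[1], body[3]
        if sig_type in SIG_TYPES:
            out.append((SIG_TYPES[sig_type], HASH_NAMES.get(hash_algo, str(hash_algo)),
                        hash_algo in WEAK_HASHES))
    return out

# Constructed sample: three signature packets cut down to the 10-octet v4 header
# (no subpackets, no MPIs), so they parse but are not real signatures.
SAMPLE = bytes.fromhex("880a" "0418010200000000" "0000"    # old hdr, subkey binding, SHA1
                       "880a" "0418010800000000" "0000"    # old hdr, subkey binding, SHA256
                       "c20a" "0413010100000000" "0000")   # new hdr, positive cert, MD5
```

Run it over the binary output of `gpg --export <keyid>` to see which of a key's own binding signatures would become suspect once SHA-1 is distrusted.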
