re-issuing subkey binding signatures with alternate digests
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue May 5 00:52:37 CEST 2009
On 05/04/2009 03:21 PM, David Shaw wrote:
> Are there many subkey binding signatures using MD5? Talking about
> subkeys at all means we're talking about something closer to OpenPGP,
> which implies SHA-1 to me.
I have no idea how many there are, actually. But if it makes more
sense, imagine planning against the SHA-1 weaknesses instead, a few
years down the road. As people start to jump ship from SHA-1 by
explicitly distrusting all signatures made under that hash, your old
SHA-1 subkey binding will become suspect, even if your key doesn't need
to be revoked.
>> This doesn't address the attack you describe above either, does it? The
>> SHA1 signatures are still out there, published.
> It really depends on the exact details of the attack (I used the "do
> nasty things with" attack, which isn't terribly specific!) The logic
> I'm using is: if we're nervous enough about the binding signature hash
> that we want to reissue it, we aren't actually changing anything by just
> reissuing the signature.
I'm not nervous about people doing bad things with the signature -- I
recognize that if that becomes possible by a digest breakdown, that
signature would be rendered useless *whether or not* your specific
signature has actually been compromised. Why? Because people have no
reason to trust signatures made over compromised hashes.
Re-issuing the signature over a stronger hash should make the subkey
acceptable to people who have already decided that the older hash is
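A defender-side check for the situation discussed in this thread, added here as an example and not code from the thread or from GnuPG: it walks the packets of a binary (dearmored) OpenPGP key and reports the subkey binding signatures (signature type 0x18) whose digest is MD5 or SHA-1, i.e. the bindings a reader who has decided to distrust those hashes would reject. It handles both old- and new-format packet headers and v3 as well as v4 signatures; the sample key material is constructed inline and is not a real key.

```python
# Added example (not GnuPG code): audit subkey binding signatures for weak digests.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880 section 9.4
WEAK_HASHES = {1, 2}       # MD5, SHA-1
SUBKEY_BINDING = 0x18      # signature type: subkey binding

def iter_packets(data):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header; length type 3 (indeterminate) unsupported
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def signature_info(body):
    """Return (sig_type, hash_alg) of a v3 or v4 signature packet body."""
    if body[0] == 4:           # v4: type at 1, pk alg at 2, hash alg at 3
        return body[1], body[3]
    if body[0] == 3:           # v3: type at 2, pk alg at 15, hash alg at 16
        return body[2], body[16]
    raise ValueError(f"unsupported signature version {body[0]}")

def weak_subkey_bindings(keydata):
    """Digest names of the subkey binding signatures made over MD5 or SHA-1."""
    return [HASH_NAMES[h] for tag, body in iter_packets(keydata) if tag == 2
            for t, h in [signature_info(body)]
            if t == SUBKEY_BINDING and h in WEAK_HASHES]

# Constructed sample, not a real key: three bare signature packets.
SAMPLE = (b"\x88\x04" + bytes([4, 0x18, 1, 2])            # old hdr, v4, SHA-1
          + b"\xc2\x04" + bytes([4, 0x18, 1, 8])          # new hdr, v4, SHA-256
          + b"\x88\x11" + bytes([3, 5, 0x18]) + b"\0" * 12 + bytes([1, 1]))  # v3, MD5
```

On a real key, feed `weak_subkey_bindings` the bytes of `gpg --export KEYID` (binary output, not ASCII-armored).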