un-trusting MD5 in gpg
dshaw at jabberwocky.com
Thu May 7 00:04:06 CEST 2009
On May 6, 2009, at 4:46 PM, Daniel Kahn Gillmor wrote:
> On 05/06/2009 04:23 PM, David Shaw wrote:
>> Maybe we should name it personal-digest-something. It makes it clear
>> that these are personal settings, pertain to digests, and that this
>> sort of a parallel function to personal-digest-preferences. What are
>> the antonyms of preferences? personal-digest-dislikes?
>> personal-digest-rejections? personal-digest-disable?
> I'm not so sure. as currently defined, personal-digest-preferences
> apply mainly in situations where you are the only person whose
> preferences can be taken into account (clearsigning a public document,
> for example) -- there are no recipients to consider, and you are
> creating the digest yourself. This seems to be what makes them
p-d-p is used during all signing operations whether there are
recipients or not. The clearsign case has no recipients, but an
encrypt+sign does. Say Alice was signing a document and encrypting it
to Baker and Charlie. The cipher is chosen by taking the union of
Baker and Charlie's cipher preferences and then using Alice's personal-
cipher-preferences to pick Alice's favorite choice from the union.
The digest is chosen in the same way: take the union of Baker and
Charlie's preferences, and then use Alice's personal-digest-
preferences to pick Alice's favorite choice from the union. The only
thing that is special about picking digests is that some results are
impossible and are automatically discarded. Let's say Alice had a
3072-bit DSA key. The answer thus has to be SHA256, SHA384, or
SHA512. If the preferences cannot agree on one of these, then it is
Either way, though, Baker and Charlie's preferences are consulted first.
> But instead, we're talking about not *accepting* a particular digest
> from someone else (or from yourself at an earlier time). Should this
> blacklist we're creating also govern digests that we sign over? if we
> say --personal-digest-blacklist, does that mean both that we will
> *generate* signatures over the given hash and that we will not accept
> signatures over the given hash?
Blacklist is pretty good. We could call it "blacklist-digests" (which
gives us a name for "blacklist-ciphers" later). It's reasonably clear
just from the name.
In terms of whether blacklist-digests only rejects incoming signatures
or both rejects incoming signatures and refuses to generate a
signature as well, I could make a reasonable argument for either side,
but I think I lean more towards doing both - rejecting incoming and
not generating outgoing. It would be a strange sort of thing if user
disliked an algorithm so much that he refused to accept it from
somewhere else, but yet still generated it himself.
> With flexible cipher
> suites and tools which adequately represent their users intent, it
> likely that there will always exist some intersection of a user with a
> pathologically archaic toolset and a user with pathologically
> bleeding-edge demands. The tools need to be able to fail gracefully
> when they recognize that such an intersection exists.
Up until today, we have relied on the must-implement algorithms to get
us out of a conflict like this. This will be a new, and surprising,
behavior for GPG. It will need to be off by default.
More information about the Gnupg-devel