laying groundwork for an eventual migration away from SHA1 with gpg
David Shaw
dshaw at jabberwocky.com
Fri May 8 02:07:30 CEST 2009
On May 7, 2009, at 4:57 PM, Daniel Kahn Gillmor wrote:
>> Personally, when I switched to SHA-256 a few years ago, I didn't re-issue any signatures.
>
> Your key does not indicate a switch to SHA256:
I meant when I switched to SHA-256 for key signing (i.e. "cert-digest-algo sha256"). I've been meaning to update my preference lists, actually, but I'm waiting for the Camellia draft to be published (it received IESG approval today, so we're getting closer).
>> If I happen on the same person at a keysigning event, I'll re-sign of course, but I didn't seek people out to do it. I think it's prudent to move away from SHA-1 (and did), but actually going back and re-making old signatures seems excessive to me.
>
> My goal is to make sure that there *is* a reasonable non-SHA1 WoT in the near future, which is why i included that step. If everyone had switched to SHA256 when you did (i wish i had), we'd have such a WoT by now, and we could start actively deprecating SHA-1 instead of just laying groundwork.
>
> My thought was that we could get new non-SHA1 certifications out there in the near-term, before there are active attacks(?) that would render review of our previous SHA-1 signatures dubious.
I don't think that the SHA-1 situation is nearly that dire. What is the attack that you're worried about here? Sure, let's all switch over to something better, but I think that the idea that we have to quickly rebuild the web of trust or that we're somehow in a race against time before someone starts forging signatures is more than a bit excessive.
>> Incidentally, there is a minor technical gotcha in the re-signing plans in general. Neither PGP nor GPG will allow you to re-sign a key you've already signed. You can work around this by deleting the old signature first, then re-signing.
>
> Ah, good point. But this is signing with a new key (it's in the context of a key transition). That should be OK, right?
With a new key there is no problem. If someone has an RSA or DSA2 key already, though, and simply wants to start issuing SHA-256 signatures instead of SHA-1, they might run into a problem.
David
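As an added example (not part of the thread, nor GnuPG's own code), a small Python parser that walks a binary OpenPGP key export (RFC 4880 packet framing) and reports the hash algorithm of every signature packet, so you can inventory which certifications on a key are still SHA-1 before deciding what to re-issue. The sample key bytes are constructed and truncated to the fields the parser reads.

```python
# Audit the digest algorithm used by each signature packet in an OpenPGP key.
# Added example; SAMPLE_KEY is constructed, not a real key.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # MD5 and SHA-1: candidates for re-certification
SIG_TYPES = {0x10: "generic cert", 0x11: "persona cert", 0x12: "casual cert",
             0x13: "positive cert", 0x18: "subkey binding", 0x1F: "direct key"}

def iter_packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) OpenPGP stream."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if hdr & 0x40:  # new-format header: tag in low 6 bits, variable length octets
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        yield tag, data[pos:pos + length]
        pos += length

def signature_digests(data):
    """Return [(sig_type_name, hash_name, is_weak)] for every signature packet (tag 2)."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 2:
            continue
        if body[0] == 4:      # v4: version, sig type, pubkey algo, hash algo, ...
            sig_type, hash_algo = body[1], body[3]
        elif body[0] == 3:    # v3: version, 5, sig type, time(4), keyid(8), pk algo, hash algo
            sig_type, hash_algo = body[2], body[16]
        else:
            continue
        out.append((SIG_TYPES.get(sig_type, hex(sig_type)),
                    HASH_ALGOS.get(hash_algo, str(hash_algo)), hash_algo in WEAK_HASHES))
    return out

SAMPLE_KEY = bytes.fromhex(
    "98 03 04 00 01"           # tag 6 public key, body truncated to placeholder bytes
    "b4 04 54 65 73 74"        # tag 13 user ID "Test"
    "88 06 04 13 01 02 00 00"  # tag 2, v4 positive cert, RSA, hash 2 = SHA1 (old header)
    "c2 06 04 13 01 08 00 00"  # tag 2, v4 positive cert, RSA, hash 8 = SHA256 (new header)
)
```

On a real key, feed it the output of `gpg --export KEYID` (binary, without `--armor`); certifications reported as weak are the ones whose signers would need to re-sign, which for an existing key means deleting the old signature first as described above.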