laying groundwork for an eventual migration away from SHA1 with gpg

David Shaw dshaw at jabberwocky.com
Fri May 8 02:07:30 CEST 2009 

On May 7, 2009, at 4:57 PM, Daniel Kahn Gillmor wrote:

>> Personally, when I switched to SHA-256 a few years ago, I didn't
>> re-issue any signatures.
>
> Your key does not indicate a switch to SHA256:

I meant when I switched to SHA-256 for key signing (i.e. "cert-digest- 
algo sha256").  I've been meaning to update my preference lists,  
actually, but I'm waiting for the Camellia draft to be published (it  
received IESG approval today, so we're getting closer).

>> If I happen on the same person at a keysigning
>> event, I'll re-sign of course, but I didn't seek people out to do  
>> it.  I
>> think it's prudent to move away from SHA-1 (and did), but actually  
>> going
>> back and re-making old signatures seems excessive to me.
>
> My goal is to make sure that there *is* a reasonable non-SHA1 WoT in  
> the
> near future, which is why i included that step.  If everyone had
> switched to SHA256 when you did (i wish i had), we'd have such a WoT  
> by
> now, and we could start actively deprecating SHA-1 instead of just
> laying groundwork.
>
> My thought was that we could get new  non-SHA1 certifications out  
> there
> in the near-term, before there are active attacks(?) that would render
> review of our previous SHA-1 signatures dubious.

I don't think that the SHA-1 situation is nearly that dire.  What is  
the attack that you're worried about here?  Sure, let's all switch  
over to something better, but I think that the idea that we have to  
quickly rebuild the web of trust or that we're somehow in a race  
against time before someone starts forging signatures is more than a  
bit excessive.

>> Incidentally, there is a minor technical gotcha in the re-signing  
>> plans
>> in general.  Neither PGP nor GPG will allow you to re-sign a key  
>> you've
>> already signed.  You can work around this by deleting the old  
>> signature
>> first, then re-signing.
>
> Ah, good point.  But this is signing with a new key (it's in the  
> context
> of a key transition).  That should be OK, right?

With a new key there is no problem.  If someone has a RSA or DSA2 key  
already, though, and simply wants to start issuing SHA-256 signatures  
instead of SHA-1, they might run into a problem.

David

More information about the Gnupg-devel mailing list