laying groundwork for an eventual migration away from SHA1 with gpg

Daniel Kahn Gillmor dkg at
Fri May 8 18:30:04 CEST 2009

On 05/07/2009 08:07 PM, David Shaw wrote:
> I don't think that the SHA-1 situation is nearly that dire.  What is the
> attack that you're worried about here?  

Some attacks i'm concerned about are similar to the one demonstrated
against MD5/X.509 at the end of last year:

OpenPGP is in better shape than X.509 already because there isn't a
handful of central authorities that everyone chain-trusts absolutely.
So there isn't room for a 'net-wide compromise of the type demonstrated
by the hashclash folks.  But there is still room for bogus
certifications compromising pockets of the existing web of trust.

> Sure, let's all switch over to
> something better, but I think that the idea that we have to quickly
> rebuild the web of trust or that we're somehow in a race against time
> before someone starts forging signatures is more than a bit excessive.

I think it *is* something of a race against time, assuming the
announcement from this year's eurocrypt is legitimate.  And the writing
has been on the wall for SHA-1 since Wang's results in 2005, no?

If we're picking arbitrary deadlines, a major user of cryptography (the
US gov't) has decreed a deadline to completely abandon reliance on SHA-1
for digital signatures by the end of 2010 (19 months away).  By what
time do *you* think we should stop relying on SHA-1 as a community?  How
long do you think it will take for there to be a relatively-functional
WoT if you disregard all SHA-1 certifications?  How long before a
practical attack along the lines of what the hashclash folks did last
December against MD5 pops up, published or not?

I'm not suggesting that we panic.  I'm suggesting that we need to
actively coordinate a retreat from the algorithm.  And coordinating
action on a platform as deliberately decentralized as OpenPGP is a tad
more difficult than on a centralized system like X.509.  Hence the
politicking and prodding of the broader OpenPGP community ;)

> With a new key there is no problem.  If someone has a RSA or DSA2 key
> already, though, and simply wants to start issuing SHA-256 signatures
> instead of SHA-1, they might run into a problem.

Understood.  This was within my "transition to a new key" instructions,
though, so i'm hoping that folks who are already ahead of the curve with
greater-than-1024-bit keys (a small number, if my scan of the debian
keyring is representative) will be able to sort it out for themselves.
My goal was to keep those instructions relatively simple.  i think
they're too complicated anyway, but i did try! :(

My basic goal is to ensure that this infrastructure remains robust
against a determined attacker with reasonable resources.  At some point
(i don't know when) that's going to mean ignoring/blacklisting SHA-1
signatures.  I want there to be a core of stronger signatures available
*before* that happens.  I welcome suggestions for other ways to do this.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20090508/baac7aca/attachment-0001.pgp>

More information about the Gnupg-devel mailing list