laying groundwork for an eventual migration away from SHA1 with gpg

Daniel Kahn Gillmor dkg at
Mon May 11 07:26:30 CEST 2009

On 05/10/2009 09:49 PM, David Shaw wrote:
> On May 8, 2009, at 5:00 PM, Daniel Kahn Gillmor wrote:
> It would be interesting to know if the new attack works against
> SHA-256.  Not in the sense that it could bring SHA-256 down to 2^52, but
> in the sense that it could bring it to something less than 2^128.

Indeed.  I wish i understood the math behind all this more clearly :(

> I don't mean there are faster/easier/cheaper ways of doing this
> mathematically.  I mean boring old subterfuge like going to a keysigning
> party with a fake ID, claiming to be someone else.  I get a bunch of
> signatures, and I'm done.  It skips the whole difficult math problem.

Yeah, i understood what you were driving at.  I agree that the social
protocols are far easier to crack than the crypto right now.  And i'd
like to see that stay the same, actually, since the crypto is actually
easier to get right (in the tool chain) than user education (which has
to happen with each individual, fallible human).  I just want to be sure
that people who *do* think about the security implications of their
decisions and actions will have a toolchain that is comparably secure,
even in the face of a mathematically- and computationally-sophisticated

> Certainly.  This is the sort of thing that reasonable people can
> disagree on.  I don't think that your plan is wrong or evil or anything
> like that.  I just worry it's rather eager to expunge SHA-1.  The plan
> pushes a 3-month window to migrate to SHA-256 and revoke all earlier
> keys.  We're not particularly close to having any collision at all, much
> less the finesse necessary to "weaponize" that collision generating
> process into an attack on OpenPGP.  The plan text doesn't really say
> this, though, and instead puts forth a perception that is scarier than
> (I think) the reality is.

Yeah, this is a tradeoff i had difficulty making, and it looks like i
drew the line differently than you would have.  I was balancing between
making a non-panicked, concise post with concrete, relatively simple
recommendations, and a more lengthy, nuanced, non-panicked discussion
about the various factors in play along with a concrete list of
next-step actions.  I opted for the shorter version in the hopes that
people would actually read the post and take the actions described  :/

> I'm afraid that the plan document is going to result in scared people,
> and scared people do very dumb things.  I'm already seeing various
> pieces of posted advice around the net to do stuff like immediately
> switch to 4096-bit keys or force SHA256 via 'digest-algo', or use
> SHA512, or other things that can actually cause more harm than good. 

For the record, i've been using 4096-bit OpenPGP keys for about 20
months now (without incident), and have just started using signatures
over SHA-512, mainly because i'm interested in seeing what actually does
break.  I plan on publicizing such breakage as soon as it happens so
other folks can know about it.  Basically, i'm willing to be a guinea pig.

I grant that most of my cryptographic communications (authenticated
and/or private) tend to be in the free software world, though, so i
might not be the best judge of interoperability with non-free tools.  It
would be great if someone who does have those interoperability concerns
wanted to write up specific harms that can arise from these choices.

I'm going to point to the archive of this discussion from my blog post
so that these perspectives get some exposure.
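The "force SHA256 via 'digest-algo'" advice mentioned above is worth showing next to the gentler alternative. The following gpg.conf fragment is an added example, not text from this thread or from the GnuPG project: `digest-algo` overrides the hash for every signature regardless of what the recipient's key advertises it can handle, which is the interoperability risk David is pointing at, whereas `personal-digest-preferences` only ranks the hashes GnuPG may pick from among those the recipient actually supports, and `cert-digest-algo` controls the hash used on key certifications (the signatures a keysigning party produces). The option names are real GnuPG options; the choice of SHA256 first, with SHA512 as a secondary, is an assumption chosen for illustration.

```conf
# Risky: forces SHA-256 on every data signature, even for correspondents
# whose software or key preferences cannot verify it.
# digest-algo SHA256

# Preferred: state an ordered preference; GnuPG honours it only when the
# recipient's key says the hash is supported, otherwise it falls back.
personal-digest-preferences SHA256 SHA512

# Certifications (key signatures) are made with this hash; unlike data
# signatures there is no recipient preference to negotiate against.
cert-digest-algo SHA256
```

Whether a given signature actually used the stronger hash can be confirmed after the fact with `gpg --list-packets` on the signature, which prints the digest algorithm identifier for each signature packet.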


