SHA-1 recommendations
David Shaw
dshaw at jabberwocky.com
Mon May 18 19:21:27 CEST 2009
On May 18, 2009, at 11:14 AM, Daniel Kahn Gillmor wrote:
>> So, while I personally am issuing SHA-256 key certifications (and
>> have
>> been for a while), I do not think that switching the default away
>> from
>> SHA-1 is appropriate at this time. What is good for me is not
>> necessarily what is good for the whole world.
>
> Understood. We're not discussing changing the defaults here, though,
> we're discussing Robert J. Hansen's proposed document for people who
> are
> interested in mitigating whatever risks may be implied by a
> progressive
> weakening of SHA-1.
Understood, but I believe the quote from me that was used was from
that context, so I wanted to make that context clear. I don't really
favor this sort of "here's how to transition everyone" document.
> Here's an idea: trawl the public keyservers, and look at the
> proportion
> of valid (non-expired, non-revoked) keys with digest preference
> subpackets in their self-sigs which mention any digest from the SHA-2
> family. It would be good to rule out abandoned keys somehow; doing so
> is probably fundamentally impossible, but maybe we could approximate
> it
> by discarding keys with no certifications attached in the last 5
> years?
Not all users of OpenPGP use the keyservers or even participate in the
web of trust. It's also used in various environments where keys are
traded manually.
>> I see no conflict in the RFC: the list is ordered, and a random
>> selection is perfectly conformant. The list is ordered to give
>> implementations that want to do something useful with rankings
>> something
>> to work with (and note that both of the "big two" of PGP and GPG
>> order
>> their lists to varying degrees), but those implementations that do
>> not
>> want to play with rankings are allowed to pick however they like.
>> It's
>> similar, in a way, to the IETF meta-rule: be conservative in what you
>> generate, be liberal in what you accept.
>>
>> So it's an ordered list of capabilities. Or perhaps a capability
>> set of
>> preferences. ;-)
>
> I'm not suggesting there is a conflict in the RFC, simply that it
> seems
> that GnuPG could use a refresh of its default digest preferences.
No, I was agreeing with you. Robert saw a conflict, but I don't.
> * include the stronger SHA-2 digests which gpg supports, and
>
> * re-order them in a clearly-stated way (i.e. commit to saying "gpg
> interprets and produces the orderings as preferential, with most-
> desired
> first"), and explicitly, publically prefer digests from the SHA-2
> family
> over SHA-1.
I don't have a problem with this. GPG does interpret the ordering as
preferential (is there some source that says otherwise?). The current
default hash preference list is "SHA1 SHA256 RIPEMD160". It's simple
enough to juggle the list so that SHA256 comes first, etc. I wouldn't
want to put that into some extra document, though: it's a fairly
small, and quite safe change. I'd support changing the default for
that.
David
More information about the Gnupg-devel
mailing list