SHA1 being used despite public key preferences

David Shaw dshaw at jabberwocky.com
Wed Oct 20 20:52:34 CEST 2010


On Oct 20, 2010, at 1:02 PM, Daniel Kahn Gillmor wrote:

> On 10/19/2010 07:01 PM, David Shaw wrote:
>> In this particular case of the signing digest, GnuPG does in fact honor the
>> preferences of the recipient, but for historical reasons, the only algorithm
>> that the sender will allow is SHA-1 (thus effectively disabling the feature).
>> The reason behind this is that old versions of GnuPG generated keys with a
>> standard hash preference of RIPEMD/160 before SHA-1.  When GnuPG got the ability
>> to use that preference to decide which hash to pick, people who were expecting
>> SHA-1 suddenly got RIPEMD/160.  In order to not violate the law of least surprise,
>> we stuck a SHA-1 preference in personal-digest-preferences.
> 
> Thanks for explaining the historical background, David.  So it sounds
> like people had published preferences in their public keys stating a
> preference for RIPEMD160 over SHA1, and then they were surprised to get
> signed docs that used RIPEMD160?  That strikes me as a strange thing to
> be surprised by, given that they presumably would have had to explicitly
> change their published digest preferences (e.g. with --edit-key setpref).

GnuPG itself defaulted to "RIPEMD/160 SHA-1" when generating keys.  The surprise was from those people who hadn't changed anything on their key - one day they were using SHA-1, then after upgrading GnuPG to the version that actually made use of the hash preferences, they would suddenly find themselves using RIPEMD/160.

> given that the --default-preference-list for GnuPG (that is, the default
> for selfcert-published preferences for each newly-created key) now lists
> at least one SHA-2 algorithm (SHA-256) ahead of SHA-1, perhaps it would
> make more sense for the default --personal-digest-preferences to be
> updated to match?
> 
> I personally think that the --personal-digest-preferences should default
> to the strongest supported algorithm:
> 
> SHA512 SHA384 SHA256 SHA224 SHA1
> 
> The current --default-preference-list defaults for digest algorithms are:
> 
> SHA256 SHA1 SHA384 SHA512 SHA224

Isn't this sort of saying one thing with default-preference-list ("these are our ranked ordering of hashes..."), and then saying something else with personal-digest-preferences ("...but ignore that ranking and use this ranking instead") ?

I'm not yet convinced a change is necessary here, but if something really needs to change, I would say that a better answer would be to make personal-digest-preferences not default to anything at all.  This would make it match the other personal-XXX-preferences, and allow the recipient keys to specify whatever they like (as is true for ciphers).  If a user chooses to restrict this list further, that's up to them.

(Note that this does not mean that people can request MD5 - MD5 is deprecated, so if the algorithm picking math settles on MD5, and SHA-1 is also available, we'll use SHA-1).

David
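
The selection behaviour discussed in this thread (recipient-published digest preferences, the sender's personal-digest-preferences override, and the MD5 guard), as a small model added here for illustration. This is not GnuPG's code, and it does not reproduce GnuPG's exact scoring; it assumes a simplified rule: candidates are the digests every recipient lists (SHA1 is treated as implicitly present because every OpenPGP implementation must support it), without a personal list they are ranked by summed position across the recipients' lists, and with a personal list that list both restricts and orders the candidates. The function names, the ValueError on an empty intersection, and the sample preference lists are this example's own choices, though the three lists mirror the ones quoted above.

```python
"""Model of picking a signing digest from OpenPGP recipient preferences.

Illustrative model written for this page; NOT GnuPG source. Assumes:
  * candidates = digests present in every recipient's list (SHA1 implicit)
  * no personal list  -> rank by summed position across recipients
  * personal list     -> restricts AND orders the candidates
  * if the pick is MD5 and SHA1 is still available, use SHA1 instead
"""
from typing import Dict, List, Optional, Sequence, Tuple

MD5, SHA1, RIPEMD160 = "MD5", "SHA1", "RIPEMD160"
SHA224, SHA256, SHA384, SHA512 = "SHA224", "SHA256", "SHA384", "SHA512"

# Preference lists quoted in the thread, spelled the way gpg's setpref takes them.
OLD_GNUPG_DEFAULT = [RIPEMD160, SHA1]                          # old gpg key default
CURRENT_KEY_DEFAULT = [SHA256, SHA1, SHA384, SHA512, SHA224]   # --default-preference-list
STRONGEST_FIRST = [SHA512, SHA384, SHA256, SHA224, SHA1]       # proposed personal list


def effective_prefs(published: Sequence[str]) -> List[str]:
    """A recipient's published digest list with SHA1 appended if absent (assumption:
    SHA1 is mandatory to implement, so it is always usable as a last resort)."""
    prefs = list(published)
    if SHA1 not in prefs:
        prefs.append(SHA1)
    return prefs


def common_digests(recipients: Sequence[Sequence[str]]) -> Tuple[List[str], List[List[str]]]:
    """Digests every recipient lists, in the first recipient's order, plus the
    per-recipient effective lists used for ranking."""
    lists = [effective_prefs(p) for p in recipients]
    first = lists[0]
    common = [a for a in first if all(a in other for other in lists[1:])]
    return common, lists


def rank_by_recipients(candidates: List[str], lists: List[List[str]]) -> List[str]:
    """Lower summed position across all recipient lists wins; ties keep the
    first recipient's ordering (model choice, not GnuPG's exact scoring)."""
    score: Dict[str, int] = {a: sum(lst.index(a) for lst in lists) for a in candidates}
    return sorted(candidates, key=lambda a: (score[a], candidates.index(a)))


def pick_digest(recipients: Sequence[Sequence[str]], personal: Optional[Sequence[str]] = None) -> str:
    """Choose the signing digest for a message going to `recipients`.

    `personal` models personal-digest-preferences: when set, only digests on it are
    allowed and its order decides; when None/empty, the recipients' rankings decide.
    """
    if not recipients:
        raise ValueError("need at least one recipient key")
    candidates, lists = common_digests(recipients)
    if personal:
        ordered = [a for a in personal if a in candidates]
        if not ordered:
            # Model choice: refuse rather than silently override the user's restriction.
            raise ValueError("personal list excludes every digest the recipients share")
    else:
        ordered = rank_by_recipients(candidates, lists)
    chosen = ordered[0]
    # MD5 guard from the thread: MD5 is deprecated, so prefer SHA1 if it is usable.
    if chosen == MD5 and SHA1 in ordered:
        return SHA1
    return chosen


def scenarios() -> Dict[str, str]:
    """The situations described in the thread, as label -> chosen digest."""
    return {
        "old keys, personal pinned to SHA1 (the status quo)": pick_digest([OLD_GNUPG_DEFAULT], [SHA1]),
        "old keys, prefs honoured (the RIPEMD/160 surprise)": pick_digest([OLD_GNUPG_DEFAULT]),
        "current keys, personal still SHA1": pick_digest([CURRENT_KEY_DEFAULT], [SHA1]),
        "current keys, no personal list": pick_digest([CURRENT_KEY_DEFAULT, CURRENT_KEY_DEFAULT]),
        "current keys, strongest-first personal list": pick_digest([CURRENT_KEY_DEFAULT], STRONGEST_FIRST),
        "one old key in the recipient set": pick_digest([CURRENT_KEY_DEFAULT, OLD_GNUPG_DEFAULT], STRONGEST_FIRST),
        "MD5 ranked first but guarded": pick_digest([[MD5, SHA1], [MD5]]),
    }


if __name__ == "__main__":
    for label, digest in scenarios().items():
        print(f"{label:55s} -> {digest}")
```

Running the scenarios shows the three positions in the thread side by side: with the personal list pinned to SHA1, every key yields SHA1 no matter what it publishes; with no personal list, the old "RIPEMD160 SHA1" keys yield RIPEMD160 and current keys yield SHA256; and a single old key among the recipients pulls the whole set down to the shared SHA1 even under a strongest-first personal list.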
