[PATCH] Allow printing key digests in key edit

Werner Koch wk at gnupg.org
Mon Jan 30 15:44:08 CET 2012


On Mon, 30 Jan 2012 14:36, christian at quelltextlich.at said:

> I suppose we all agree that among those who claim such "nonsense" are
> for example renowned cryptographer Bruce Schneier [1]. For whatever

You need to understand what cryptanalysts mean by "broken": the
algorithm no longer meets its original design goals.  However, all
algorithms have a high security margin which allows them to be used
after such a break.

Even MD5, which is actually broken for many common usages, still holds
strong when used as the digest in an HMAC.  For SHA-1 we don't even know
how to compute a collision.

> Be things as they may, I haven't seen SHA-1 collisions growing on
> trees since 2005 either :)

In the case of a fingerprint we don't care too much about collision
resistance but about preimage attacks.  Consider if someone is able to
create two keys with the same fingerprint.  You don't need to care
because you sign his key+user_id.  The fingerprint doesn't matter
anymore after you signed it.  Only with a preimage attack a third person
would be able to create a key to impersonate the first one.

In any case the crypto community is well aware that algorithms wear out
and that we need to prepare the migration to newer algorithms.  This is
the hard job of protocol design and product deployment.

> with OpenPGP business. It is not an attempt to replace the OpenPGP
> fingerprint. It does not even touch any OpenPGP stuff within GnuPG.
> It's solely about letting GnuPG (not general OpenPGP) users experiment.

New features will be used and may later force the protocol designers to
take a path they would not have taken if so many users had not set a
de-facto standard.  Fortunately the OpenPGP fingerprint is well defined,
and we want to keep it this way and not fall back to a de-facto method
for computing a fingerprint on an X.509 certificate.

> - Is it feasible to ask people to check printouts of SHA2 digests before
>   coming to key-signing parties?

No.

[ And you should not use the key checking method you have in mind.
  Exchanging paper slips is the only solid way to run a key signing
  party.  I am really sorry that we came up with that crypto-cool key
  signing scheme at the Utrecht keyserver admins back in 2000.  It
  does not work in practice. ]


> - Is it feasible to hold key-signing parties where SHA2 digests are
>   compared live?

No.

> - Do people revolt against manually checking longer digests?

No, because many of them check only the beginning and end of the
fingerprint, if at all.

> It is about freedom; giving people access to further digests.
> Letting people experiment.

You are about to weaken a good protocol to drive it into the X.509 mess.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
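Added example, not part of the original mail and not GnuPG's own code: how the "well defined" OpenPGP fingerprint Werner refers to is computed for a version 4 key, following RFC 4880 (MPI encoding in section 3.2, the RSA public key packet body in 5.5.2, the fingerprint and key ID in 12.2). It also exposes the exact octets that go into SHA-1, which is what a preimage attack on the fingerprint would have to target, and shows that only the key packet (not user IDs or signatures) enters the hash. The key material (`DEMO_N`, `DEMO_E`, `DEMO_CREATED`) is constructed for the example and is a deliberately tiny, insecure modulus, not a real key; all function names are this example's own.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI (RFC 4880 3.2):
    two-octet big-endian bit length, then the magnitude without leading zeros."""
    if value < 0:
        raise ValueError("MPI must be non-negative")
    if value == 0:
        return b"\x00\x00"
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public key packet (RFC 4880 5.5.2):
    version octet 4, 4-octet creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint_preimage(body: bytes) -> bytes:
    """Exactly the octets RFC 4880 12.2 feeds to SHA-1: 0x99, the two-octet
    length of the key packet body, then the body.  A second-preimage attack
    on a fingerprint must produce a different body whose preimage hashes to
    the same 20 octets; a mere collision between two attacker keys does not
    touch anyone else's existing key."""
    if len(body) > 0xFFFF:
        raise ValueError("v4 fingerprint input is limited to 65535 octets")
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(body: bytes) -> bytes:
    """20-octet version 4 fingerprint: SHA-1 over the preimage above."""
    return hashlib.sha1(v4_fingerprint_preimage(body)).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID is the low-order eight octets of the v4 fingerprint."""
    return fingerprint[-8:]


def format_fingerprint(fingerprint: bytes) -> str:
    """Render as gpg prints it: ten groups of four upper-case hex digits,
    with a double space after the fifth group."""
    hexstr = fingerprint.hex().upper()
    groups = [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


# Constructed demo key material (an assumption of this example): a tiny,
# deliberately insecure RSA modulus so the code runs without a real key.
# The creation time is chosen to match the date of this mail in UTC.
DEMO_CREATED = 1327934648   # 2012-01-30T14:44:08Z
DEMO_N = 0xC45C8B4B04E1D5E9A6F0E8E6F2B2E9F3B8D5E7C1A3F4D6B9E8C7A5F3D1B2C4E6F8A9
DEMO_E = 65537

DEMO_BODY = v4_rsa_public_key_body(DEMO_CREATED, DEMO_N, DEMO_E)
DEMO_FPR = v4_fingerprint(DEMO_BODY)

if __name__ == "__main__":
    print("fingerprint:", format_fingerprint(DEMO_FPR))
    print("key id:     ", key_id(DEMO_FPR).hex().upper())
    # Changing only the creation time yields an unrelated fingerprint; nothing
    # attached later (user IDs, certification signatures) enters this hash.
    other = v4_rsa_public_key_body(DEMO_CREATED + 1, DEMO_N, DEMO_E)
    print("same key material, creation time +1s:",
          format_fingerprint(v4_fingerprint(other)))
```

Running the module prints the demo fingerprint in gpg's layout; feeding a real key's public key packet body to `v4_fingerprint` reproduces what `gpg --fingerprint` shows for a v4 key, which is the check a practitioner would use to confirm the encoding.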
