2.1 beta or release

David Leon Gil coruus at gmail.com
Sat Oct 25 20:09:55 CEST 2014


On Sat, Oct 25, 2014 at 12:39 PM, Werner Koch <wk at gnupg.org> wrote:
> On Sat, 25 Oct 2014 15:39, coruus at gmail.com said:
>
>> I would like to avoid seeing the Ed25519 part too widely deployed
>> before this is fixed.
>
> Sorry, there is nothing to fix.  Ed25519 is an algorithms which you
> should not split up into hashing and signing part.  For OpenPGP we need
> to be able to separate this.
>
> Further, and probably most important, you won’t be able to do this with
> a smartcard or any other token - passing the entire data to be signed
> through the token is not possible due to limited I/O bandwidth.

There is a very simple way to fix any problems: Require that a
specific digest algorithm be used. (Just pick SHA-2-256 or SHA-2-512
at your preference; SHA-2-256 is faster in JS, SHA-2-512 is obviously
stronger.)

This remains compatible with hardware tokens with limited bandwidth,
it avoids any possibility of crossgrade attacks, and it simplifies
implementations. (It is not clear to me the relevance of hardware
tokens here, however: Do any support Ed25519?)

(There is a slightly more complicated way as well: let the input to
Ed25519 be HASH_OID||DIGEST.)



More information about the Gnupg-devel mailing list