SHA-1 deprecation timeline

Henry de Valence hdevalence at
Thu May 12 15:31:15 CEST 2016

On Tue, May 10, 2016 at 04:00:13PM -0400, Robert J. Hansen wrote:
> > What is the current plan for the complete deprecation of SHA-1 from GnuPG?
> There isn't one.  GnuPG tracks the IETF OpenPGP RFC.  Once they
> deprecate SHA-1, GnuPG will follow suit probably within a couple of
> weeks.  However, until then, SHA-1 stays.
> If your next question is "What's the working group's plan for complete
> deprecation of SHA-1?", they're currently hammering out a major overhaul
> to the RFC.  There is no timetable yet, but it's an area of active
> development.

SHA-1 has been broken for the last 11 years, and people have been urging its
removal for at least that long: for instance, "we need to get to work replacing
SHA" from Feb. 2005 [0].  Now public cryptanalysis has produced a freestart
collision and a common-prefix collision is underway -- not by a secret agency
with billions of dollars in budget and access to custom hardware, but by a team
of academics with a credit card and access to NVidia's online store.

GPG only disabled MD5 in June 2014, with version 2.0.23 [1], eighteen years
after the first freestart collision (Dobbertin 1996), ten years after the first
full collision attack (Wang-Feng-Lai-Yu 2004), nine years after the
construction of valid X.509 certificates with the same MD5 hash
(Lenstra-Wang-de Weger 2005), eight years after the publication of software for
60-second MD5 collisions on a notebook computer (Klima 2006), six years after
MD5 collisions were used to forge TLS certificates
(Sotirov-Stevens-Appelbaum-Lenstra-Molnar-Osvik-de Weger 2008), and two years
after MD5 collisions were found in use by the Flame malware.

How long will GPG users have to wait this time, and what has to happen to get a
concrete timetable, like there has been for TLS since 2014?

Henry de Valence


More information about the Gnupg-devel mailing list