SHA-1 deprecation timeline
Henry de Valence
hdevalence at riseup.net
Fri Feb 24 03:43:45 CET 2017
On Fri, May 13, 2016 at 01:04:15AM -0400, Robert J. Hansen wrote:
> > SHA-1 has been broken for the last 11 years...
> No. In fact, it still hasn't been broken today. Don't scaremonger.
> Scaremongering about crypto is one of the quickest ways to make me angry.
Just to circle back on this, actually SHA-1 has been broken today.
> SHA-1 has failed to meet its cryptographic goals. It is 'broken' in an
> extremely narrow cryptanalytic sense. There has been no break in it
> which would result in OpenPGP messages being forgeable. We definitely
> need to migrate away from it (my first "please migrate away" message was
> August 19, 2005; I've been banging this drum a *long* time), but we also
> need to not spread misinformation and fear.
It is 'broken' in the extremely broad and practical sense that there are two
PDF files with the same SHA-1 hash. You can download them from Google.
> As far as the OpenPGP use case, SHA-1 is not yet broken.
> > and people have been urging its removal for at least that long
> Yes, people who don't understand a bloody thing about cryptographic
> systems. The people who write them for a living have instead understood
> that SHA-1 needs to be supported for at least the next decade just to
> interoperate with legacy systems and traffic.
> Deprecating an optional algorithm (like MD5) is pretty easy. Removing a
> required algorithm (like SHA-1) is pretty tough. And it starts by
> editing the RFC to make the required algorithm optional, and then it
> gets deprecated.
> > GPG only disabled MD5 in June 2014...
> It was deprecated long, *long* before that.
> > How long will GPG users have to wait this time, and what has to happen to get a
> > concrete timetable, like there has been for TLS since 2014?
> Unless you've got a support contract with g10 Code, you've got no cause
> to be talking like this. Nobody here owes you a blessed thing.
> You've already been told what has to happen. Once the IETF OpenPGP
> Working Group publishes a new RFC with guidance for what should be done
> about SHA-1, GnuPG will implement that RFC in short order -- my guess is
> within weeks. The delay is in the Working Group, *not* GnuPG.
What has the IETF OpenPGP working group done since last May? The TLS ecosystem
has been hard at work deprecating SHA-1 for several years now.
Henry de Valence
More information about the Gnupg-devel