SHA-1 deprecation timeline

Henry de Valence hdevalence at riseup.net
Fri Feb 24 03:43:45 CET 2017


On Fri, May 13, 2016 at 01:04:15AM -0400, Robert J. Hansen wrote:
> > SHA-1 has been broken for the last 11 years...
> 
> No.  In fact, it still hasn't been broken today.  Don't scaremonger.
> Scaremongering about crypto is one of the quickest ways to make me angry.

Just to circle back on this, actually SHA-1 has been broken today.

> SHA-1 has failed to meet its cryptographic goals.  It is 'broken' in an
> extremely narrow cryptanalytic sense.  There has been no break in it
> which would result in OpenPGP messages being forgeable.  We definitely
> need to migrate away from it (my first "please migrate away" message was
> August 19, 2005; I've been banging this drum a *long* time), but we also
> need to not spread misinformation and fear.

It is 'broken' in the extremely broad and practical sense that there are two
PDF files with the same SHA-1 hash.  You can download them from Google.

> As far as the OpenPGP use case, SHA-1 is not yet broken.
> 
> > and people have been urging its removal for at least that long
> 
> Yes, people who don't understand a bloody thing about cryptographic
> systems.  The people who write them for a living have instead understood
> that SHA-1 needs to be supported for at least the next decade just to
> interoperate with legacy systems and traffic.
>
> Deprecating an optional algorithm (like MD5) is pretty easy.  Removing a
> required algorithm (like SHA-1) is pretty tough.  And it starts by
> editing the RFC to make the required algorithm optional, and then it
> gets deprecated.
> 
> > GPG only disabled MD5 in June 2014...
> 
> It was deprecated long, *long* before that.
> 
> > How long will GPG users have to wait this time, and what has to happen to get a
> > concrete timetable, like there has been for TLS since 2014?
> 
> Unless you've got a support contract with g10 Code, you've got no cause
> to be talking like this.  Nobody here owes you a blessed thing.
> 
> You've already been told what has to happen.  Once the IETF OpenPGP
> Working Group publishes a new RFC with guidance for what should be done
> about SHA-1, GnuPG will implement that RFC in short order -- my guess is
> within weeks.  The delay is in the Working Group, *not* GnuPG.

What has the IETF OpenPGP working group done since last May?  The TLS ecosystem
has been hard at work deprecating SHA-1 for several years now.

Cheers,
Henry de Valence
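Added example (not code from this thread, from GnuPG, or from the OpenPGP working group): since the question above is what it takes to get SHA-1 out of OpenPGP, a practitioner's first step is finding where it is still used. The script below walks raw RFC 4880 packets and reports the hash algorithm of each v3/v4 signature packet, plus the preferred-hash list (subpacket 21) that a v4 self-signature advertises. It handles old- and new-format headers but not partial body lengths, and the three signature packets it runs on are constructed for the example (their MPIs are placeholders, not real signatures).

```python
"""Audit OpenPGP packets for signatures that still rely on MD5 or SHA-1.

Added example, not part of the gnupg-devel thread or of GnuPG: a minimal
RFC 4880 packet walker. Only v3 and v4 signature packets are interpreted;
partial body lengths are rejected. SAMPLE below is constructed test data.
"""
from typing import Dict, Iterator, List, Optional, Tuple

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}            # MD5 and SHA-1
SIG_PACKET = 2                  # RFC 4880 packet tag for a signature
SUBPKT_PREFERRED_HASH = 21      # preferred hash algorithms subpacket


def _new_format_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a new-format packet length; returns (length, next_pos)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not supported")


def _subpacket_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Subpacket lengths use the same encoding but have no partial form."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet with an old- or new-format header."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("packet header bit 7 not set at offset %d" % pos)
        if ctb & 0x40:                      # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            length, pos = _new_format_length(data, pos + 1)
        else:                               # old format: tag in bits 5..2
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            nbytes = 1 << ltype             # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += length


def iter_subpackets(area: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, data) for each subpacket in a signature's hashed area."""
    pos = 0
    while pos < len(area):
        length, pos = _subpacket_length(area, pos)
        sub = area[pos:pos + length]
        yield sub[0] & 0x7F, sub[1:]        # bit 7 of the type is the critical flag
        pos += length


def audit_signatures(data: bytes) -> List[Dict]:
    """Report the hash algorithm used by every signature packet in data."""
    findings = []
    for tag, body in iter_packets(data):
        if tag != SIG_PACKET:
            continue
        version = body[0]
        prefs: Optional[List[str]] = None
        if version == 3:
            # v3 layout: ver, 0x05, sigtype, time(4), keyid(8), pkalgo, hash, ...
            hash_id = body[16]
        elif version == 4:
            # v4 layout: ver, sigtype, pkalgo, hash, hashed-len(2), subpackets, ...
            hash_id = body[3]
            hashed_len = int.from_bytes(body[4:6], "big")
            for stype, sdata in iter_subpackets(body[6:6 + hashed_len]):
                if stype == SUBPKT_PREFERRED_HASH:
                    prefs = [HASH_ALGOS.get(h, "unknown(%d)" % h) for h in sdata]
        else:
            raise ValueError("unsupported signature version %d" % version)
        findings.append({
            "version": version,
            "hash": HASH_ALGOS.get(hash_id, "unknown(%d)" % hash_id),
            "weak": hash_id in WEAK_HASHES,
            "preferred_hashes": prefs,
        })
    return findings


# Constructed sample (not real signatures): a v4 RSA signature over SHA-1 that
# prefers SHA256 then SHA1, a v4 signature over SHA-256, and a v3 MD5 signature.
SAMPLE = bytes.fromhex(
    "8811041301020004031508020000abcd0008ff"      # old-format header, v4, SHA1
    "c20d040001080000000012340008ff"              # new-format header, v4, SHA256
    "881603050000000000001122334455667701" "01abcd0008ff"   # v3, MD5
)

if __name__ == "__main__":
    for f in audit_signatures(SAMPLE):
        flag = "WEAK" if f["weak"] else "ok  "
        print(flag, "v%d" % f["version"], f["hash"], f["preferred_hashes"])
```

Note that this only finds SHA-1 in signatures and preference lists; a v4 key's fingerprint is itself a SHA-1 digest by definition, which is one reason removing the algorithm needs a new RFC rather than a client-side switch.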
