New results against SHA-1

David Shaw dshaw at jabberwocky.com
Mon May 4 14:51:56 CEST 2009


On May 4, 2009, at 6:16 AM, Nicholas Cole wrote:

> On Mon, May 4, 2009 at 9:24 AM, Werner Koch <wk at gnupg.org> wrote:
>> On Fri,  1 May 2009 05:58, atom at smasher.org said:
>>
>>> so... when is the open-pgp spec moving beyond SHA1 hashes to identify
>>> public keys? what's next? will it have to be a bigger hash?
>>
>> OpenPGP does not claim that the fingerprint is a unique way to identify
>> a key.
>
> How does GPG cope if two keys on the keyring have the same FP?  AFAICS
> that would make things very difficult for most of the front-ends,
> especially if they had been relying on the uniqueness (in practice) of
> the FP to specify which key to operate on.

In theory, OpenPGP implementations should cope just fine with multiple  
keys having the same fingerprint.  What to do depends on the context,  
but you could for example try all of the same-FP keys to verify a  
signature, etc.

In practice, however, I suspect that most, if not all, OpenPGP  
programs would exhibit strange behavior of one sort or another.  This  
sort of thing is hard to test for since it essentially implies  
creating a SHA-1 collision (which even with the recent discoveries is  
not a trivial thing).  It's possible to fake a collision in the code,  
but again, they're so absurdly rare there are other bugs that would  
hit first.

In the computer urban legend department, I actually heard a story once  
about someone who claimed to have (completely accidentally) generated  
a key with a colliding fingerprint.  Unfortunately he deleted it  
because he thought it was a bad key when his client didn't behave well  
with it....  You may draw from that what you will!

David
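
As an added example (not part of the original post, and not GnuPG code): a keyring that files keys under a fingerprint without assuming uniqueness, tries every same-fingerprint key when verifying, and fakes a collision by swapping in a constant fingerprint function. The class and function names, the sample key bytes, and the hash-based stand-in for signature verification are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

def v4_fingerprint(body: bytes) -> bytes:
    """OpenPGP V4 fingerprint: SHA-1 over 0x99, 2-byte length, key packet body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()

class Keyring:
    """Hypothetical keyring: each fingerprint maps to a list of keys, not one key."""
    def __init__(self, fingerprint=v4_fingerprint):
        self._fingerprint = fingerprint
        self._by_fp = defaultdict(list)

    def add(self, body: bytes) -> bytes:
        fp = self._fingerprint(body)
        if body not in self._by_fp[fp]:  # the same key added twice is not a collision
            self._by_fp[fp].append(body)
        return fp

    def lookup(self, fp: bytes) -> list:
        return list(self._by_fp.get(fp, []))

    def verify(self, fp, message, signature, verify_one):
        """Try every key filed under fp; return the one that verifies, else None."""
        for body in self.lookup(fp):
            if verify_one(body, message, signature):
                return body
        return None

# Stand-in for real public-key signature verification so the example needs no
# crypto library. It is NOT a signature scheme; it only binds a tag to one key.
def stand_in_sign(body: bytes, message: bytes) -> bytes:
    return hashlib.sha256(body + b"|" + message).digest()

def stand_in_verify(body: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(body, message), signature)

def demo():
    # Fake a collision in code: every key gets the same 20-byte fingerprint.
    ring = Keyring(fingerprint=lambda body: bytes(20))
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"  # not real packets
    fp = ring.add(key_a)
    ring.add(key_b)
    message = b"constructed message"
    signature = stand_in_sign(key_b, message)
    return ring.lookup(fp), ring.verify(fp, message, signature, stand_in_verify)

if __name__ == "__main__":
    print(demo())
```

A front-end that takes a fingerprint from the user should treat a `lookup` result with more than one entry as ambiguous and ask which key is meant, rather than silently operating on the first.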



