howto secure older keys after the recent attacks

Robert J. Hansen rjh at sixdemonbag.org
Thu Sep 10 16:54:46 CEST 2009


On Thu, 2009-09-10 at 14:02 +0200, Philippe Cerfon wrote:
> Uhm... what a pity. What would happen if SHA1 gets fully broken? Would
> we have to create a new OpenPGP and new keys?

Probably.  However, if SHA-1 gets totally broken we'll have a lot bigger
things to worry about than OpenPGP.

> > Well, yes and no.  Old signatures are certainly available to both friend and
> > foe, but the real question is: use them for what?  What attack are you
> > concerned about here?
> 
> Well... not sure...
> But perhaps it could be used to do some forgery with User IDs?

As soon as you find an attack, then we can discuss it.  Unfortunately,
we can't really talk intelligently about vague fears.

> I thought the key ID is only used for humans to short-check the
> keys... but not in the system itself?!

Nope, it's pretty pervasive in the system.

> So this would basically mean, once SHA1 is broken, we're totally screwed?!

If SHA-1 gets totally broken, pretty much everyone with a computer more
powerful than a pocket calculator is screwed.  We won't be the only
ones.

> At least at the moment you mean? I mean we had the "same" thing with
> MD4, MD5 and so on... so probably it will hit us with SHA1, too?

Hans Dobbertin proved MD5 was weak in 1996.  In 1997, Network Associates
(who then were pretty much the only game in town, as far as PGP goes)
decided the Dobbertin attack was worrisome and that MD5 needed to go.
By the time the MD5 attacks became practical, PGP had _long_ since
migrated to SHA-1 and RIPEMD160.

The same thing is happening today with OpenPGP.  Everyone knows about
the SHA-1 attacks.  For right now, the SHA-1 attacks are impractical.
The people behind OpenPGP are working on a new OpenPGP proposal that
will use a stronger, better hash algorithm.

They're on it.  Relax.  :)

If you want to follow the discussion yourself on the official mailing
list for the RFC4880 standard, feel free.  It's a public list and
everyone's welcome.
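The point about the key ID being "pretty pervasive" can be made concrete: under RFC 4880 a v4 fingerprint is the SHA-1 digest of the public-key packet, and the 64-bit key ID is simply its low-order octets, so everything indexed by key ID inherits whatever happens to SHA-1. The following is an added illustration, not part of the original thread or of GnuPG; the RSA modulus, exponent and creation time are constructed toy values, not a real key.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (public-key algorithm id 1):
    version octet, 4-octet creation time, algorithm octet, then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def long_key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return fingerprint[-8:]

def short_key_id(fingerprint: bytes) -> bytes:
    """The 32-bit 'short' key ID people compare by eye is the low-order 4 octets."""
    return fingerprint[-4:]

# Constructed toy values for illustration only; this is not a usable RSA key.
SAMPLE_N = 0xC0FFEE_DECAF_BAD_0123456789ABCDEF
SAMPLE_E = 65537
SAMPLE_CREATED = 1252594486  # constructed timestamp, seconds since the epoch

def derive_ids(created: int = SAMPLE_CREATED, n: int = SAMPLE_N, e: int = SAMPLE_E) -> dict:
    """Build the packet body and return fingerprint, long and short key ID as hex."""
    body = v4_rsa_public_key_body(created, n, e)
    fp = v4_fingerprint(body)
    return {
        "fingerprint": fp.hex().upper(),
        "long_key_id": long_key_id(fp).hex().upper(),
        "short_key_id": short_key_id(fp).hex().upper(),
    }

if __name__ == "__main__":
    ids = derive_ids()
    for name, value in ids.items():
        print(f"{name:13} {value}")
    # Identical key material with a different creation time gives a different key ID:
    # the ID is nothing more than the tail of one SHA-1 digest over the whole packet.
    print("shifted       ", derive_ids(created=SAMPLE_CREATED + 1)["long_key_id"])
```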

More information about the Gnupg-users mailing list