multiple subkeys and key transition

Robert J. Hansen rjh at sixdemonbag.org
Thu Dec 9 20:17:02 CET 2010


On 12/9/10 1:30 PM, Ben McGinnes wrote:
> Ah, a debate, excellent.  Now let's make it a little more
> entertaining, where do you see RIPEMD-160 in the scheme of things?

My suspicion is that RIPEMD-160 is broken; we just don't know how.  It
has an awful lot of mathematical similarities to hashes that have been
broken: it is my suspicion that existing attacks will be successful when
tweaked to apply to RIPEMD-160.

> Is it possible that this current transition push is partially aimed at
> reigniting the WG's discussion by creating a new de-facto standard?

Dunno, ask the WG.

>> This statement seems to assume that the RFC can't or won't be
>> updated in a way that people could make the transition using the
>> same key material, assuming they were using strong enough keys and
>> digests in the first place.
> 
> What is the likelihood of that actually being the case?

IMO, quite high.  If you use the same key material, then if the old
OpenPGP certificate format ever becomes weak an attacker can simply take
an old certificate of yours, upgrade it to the new format, and bang
they're off to the races.

If/when the time comes for SHA-1 to be completely removed from OpenPGP,
the migration path will quite likely involve new keys -- the same way
that the V3/V4 migration path in the past necessitated new keys.

> Since I prefer a more long-term approach, this should eventually lead
> to 8,192-bit encryption keys when 4,096-bit becomes the default.

It is unlikely it ever will.  3K RSA keys are believed to be equivalent
to a 128-bit symmetric key.  If computational power ever develops to
that point, the solution is going to involve moving to entirely
different algorithms instead of just tacking on another couple of bits.
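The last paragraph rests on a rough equivalence between RSA modulus size and symmetric key strength. Where that equivalence comes from is worth seeing worked through, so here is an added example (not part of the original post or of GnuPG) that estimates it from the asymptotic cost of the general number field sieve, L_n[1/3, (64/9)^(1/3)]. The formula has no fixed constant, so the estimate is calibrated against one assumed anchor point (1024-bit RSA taken as roughly 80-bit security, the figure NIST SP 800-57 gives for that size) and then cross-checked against the other NIST table entries. The function names, the calibration point and the set of sizes compared are choices made for this example, not anything from the thread.

```python
import math

# Asymptotic GNFS running time for factoring an integer n:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),  c = (64/9)^(1/3)
GNFS_C = (64.0 / 9.0) ** (1.0 / 3.0)


def gnfs_log2_work(modulus_bits: int) -> float:
    """log2 of the uncalibrated GNFS cost of factoring a modulus of this size."""
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_ln / math.log(2)


def symmetric_equivalent(modulus_bits: int, calibration=(1024, 80)) -> float:
    """Estimated symmetric-key strength (bits) of an RSA modulus.

    The L-notation hides a constant factor, so the curve is pinned to one
    assumed anchor: by default 1024-bit RSA ~ 80-bit symmetric (assumption,
    taken from NIST SP 800-57's table). Everything else is relative to it.
    """
    cal_bits, cal_strength = calibration
    return cal_strength + gnfs_log2_work(modulus_bits) - gnfs_log2_work(cal_bits)


# Published mapping used only as a cross-check for the estimate above.
NIST_SP800_57 = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def marginal_gain(from_bits: int, to_bits: int) -> float:
    """How many bits of symmetric strength a modulus increase buys."""
    return symmetric_equivalent(to_bits) - symmetric_equivalent(from_bits)


def compare(sizes=(1024, 2048, 3072, 4096, 7680, 8192, 15360)):
    """Rows of (modulus bits, GNFS estimate, NIST value or None)."""
    return [(b, round(symmetric_equivalent(b)), NIST_SP800_57.get(b)) for b in sizes]


if __name__ == "__main__":
    print(f"{'RSA bits':>9} {'GNFS est.':>10} {'NIST':>6}")
    for bits, est, nist in compare():
        print(f"{bits:>9} {est:>10} {nist if nist is not None else '-':>6}")
    # Doubling the modulus from 4096 to 8192 bits buys only a few dozen bits
    # of symmetric-equivalent strength on this model.
    print(f"4096 -> 8192 bits gains about {marginal_gain(4096, 8192):.0f} bits")
```

The estimate lands within a few bits of each NIST entry, which is why "3K RSA is about 128-bit" is the usual shorthand. The more useful output is the last line: going from 4096 to 8192 bits roughly doubles signature and decryption cost for a gain of about fifty bits of estimated strength, while a move from RSA to a different family (elliptic curves, or post-quantum schemes) changes the cost curve itself rather than sliding along it.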
