multiple subkeys and key transition
Ben McGinnes
ben at adversary.org
Thu Dec 9 21:26:51 CET 2010
On 10/12/10 6:17 AM, Robert J. Hansen wrote:
> On 12/9/10 1:30 PM, Ben McGinnes wrote:
>> Ah, a debate, excellent. Now let's make it a little more
>> entertaining, where do you see RIPEMD-160 in the scheme of things?
>
> My suspicion is RIPEMD-160 is broken, we just don't know how. It
> has an awful lot of mathematical similarities to hashes that have
> been broken: it is my suspicion existing attacks will be successful
> when tweaked to apply to RIPEMD-160.
Okay, I can't say I've been overjoyed at having it as the only
apparent alternative to SHA-1. I think, however, that the
"enable-dsa2" option you mentioned is working, so that's a much better
solution.
>> Is it possible that this current transition push is partially aimed
>> at reigniting the WG's discussion by creating a new de-facto
>> standard?
>
> Dunno, ask the WG.
As soon as I find them ...
>>> This statement seems to assume that the RFC can't or won't be
>>> updated in a way that people could make the transition using the
>>> same key material, assuming they were using strong enough keys and
>>> digests in the first place.
>>
>> What is the likelihood of that actually being the case?
>
> IMO, quite high. If you use the same key material, then if the old
> OpenPGP certificate format ever becomes weak an attacker can simply
> take an old certificate of yours, upgrade it to the new format, and
> bang they're off to the races.
Nasty.
> If/when the time comes for SHA-1 to be completely removed from
> OpenPGP, the migration path will quite likely involve new keys --
> the same way that the V3/V4 migration path in the past necessitated
> new keys.
That sounds an awful lot like the reason behind creating my current
key. Actually, that's not true, there's a set from about six months
earlier that I thought I new the passphrase to, but ... you know the
rest of that tale (just about everyone does that at least once). ;)
>> Since I prefer a more long-term approach, this should eventually
>> lead to 8,192-bit encryption keys when 4,096-bit becomes the
>> default.
>
> It is unlikely it ever will. 3K RSA keys are believed to be
> equivalent to a 128-bit symmetric key. If computational power ever
> develops to that point, the solution is going to involve moving to
> entirely different algorithms instead of just tacking on another
> couple of bits.
Well, I have rather enjoyed the fact that the 4096-bit Elgamal key I
created a dozen years ago is still considered practically impossible
to defeat (not counting if I ever managed to piss off the NSA/DSD).
Any larger would start getting a bit ridiculous (although I do know
which bit of keygen.c to tweak to make it possible).
Regards,
Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101210/7e531002/attachment.pgp>
More information about the Gnupg-users
mailing list