multiple subkeys and key transition

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 9 22:02:30 CET 2010


On 12/09/2010 02:17 PM, Robert J. Hansen wrote:
> IMO, quite high.  If you use the same key material, then if the old
> OpenPGP certificate format ever becomes weak an attacker can simply take
> an old certificate of yours, upgrade it to the new format, and bang
> they're off to the races.

Maybe we're not talking about the same thing, but i don't understand the
attack you describe.  Why would a weakness in the old certificate
format be able to invalidate the same key under a new format?
Note: i am *not* talking about a weakness in the underlying ciphers,
digests, or asymmetric algorithms involved.

A weakness in the certificate format itself would certainly make me wary
of relying on certificates in the weak format, but why would it mandate
re-keying?

Could you give a more detailed example of such an attack?

> If/when the time comes for SHA-1 to be completely removed from OpenPGP,
> the migration path will quite likely involve new keys -- the same way
> that the V3/V4 migration path in the past necessitated new keys.

Could you point to a reference that explains why a person with a v3 key
considered sufficiently-strong by that day's estimation (say, 1024-bit
RSA) would have had to create an entirely new key instead of just
migrating their old key to v4?

Thanks for clarifying,

	--dkg
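The v3/v4 question above turns on what actually changes when the same RSA key material is re-wrapped in a newer certificate format. As an added illustration that is not part of this thread, the following Python computes both the v3 and the v4 fingerprint and key ID, per RFC 4880 section 12.2, over one constructed (not real) modulus; the key material is identical in both cases, but the identity derived from it, and the hash that identity rests on, differ.

```python
import hashlib

# Constructed sample key material (NOT a real key): a repeating 512-bit modulus and e = 65537.
SAMPLE_N = int("c3f1a9e7b5d24680" * 8, 16)
SAMPLE_E = 65537
SAMPLE_CREATED = 1291928550  # arbitrary creation timestamp, seconds since the epoch

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then the big-endian magnitude."""
    magnitude = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return value.bit_length().to_bytes(2, "big") + magnitude

def v3_fingerprint(n: int, e: int) -> bytes:
    """RFC 4880 12.2: v3 fingerprint is MD5 over the MPI bodies of n and e (no length octets).
    Only the key material enters it; the creation time plays no part."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).digest()

def v3_key_id(n: int, e: int) -> bytes:
    """v3 key ID is the low 64 bits of the modulus itself, so it is not collision resistant
    (whoever picks the modulus picks the key ID); one reason v3 keys are deprecated."""
    return mpi(n)[2:][-8:]

def v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 RSA (algorithm 1) public-key packet: version, creation time, algorithm, MPIs."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(n: int, e: int, created: int) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the packet body."""
    body = v4_public_key_body(n, e, created)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()

def v4_key_id(n: int, e: int, created: int) -> bytes:
    """v4 key ID is the low 64 bits of the SHA-1 fingerprint, not of the modulus."""
    return v4_fingerprint(n, e, created)[-8:]

def identities(n: int, e: int, created: int) -> dict:
    """Both identities derived from the same key material, for side-by-side comparison."""
    return {
        "v3_fingerprint": v3_fingerprint(n, e).hex(),
        "v3_key_id": v3_key_id(n, e).hex(),
        "v4_fingerprint": v4_fingerprint(n, e, created).hex(),
        "v4_key_id": v4_key_id(n, e, created).hex(),
    }

if __name__ == "__main__":
    for name, value in identities(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED).items():
        print(f"{name:15} {value}")
```

Because the v4 fingerprint also covers the creation time, re-wrapping an old key as v4 yields a fingerprint and key ID that nobody has certified yet, which is the practical cost of a format migration even when the secret itself is unchanged.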
