multiple subkeys and key transition
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Dec 9 22:02:30 CET 2010
On 12/09/2010 02:17 PM, Robert J. Hansen wrote:
> IMO, quite high. If you use the same key material, then if the old
> OpenPGP certificate format ever becomes weak an attacker can simply take
> an old certificate of yours, upgrade it to the new format, and bang
> they're off to the races.
Maybe we're not talking about the same thing, but i don't understand the
attack you describe. Why would a weakness in the old certificate
format would be able to invalidate the same key under a new format?
Note: i am *not* talking about a weakness in the underlying ciphers,
digests, or asymmetric algorithms involved.
A weakness in the certificate format itself would certainly make me wary
of relying on certificates in the weak format, but why would it mandate
re-keying?
Could you give a more detailed example of such an attack?
> If/when the time comes for SHA-1 to be completely removed from OpenPGP,
> the migration path will quite likely involve new keys -- the same way
> that the V3/V4 migration path in the past necessitated new keys.
Could you point to a reference that explains why a person with a v3 key
considered sufficiently-strong by that day's estimation (say, 1024-bit
RSA) would have had to create an entirely new key instead of just
migrating their old key to v4?
Thanks for clarifying,
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101209/20f1fc66/attachment-0001.pgp>
More information about the Gnupg-users
mailing list