multiple subkeys and key transition

Robert J. Hansen rjh at
Thu Dec 9 22:33:06 CET 2010

On 12/9/10 4:02 PM, Daniel Kahn Gillmor wrote:
> Maybe we're not talking about the same thing, but i don't understand the
> attack you describe.   Why would a weakness in the old certificate
> format be able to invalidate the same key under a new format?

I did not communicate the idea well.  In retrospect, I communicated it
quite poorly.

Imagine a certificate that depends on a trivially weak hash -- say MD5
was used instead of SHA-1 for self-signatures, etc.  Fine: that
certificate is now out there in the wild.  The signatures it makes are
quite suspect.

A new certificate standard comes out.  You migrate your old certificate
material to a new cert.  You want to continue using it, after all.
(Why, I don't know: it isn't as if it's hard to generate new certs.)
Great, except that your old cert is, in many jurisdictions, legally
enforceable against you.  You haven't revoked it: in fact, you continue
to assert that it is usable (albeit in a new cert format).

Someone else exploits the old, insecure cert format in a way you don't
like.  Now you're stuck arguing, "wait, that's not my cert... well, it
/is/ my cert, it's the same cert material, but it's /not/ my cert,
because that's an old insecure format..."

So far I've handwaved all different kinds of interesting issues and
questions -- and I've *still* gone over the heads of the vast majority
of lawyers and judges who would be arguing over the question of, "is
this signature enforceable?"  Remember, in the eyes of the U.S. federal
court system, MD5 is considered a strong hash with no known attacks
against it.  I don't trust the courts to understand these subtle nuances.

There is a big difference between something that is possible and
harmless in a technical sense, and something that is possible but not
recommended in a human sense.  Technically, yes, it's possible.  From a
human factors perspective I would revoke the old cert, create a new one,
make a clean break with the past and move forward.  Fewer opportunities
for human factors to bite me in the posterior.

> Could you point to a reference that explains why a person with a v3 key
> considered sufficiently-strong by that day's estimation (say, 1024-bit
> RSA) would have had to create an entirely new key instead of just
> migrating their old key to v4?

*Have* to?  None.
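The post's scenario turns on a certificate whose signature packets use a weak hash or the old v3 format. The check a practitioner would want before deciding "migrate or revoke" is to look at exactly that: walk the packets of an exported key and report the version and hash algorithm of every signature packet. The following is an added example, not code from the original post and not part of GnuPG. It reads only the packet framing and the fixed signature header laid out in RFC 4880 (sections 4.2, 5.2.2 and 5.2.3), does not verify signatures or check issuer key IDs, and the sample key it operates on is constructed by hand (the user ID, key ID, MPI and timestamp values are placeholders). The function and constant names (`audit_signatures`, `iter_packets`, `SAMPLE_KEY`, `WEAK_HASHES`) are this example's own.

```python
"""Audit the signature packets in an OpenPGP key for the weak material the
post describes: v3 signatures and signatures made with MD5.

Added example, not code from the original post or from GnuPG.  It parses only
packet framing (RFC 4880 s4.2) and the fixed header of signature packets
(s5.2.2 for v3, s5.2.3 for v4); it does not verify signatures or check which
key issued them.  The sample key at the bottom is constructed by hand."""

SIG_PACKET_TAG = 2
USER_ID_PACKET_TAG = 13

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIGTYPE_NAMES = {0x10: "generic cert", 0x11: "persona cert", 0x12: "casual cert",
                 0x13: "positive cert", 0x18: "subkey binding",
                 0x1F: "direct key", 0x20: "key revocation",
                 0x28: "subkey revocation", 0x30: "cert revocation"}
WEAK_HASHES = {1}   # MD5, the hash the post uses as its example of a broken self-signature


def _packet_header(buf, off):
    """Return (tag, body_offset, body_length) for the packet starting at buf[off]."""
    b = buf[off]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % off)
    if b & 0x40:                                   # new-format header (RFC 4880 s4.2.2)
        tag, l1 = b & 0x3F, buf[off + 1]
        if l1 < 192:
            return tag, off + 2, l1
        if l1 < 224:
            return tag, off + 3, ((l1 - 192) << 8) + buf[off + 2] + 192
        if l1 == 255:
            return tag, off + 6, int.from_bytes(buf[off + 2:off + 6], "big")
        raise ValueError("partial body lengths are not handled")
    tag, ltype = (b >> 2) & 0x0F, b & 0x03         # old-format header (RFC 4880 s4.2.1)
    if ltype == 3:
        raise ValueError("indeterminate packet length is not handled")
    nlen = 1 << ltype                              # 1, 2 or 4 length octets
    return tag, off + 1 + nlen, int.from_bytes(buf[off + 1:off + 1 + nlen], "big")


def iter_packets(buf):
    """Yield (tag, body) for each packet in a binary OpenPGP packet stream."""
    off = 0
    while off < len(buf):
        tag, start, length = _packet_header(buf, off)
        if start + length > len(buf):
            raise ValueError("truncated packet at offset %d" % off)
        yield tag, buf[start:start + length]
        off = start + length


def parse_signature_header(body):
    """Return version, signature type and hash algorithm of a signature packet body."""
    version = body[0]
    if version == 3:
        # v3: version, 0x05, sigtype, creation time(4), key ID(8), pk alg, hash alg, ...
        if body[1] != 5:
            raise ValueError("malformed v3 signature")
        return {"version": 3, "sigtype": body[2], "hash": body[16]}
    if version == 4:
        # v4: version, sigtype, pk alg, hash alg, hashed subpackets, ...
        return {"version": 4, "sigtype": body[1], "hash": body[3]}
    raise ValueError("unsupported signature version %d" % version)


def audit_signatures(buf):
    """List every signature packet with a 'weak' verdict: v3 format or an MD5 digest."""
    findings = []
    for tag, body in iter_packets(buf):
        if tag != SIG_PACKET_TAG:
            continue
        sig = parse_signature_header(body)
        sig["sigtype_name"] = SIGTYPE_NAMES.get(sig["sigtype"], "0x%02x" % sig["sigtype"])
        sig["hash_name"] = HASH_NAMES.get(sig["hash"], "unknown(%d)" % sig["hash"])
        sig["weak"] = sig["version"] == 3 or sig["hash"] in WEAK_HASHES
        findings.append(sig)
    return findings


# --- constructed sample: a user ID followed by three positive-certification sigs ---
def _old_format_packet(tag, body):
    """Wrap body in an old-format header with a one-octet length (bodies < 256 bytes)."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body

_DUMMY_MPI = b"\x00\x08\x2a"                       # 8-bit MPI; the signature value is irrelevant here
_V3_MD5_SIG = (bytes([3, 5, 0x13]) + b"\x4c\x01\x00\x00" + b"\x11" * 8   # placeholder time, key ID
               + bytes([1, 1]) + b"\x00\x00" + _DUMMY_MPI)                 # RSA, MD5
_V4_MD5_SIG = bytes([4, 0x13, 1, 1]) + b"\x00\x00" * 3 + _DUMMY_MPI        # RSA, MD5, no subpackets
_V4_SHA256_SIG = bytes([4, 0x13, 1, 8]) + b"\x00\x00" * 3 + _DUMMY_MPI     # RSA, SHA256

SAMPLE_KEY = (_old_format_packet(USER_ID_PACKET_TAG, b"Alice Example <alice@example.org>")
              + _old_format_packet(SIG_PACKET_TAG, _V3_MD5_SIG)
              + _old_format_packet(SIG_PACKET_TAG, _V4_MD5_SIG)
              + _old_format_packet(SIG_PACKET_TAG, _V4_SHA256_SIG))

if __name__ == "__main__":
    for f in audit_signatures(SAMPLE_KEY):
        print("v%d %-16s %-8s %s" % (f["version"], f["sigtype_name"], f["hash_name"],
                                     "WEAK" if f["weak"] else "ok"))
```

Run against a real export (`gpg --export KEYID > key.bin`, then `audit_signatures(open("key.bin", "rb").read())`) it tells you whether the certificate still carries the kind of signatures the post is worried about, which is the input to the "migrate or revoke and start clean" decision. Two caveats: a signature flagged here is weak regardless of who issued it, so self-signatures and third-party certifications are reported alike, and the script deliberately treats only MD5 as weak because that is the post's example; a current audit would add SHA-1 to `WEAK_HASHES`.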
