Best Practices

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 13 00:37:36 CET 2010


On 12/12/2010 03:51 PM, Robert J. Hansen wrote:
> On 12/12/2010 3:03 PM, Daniel Kahn Gillmor wrote:
>> what do you mean by "V4 certificate checksums"?
> 
> Read the RFC.  It's in there, and does a better job than I can do of
> explaining it.  Section 5.5.3.

I thought that you might be referring to 5.5.3, but that is also not
part of the OpenPGP certificate format.

It's part of the secret key packet format, and it's not a part that is
cryptographically-signed either.  It looks to me like that checksum is a
way to verify that you've decrypted the key properly, and it's made over
material that you generated yourself.  If you've retained physical
control over your secret key material, this is certainly not a
cryptographic concern.

>> yeah, this is serious, but it's not embedded in the certificate.  if we
>> were to come up with a new fingerprint format, it would not invalidate
>> any existing certificates -- it would just change how we refer to them.
> 
> I am very skeptical of this claim you seem to be making, that we can
> just upgrade-in-place.

We can (and some of us do) use OpenPGP certificates and exchange
encrypted and signed material without relying on SHA-1 already.

The *fingerprint* format probably will need to change eventually (though
I haven't seen any indication of preimage attacks against SHA-1 yet), and
the designated revoker subpacket is acknowledged to need an overhaul.
But you still haven't pointed to anything within the OpenPGP
*certificate* format itself that embeds SHA-1.

RFC 4880 mandates SHA-1 as a "must-implement" for compliant
implementations, but (aside from the rarely-used designated-revoker
subpacket) it doesn't require you to actually use it anywhere in the
certificates, as far as I can tell.  If I'm wrong about that, I
certainly hope to be made aware of it.

Again, the entire reason I'm engaging in this thread is to encourage
people to move to stronger cryptographic algorithms *today*.  I see no
good reason to wait for a new revision of the OpenPGP specification to
take advantage of stronger algorithms now.

Regards,

	--dkg
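The checksum dkg refers to above is the trailer that RFC 4880 section 5.5.3 puts after the algorithm-specific portion of a secret-key packet: a 2-octet sum of all octets mod 65536 (S2K usage octet 0 or 255) or a 20-octet SHA-1 hash of the plaintext (usage octet 254). The following Python is an added example, not code from the message or from GnuPG. It builds both trailers over a constructed sample MPI (not a real key), verifies them the way an implementation does after decrypting the material, simulates a wrong passphrase by XOR-ing the blob with a constant (a stand-in for the garbage a wrong CFB key stream would produce), and shows that the 2-octet variant is only an error detector: two octets can be altered without changing the sum. The function and constant names are this example's own.

```python
"""Added example (not from the original message): the integrity trailer
that RFC 4880 section 5.5.3 appends to a secret-key packet's
algorithm-specific portion.  All key material below is constructed."""
import hashlib
import struct

# String-to-key usage octets defined in RFC 4880 section 5.5.3.
S2K_USAGE_PLAIN = 0    # material in the clear, followed by a 2-octet checksum
S2K_USAGE_SHA1 = 254   # material encrypted, followed by a 20-octet SHA-1 hash
S2K_USAGE_SUM = 255    # material encrypted, followed by a 2-octet checksum


def checksum_2octet(data: bytes) -> bytes:
    """Sum of all octets modulo 65536, stored big-endian (RFC 4880 5.5.3)."""
    return struct.pack(">H", sum(data) % 65536)


def integrity_tag(material: bytes, s2k_usage: int) -> bytes:
    """The trailer a writer appends to the plaintext secret material."""
    if s2k_usage == S2K_USAGE_SHA1:
        return hashlib.sha1(material).digest()
    if s2k_usage in (S2K_USAGE_PLAIN, S2K_USAGE_SUM):
        return checksum_2octet(material)
    raise ValueError(f"unsupported S2K usage octet {s2k_usage}")


def verify_decrypted_material(plaintext: bytes, s2k_usage: int):
    """Split an already-decrypted portion into material and trailer and
    compare.  A wrong passphrase turns the material into noise, so the
    trailer no longer matches: this is the 'did I decrypt it correctly'
    check, not a signature by anyone.  Returns (ok, material)."""
    tag_len = 20 if s2k_usage == S2K_USAGE_SHA1 else 2
    if len(plaintext) < tag_len:
        return False, b""
    material, tag = plaintext[:-tag_len], plaintext[-tag_len:]
    return tag == integrity_tag(material, s2k_usage), material


def forge_same_checksum(material: bytes) -> bytes:
    """Return different material with the same 2-octet checksum, showing the
    checksum is an error detector, not a cryptographic binding: moving one
    unit from one octet to another leaves the sum unchanged."""
    buf = bytearray(material)
    src = next(i for i, b in enumerate(buf) if b > 0)
    dst = next(i for i, b in enumerate(buf) if b < 255 and i != src)
    buf[src] -= 1
    buf[dst] += 1
    return bytes(buf)


# Constructed sample: one MPI (2-octet bit count, then the big-endian
# integer), standing in for a secret exponent.  Not a real key.
SAMPLE_MATERIAL = bytes([0x00, 0x1F, 0x7F, 0x3A, 0x9C, 0x01])


def demo():
    """For each trailer type return (valid_ok, wrong_passphrase_ok, forged_ok)."""
    results = {}
    for usage in (S2K_USAGE_SUM, S2K_USAGE_SHA1):
        stored = SAMPLE_MATERIAL + integrity_tag(SAMPLE_MATERIAL, usage)
        ok, _ = verify_decrypted_material(stored, usage)
        # Stand-in for decrypting with the wrong passphrase: the output is
        # garbage, here produced by XOR with a fixed constant.
        garbage = bytes(b ^ 0x5C for b in stored)
        bad, _ = verify_decrypted_material(garbage, usage)
        # Tampered material carrying the original trailer.
        forged = forge_same_checksum(SAMPLE_MATERIAL) + stored[len(SAMPLE_MATERIAL):]
        forged_ok, _ = verify_decrypted_material(forged, usage)
        results[usage] = (ok, bad, forged_ok)
    return results


if __name__ == "__main__":
    for usage, (ok, bad, forged_ok) in demo().items():
        print(f"usage {usage}: valid={ok} wrong-passphrase={bad} forged={forged_ok}")
```

Usage octet 255 accepts the forged material while 254 rejects it; neither detects a substitution made by someone who can also rewrite the trailer, which is why the trailer only matters if the secret key file was never out of your control.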
