Best Practices

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 13 05:50:24 CET 2010


On 12/12/2010 11:03 PM, David Shaw wrote:
> The fingerprint issue is more than just making a new packet for a new MDC
> or revocation subpacket, though.  There is no concept in OpenPGP of a flag
> telling an implementation how to calculate the fingerprint - or rather
> there IS a flag: the version field, but it's hardcoded :)

In the discussion last year on the IETF list, the general consensus
seemed to be that the fingerprints of primary keys were not endangered
by a weakening of SHA-1's collision resistance.  (This is in stark
contrast to digital signatures and certifications, where weakened
collision resistance in an algorithm represents a real threat [0]).
But as far as i know, no one has yet reported a significant practical
concern about SHA-1's resistance to a pre-image attack, which suggests
that reliance on SHA-1 for fingerprints is probably reasonable until
SHA-3 is selected.

Nonetheless, the purpose of the fingerprint is just to help humans
identify and communicate keys.  It is not embedded in the parts of the
spec for any part of the certificate format (aside from desig-revoker,
an acknowledged flaw in RFC 4880).  So i see no reason that when SHA-3
comes out, we couldn't define a new form of fingerprint (call it v5 if
you want) based on SHA-3, produce/consume that fingerprint alongside the
traditional v4 fingerprint for a reasonable time period, stop producing
v4 fingerprints, and then ultimately stop consuming v4 fingerprints.
Presumably when rolling out the new fingerprint format, we'd also
specify that SHA-3 is the new "must-implement" digest for compliant
implementations.  Clearly, anyone capable of providing an SHA-3-based
fingerprint has a tool capable of calculating SHA-3.

These strike me as updates to the specification, certainly ("we now
calculate fingerprints in the following way; We now require SHA-3 as the
lowest-common-denominator digest").  But this is not a change of the
certificate format.

Can you help me understand why a change in the choice of fingerprint
technique and a change in the must-implement-digest-algorithm would
require a change in the certificates themselves?

	--dkg

[0] http://www.win.tue.nl/hashclash/rogue-ca/
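As an added illustration of the point made above (example code, not from the thread, from GnuPG, or from any RFC): the v4 fingerprint of RFC 4880 section 12.2 is SHA-1 over a framed copy of the public-key packet body, so swapping the digest changes only the fingerprint routine and leaves the packet bytes untouched. The "v5" function is a sketch of the proposal as stated in the message, not a standardised format, and the key material and timestamp are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed sample key material (illustration only, far too small to be a real key).
SAMPLE_N = 0xC0FFEE1234567890ABCDEF  # constructed RSA modulus
SAMPLE_E = 65537                      # common RSA public exponent
SAMPLE_CREATED = 1292215824           # constructed creation timestamp (seconds since epoch)

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")

def v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version 0x04, 4-byte creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def _framed(body: bytes) -> bytes:
    """RFC 4880 section 12.2 framing: 0x99, two-byte body length, body."""
    return b"\x99" + struct.pack(">H", len(body)) + body

def v4_fingerprint(body: bytes) -> str:
    """Standard v4 fingerprint: SHA-1 over the framed packet body, 40 hex digits."""
    return hashlib.sha1(_framed(body)).hexdigest().upper()

def hypothetical_v5_fingerprint(body: bytes) -> str:
    """Sketch of the proposal in the message: identical input, SHA-3 instead of SHA-1.
    Hypothetical; SHA3-256 stands in for whichever SHA-3 variant a future spec picks."""
    return hashlib.sha3_256(_framed(body)).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """A v4 key ID is the low 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]

def fingerprint_matches(body: bytes, claimed: str) -> bool:
    """Verify a fingerprint a human communicated against the actual key packet.
    Constant-time comparison avoids leaking how many leading digits matched."""
    return hmac.compare_digest(v4_fingerprint(body), claimed.replace(" ", "").upper())

if __name__ == "__main__":
    body = v4_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    print("v4 (SHA-1) :", v4_fingerprint(body), "key ID", key_id(v4_fingerprint(body)))
    print("v5? (SHA-3):", hypothetical_v5_fingerprint(body))
```

Both digests consume the very same 27 framed bytes, which is the sense in which a new fingerprint format is a specification update rather than a certificate-format change.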
