Werner Koch
Mon Jun 25 16:50:17 CEST 2012

On Mon, 25 Jun 2012 16:18, johanw said:

> That depends on your threat model. If signing messages is not so
> important to you but encrypting is, this advice is understandable. So
> let MD5 be broken, it matters not for encryption. Not that I would

Sure it matters.  The self-signatures are bound using MD5 based
signatures and thus the user id and the web of trust signatures are
prone to MD5 attacks.

> Did anyone study the effect this has in using pgp 2 on modern Linux of

I don't care about PGP2 nor do the majority of crypto users.  The RNG
from PGP2 is usually used as an early example on the design of a RNG.

> This suggests a threat model where your opponent has almost Stuxnet like
> capabilities. Since the pgp 2 days we get warnings about adapted

You seem to have that threat model: You created a 2k RSA key back in
2000.  Even today it is not possible for any public institution to break
a 1024 bit key.  Thus why are you still advocating MD5?

> compilers, but I've never seen something like that surfacing. I'm not
> saying it is impossible but I doubt it is practically doable on a large

The business is that it shall not be visible on the surface.  Kernel
based key loggers are a standard feature of most trojans.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

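Werner's point above is that a key's user IDs and its web-of-trust certifications are bound by signature packets, and a PGP 2 era key carries v3 signatures whose hash algorithm is MD5. The script below is an added example, not code from this thread or from GnuPG: a minimal RFC 4880 packet walker that reports the hash algorithm of every signature packet in a binary keyring so MD5-bound self-signatures can be spotted. It assumes old- and new-format packet headers without partial body lengths and signature versions 3 and 4 only; the sample keyring is constructed inline (a public key packet, a user ID, one v3/MD5 certification and one v4/SHA-256 certification) and is not real key material.

```python
# Added example: walk OpenPGP packets and report the hash algorithm used by
# each signature packet (RFC 4880 section 5.2).  Not part of the original post.

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "generic certification", 0x11: "persona certification",
             0x12: "casual certification", 0x13: "positive certification",
             0x18: "subkey binding", 0x1F: "direct key", 0x20: "key revocation"}
WEAK_HASHES = {1}          # MD5; add 2 to treat SHA-1 as weak as well
SIGNATURE_TAG = 2


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old- and new-format headers, no partial lengths."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {i}")
        i += 1
        if ctb & 0x40:                       # new-format header (tag in low 6 bits)
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header (tag in bits 2..5)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                   # indeterminate length: rest of input
                length = n - i
            else:
                size = 1 << ltype            # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + size], "big")
                i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        i += length
        yield tag, body


def parse_signature(body: bytes) -> dict:
    """Extract version, signature type, public-key and hash algorithm from a signature packet."""
    version = body[0]
    if version == 3:                         # PGP 2 style: fixed 5-octet hashed block
        if body[1] != 5:
            raise ValueError("v3 signature with bad hashed-material length")
        return {"version": 3, "sigtype": body[2],
                "keyid": body[7:15].hex(), "pubkey_algo": body[15], "hash_algo": body[16]}
    if version == 4:
        return {"version": 4, "sigtype": body[1], "keyid": None,
                "pubkey_algo": body[2], "hash_algo": body[3]}
    raise ValueError(f"unsupported signature version {version}")


def audit_signatures(keyring: bytes) -> list:
    """Return one dict per signature packet, flagging those bound with a weak hash."""
    results = []
    for tag, body in iter_packets(keyring):
        if tag != SIGNATURE_TAG:
            continue
        sig = parse_signature(body)
        sig["hash_name"] = HASH_ALGOS.get(sig["hash_algo"], f"unknown({sig['hash_algo']})")
        sig["type_name"] = SIG_TYPES.get(sig["sigtype"], f"type 0x{sig['sigtype']:02x}")
        sig["weak"] = sig["hash_algo"] in WEAK_HASHES
        results.append(sig)
    return results


# Constructed sample keyring (hypothetical bytes, not a real key):
PUBKEY = bytes([0x98, 12, 0x04, 0, 0, 0, 0, 0x01, 0x00, 0x08, 0xAB, 0x00, 0x02, 0x03])
USERID = bytes([0xB4, 5]) + b"alice"
SIG_V3_MD5 = bytes([0x88, 22, 0x03, 0x05, 0x10, 0, 0, 0, 0,
                    1, 2, 3, 4, 5, 6, 7, 8, 0x01, 0x01, 0xAA, 0xBB, 0x00, 0x08, 0xAB])
SIG_V4_SHA256 = bytes([0xC2, 13, 0x04, 0x13, 0x01, 0x08, 0, 0, 0, 0,
                       0xAA, 0xBB, 0x00, 0x08, 0xAB])
SAMPLE_KEYRING = PUBKEY + USERID + SIG_V3_MD5 + SIG_V4_SHA256


if __name__ == "__main__":
    for sig in audit_signatures(SAMPLE_KEYRING):
        flag = "WEAK" if sig["weak"] else "ok"
        print(f"v{sig['version']} {sig['type_name']}: {sig['hash_name']} [{flag}]")
```

To run it against a real key, feed the output of `gpg --export <keyid>` (binary, not `--armor`) to `audit_signatures`; the v3 certification in the sample corresponds to what a PGP 2 era self-signature looks like.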