Confusion with signature digest type.

Robert J. Hansen rjh at sixdemonbag.org
Thu May 2 06:48:44 CEST 2013


On 5/2/2013 12:33 AM, Daniel Kahn Gillmor wrote:
> if it was a preimage attack (even for SHA1), then yeah, it'd be game
> over in a lot of horrible ways i don't want to think about in detail
> right now :)

I think I can make a compelling argument this is a preimage attack and
not a collision attack, and I think I can sum it up in one sentence:

> So Eve's work is to manipulate both X (the data repository) and Y (the
> self-sig she's crafting) until she can coax them into a collision.  She
> doesn't care what the collision is, so she's not involved in a pre-image
> attack.

She cares what the collision is: it has to be a valid OpenPGP signature
sequence.

I concur that this scenario is deeply troubling.  However, I think the
scenario as you've described it depends on a preimage attack and at that
point, as we've agreed, we're all screwed.

(As a comment for people who may be thinking Daniel and I are vehemently
disagreeing: sure, we don't agree, but I think we're far, far closer to
agreement than discord.)

> I still maintain that encouraging people to use SHA-1 for any
> certification (including self-sigs) is leaving the coffeepot on, but the
> house is not yet on fire.  Let's turn off the coffeepot :)

Oh, please don't misunderstand me, I'm not encouraging the continued use
of SHA-1.  I'm simply not encouraging the wholesale migration to SHA256,
not at this point in time.  (Encouraging people to have a plan, though,
sure.)

As a general rule, I've found the GnuPG developers to be quite capable
of coding sensible default behaviors.  I expect that Werner has been
thinking of these problems, and if-and-when Werner and g10 Code decide
to shift the default behaviors I'm certain it will be towards a stronger
hash algorithm.

In my experience, there is no such thing as a painless tradeoff.  The
instant you encourage someone to deviate from the defaults you open the
door to a flood of questions.  Some of them are quite reasonable ("why
should I use SHA256 when SHA512 is available?") and some show their
authors started sniffing glue at a tender age.  The only constant is
that the instant you tell someone to mess with the defaults, any and all
future problems they have are suddenly your fault and your
responsibility to solve.

I don't see that the situation with SHA-1 is so dire that we need to jump
the gun on GnuPG's natural migration towards stronger hash algorithms.
Given that, and given that I don't want to field a ton of "I changed my
.gnupg file just the way you said and it doesn't work" type of
questions, well --

I concur that moving to better hash algorithms is the way to go.  I'm
unconvinced that the situation right now is so dire that we need to
leapfrog GnuPG's development process.
