Avoid recipient-compatibility SHA1

Phil Pennock gnupg-users at spodhuis.org
Wed Nov 18 00:13:59 CET 2020


On 2020-11-17 at 15:47 +0000, Stefan Claas wrote:
>} Since 2005, SHA-1 has not been considered secure against well-funded
>} opponents;[4] as of 2010 many organizations have recommended its
>} replacement.[5][6][7] NIST formally deprecated use of SHA-1 in 2011
>} and disallowed its use for digital signatures in 2013.
> 
> Was this therefore ever discussed on OpenPGP Mailing Lists, between
> OpenPGP experts and Mr. Zimmermann and Werner?

It's been discussed on the standardization lists, where I would
summarize the view as "What the hell, why are people still using SHA1?"

The answer is that some people are still using tools such as GnuPGv1 and
other similarly ancient software and get upset when asked to use the
current code-bases.

If you made a key using such old software but are now using modern
software, you should re-sign your UID and check for other problems.

If anyone wants to explore working with OpenPGP message formats while
writing a standalone tool, I suggest a public key reporter tool which
will report on the use of SHA1 (or MD5) digests where there's not
also a signature with a modern digest scheme, and provide guidance about
updating the keys. There are a few places such things might creep in.
Re-reading RFC 4880 while taking notes about all the places you see such
keys would help in writing a good tool.

This strikes me as a good way for a developer to become more familiar
with the ecosystem and to create an actively useful tool to help the
community move forward away from ancient systems.

Please don't demand this tool of any other developers: I offer the idea
as a suggestion only.


> Second question:
> 
> What does it really mean for the OpenPGP ecosystem if there would be a
> SHA1 collision found in an email or detached signed document or file?
> I ask, because when one checks a GnuPG
> digitally signed message or file it usually says it comes from the key
> (owner) blah and this key has a fingerprint of blah if one checks.

If someone can knowingly construct collisions against an existing
signature, without the cooperation of the key owner, then SHA1 would be
completely useless and such signatures would be nearly meaningless.

The current state of SHA1 is "dangerously exposed, you should be
hurrying for the exits, there might still be time to grab your coat on
the way out of the door."  The history is such that when the current
attacks against a digest system are where the SHA1 attacks are now, you
really don't want to be dealing with the next revelations because you
will not be happy.

At present, using "weak-digest sha1" in your GnuPG configuration files
reveals a lot of problems and in day-to-day use you will have to
periodically comment it back out again.  I know, because I've been doing
this since January.  It has helped me with pushing people I need to
exchange private mail with to update their keys.

-Phil
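The "public key reporter" suggested above, sketched as an added example; it is not Phil's code and not any GnuPG tool. It walks an exported OpenPGP public key as an RFC 4880 packet stream (old- and new-format headers, v3 and v4 signature packets), computes the v4 fingerprint per RFC 4880 section 12.2 to recognise self-signatures, and for each UID and subkey reports which digest algorithms its self-signatures use and whether at least one SHA-2 signature exists. The sample certificate is constructed inline: the packet layout is real, but the key material is filler and the signatures are structurally valid only, so nothing is cryptographically verified. The status labels ("ok", "needs-resign", "no-self-sig"), the treatment of RIPEMD160 as pre-SHA-2 and therefore "needs-resign", and the example names and key IDs are my own choices.

```python
"""Added example: report OpenPGP UIDs/subkeys whose self-signatures never use a SHA-2 digest."""
import hashlib
import struct

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
MODERN_HASHES = {8, 9, 10, 11}                    # SHA-2 family (RFC 4880 s9.4 IDs)
SELF_SIG_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18}  # UID certifications and subkey binding

def _be(data, pos, width):
    return int.from_bytes(data[pos:pos + width], "big")

def parse_packets(data):
    """[(tag, body)] for a packet stream; old and new headers (RFC 4880 s4.2), no partial bodies."""
    pos, out = 0, []
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                                   # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = _be(data, pos + 2, 4), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length, pos = _be(data, pos + 1, width), pos + 1 + width
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated packet")
        out.append((tag, body))
    return out

def v4_fingerprint(key_body):
    """RFC 4880 s12.2: SHA-1 over 0x99 || two-octet length || key packet body, as upper-case hex."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def parse_subpackets(area):
    """[(type, data)] for a signature subpacket area (RFC 4880 s5.2.3.1); critical bit stripped."""
    pos, subs = 0, []
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = _be(area, pos + 1, 4), pos + 5
        subs.append((area[pos] & 0x7F, area[pos + 1:pos + length]))
        pos += length
    return subs

def parse_signature(body):
    """(sig_type, hash_algo, issuer_keyid_hex) from a v3 or v4 signature packet body."""
    if body[0] == 3:                   # v3: 3, 5, type, time[4], issuer key ID[8], pk algo, hash algo
        return body[2], body[16], body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version %d" % body[0])
    hlen = _be(body, 4, 2)
    ulen = _be(body, 6 + hlen, 2)
    issuer = None
    for stype, sdata in parse_subpackets(body[6:6 + hlen]) + parse_subpackets(body[8 + hlen:8 + hlen + ulen]):
        if stype == 16 and issuer is None:               # Issuer key ID
            issuer = sdata.hex().upper()
        elif stype == 33 and len(sdata) == 21:           # Issuer Fingerprint (defined after RFC 4880); preferred
            issuer = sdata[-8:].hex().upper()
    return body[1], body[3], issuer

def report(cert):
    """One row per UID / user attribute / subkey with its self-signature digests and a verdict."""
    packets = parse_packets(cert)
    if not packets or packets[0][0] != 6:
        raise ValueError("expected a transferable public key (first packet must be tag 6)")
    primary_keyid = v4_fingerprint(packets[0][1])[-16:]  # key ID = low 64 bits of the fingerprint
    rows, current = [], None
    for tag, body in packets:
        if tag in (13, 14, 17):
            label = ("uid " + body.decode("utf-8", "replace") if tag == 13 else
                     "subkey " + v4_fingerprint(body)[-16:] if tag == 14 else "user attribute")
            current = {"component": label, "algos": []}
            rows.append(current)
        elif tag == 2 and current is not None:
            sig_type, hash_algo, issuer = parse_signature(body)
            if sig_type in SELF_SIG_TYPES and issuer == primary_keyid:   # third-party certs are ignored
                current["algos"].append(hash_algo)
    for row in rows:
        row["hashes"] = [HASH_NAMES.get(a, "algo%d" % a) for a in row["algos"]]
        row["status"] = ("ok" if any(a in MODERN_HASHES for a in row["algos"]) else
                         "needs-resign" if row["algos"] else "no-self-sig")
    return rows

# --- constructed sample certificate: real packet layout, filler key material, unverifiable signatures ---
def _pkt(tag, body):
    assert len(body) < 192                       # one-octet new-format length suffices for the sample
    return bytes([0xC0 | tag, len(body)]) + body

def _mpi(raw):
    return struct.pack(">H", int.from_bytes(raw, "big").bit_length()) + raw

def _key_body(fill):                             # v4 RSA public key: version, time, algo 1, MPI n, MPI e
    return b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + _mpi(fill * 32) + _mpi(b"\x01\x00\x01")

def _sig(sig_type, hash_algo, issuer_keyid_hex):  # v4 signature with creation-time and issuer subpackets
    hashed = bytes([5, 2]) + struct.pack(">I", 1600000000)
    unhashed = bytes([9, 16]) + bytes.fromhex(issuer_keyid_hex)
    return (bytes([4, sig_type, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + _mpi(b"\x99" * 32))

def constructed_sample():
    """First UID re-signed with SHA-256; second UID and the subkey still carry only SHA-1 self-sigs."""
    primary, subkey = _key_body(b"\xc1"), _key_body(b"\xd3")
    me, other = v4_fingerprint(primary)[-16:], "0123456789ABCDEF"
    return (_pkt(6, primary)
            + _pkt(13, b"Alice (constructed) <alice@example.invalid>")
            + _pkt(2, _sig(0x13, 2, me)) + _pkt(2, _sig(0x13, 8, me))
            + _pkt(13, b"Alice (old UID) <alice-old@example.invalid>")
            + _pkt(2, _sig(0x13, 2, me)) + _pkt(2, _sig(0x10, 1, other))   # MD5 cert by a third party
            + _pkt(14, subkey) + _pkt(2, _sig(0x18, 2, me)))
```

To run it against a real key, export it in binary form (`gpg --export KEYID > key.bin`; for an armored file, `gpg --dearmor` first) and call `report(open("key.bin", "rb").read())`. Note what it does and does not do: it reads the digest ID from each signature packet and matches the issuer against the primary key ID, so it finds SHA-1-only UIDs and subkey bindings without needing to verify anything, but it does not check revocation signatures, does not understand partial body lengths or v5 keys, and a third-party certification with a weak digest is deliberately ignored because only the key owner can fix the self-signatures. The day-to-day complement to such a report is the `weak-digest sha1` setting in gpg.conf mentioned above, which makes GnuPG itself reject those signatures.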


