As I'm thinking about hash function transitions right now, it occurs to
me that I'm not sure how to specify something like "The holder of this
key will never issue signatures using digest algorithm $foo".
In RFC 4880, section 5.2.3.8, the digest algorithm preferences subpacket
says something similar:

    Message digest algorithm numbers that indicate which algorithms the
    key holder prefers to receive. Like the preferred symmetric
    algorithms, the list is ordered. Algorithm numbers are in Section 9.
    This is only found on a self-signature.

But this is semantically something fairly different from stating what
kind of use the keyholder expects to pursue.
Consider the case where a user has in the past made and published
MD5-based signatures, and no longer believes that hash algorithm is
secure for the purposes used (or if you like, think into the near
future, and imagine the same situation with SHA1).
It seems to me that it would be useful to have a way that a keyholder
could explicitly state "I no longer make signatures over digest X.
Please consider any signatures from this key using digest X to be invalid."
This does lead to the possibility of an explicit "impedance mismatch",
where Alice says "I never issue MD5, SHA1, or RIPEMD160 digests" and Bob
says "I prefer to receive only SHA1, RIPEMD160, or MD5 digests" -- in
this case, Alice's key is useless to Bob. But this impedance mismatch
exists implicitly anyway, if these are the actual policies. It seems
like it would be useful to know that the conflict exists at that level.
Note: *could* a user say "I never issue SHA1 signatures" and remain
4880-compliant? I think so; the spec says that implementations MUST
implement SHA1, but it does not say that they must force the user to use
it or trust it.
Is there interest in being able to explicitly state such a policy?
Would this be worth a new subpacket type? If so, would it make sense
for ciphers as well as digests?
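Added example (my own sketch, not code from this post or from any OpenPGP implementation): a verifier-side check in Python that parses an RFC 4880 signature subpacket area, honours a hypothetical "digests I never issue" subpacket (assumed to use type 100 from the private/experimental range; no such type exists in the RFC), and computes the Alice/Bob impedance mismatch described above.

```python
import struct

# RFC 4880 section 9.4 hash algorithm IDs for the digests named in this thread.
HASH_IDS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
PREF_HASH_SUBPKT = 21      # RFC 4880 5.2.3.8, Preferred Hash Algorithms
NEVER_ISSUE_SUBPKT = 100   # ASSUMPTION: hypothetical type in the 100-110 experimental range

def encode_subpacket(sp_type, body):
    """Encode one subpacket using the RFC 4880 5.2.3.1 length encoding."""
    n = len(body) + 1                      # the type octet counts toward the length
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        n -= 192
        hdr = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([sp_type]) + body

def parse_subpackets(data):
    """Return (type, body) pairs from a subpacket area; the critical bit is masked off."""
    i, out = 0, []
    while i < len(data):
        first = data[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        out.append((data[i] & 0x7F, data[i + 1:i + n]))
        i += n
    return out

def signature_allowed(selfsig_hashed_area, sig_hash_id):
    """Verifier policy: reject a signature whose digest the key holder has disavowed."""
    for sp_type, body in parse_subpackets(selfsig_hashed_area):
        if sp_type == NEVER_ISSUE_SUBPKT and sig_hash_id in body:
            return False
    return True

def impedance_mismatch(alice_never, bob_prefers):
    """Digests Bob would accept but Alice refuses to issue, plus what remains usable."""
    usable = [h for h in bob_prefers if h not in alice_never]
    return sorted(set(bob_prefers) & set(alice_never)), usable

# Constructed sample: Alice's self-signature prefers SHA256/384/512 and disavows MD5, SHA1, RIPEMD160.
ALICE_SELFSIG = (encode_subpacket(PREF_HASH_SUBPKT, bytes([8, 9, 10]))
                 + encode_subpacket(NEVER_ISSUE_SUBPKT, bytes([1, 2, 3])))
```

With Bob preferring only [2, 3, 1], `impedance_mismatch({1, 2, 3}, [2, 3, 1])` leaves no usable digest, which is exactly the conflict the post says is worth surfacing explicitly.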