Adam Back says:
b. There have been no practical cases of signature spoofing with MD5--it
hasn't been broken.
I agree, in the general case it has not. I'll discuss a better
user migration path below.
Excuse me, gentlemen, were there any practical cases of signature
spoofing with MD4?
Also, since this is an IETF forum, let me remind you, that the
official IETF security guideline is: "For all the new standards
MD5 shall not be used - but SHA-1".
Of course, Security Area folks don't have the depth of knowledge
that David has been exhibiting on the Net for quite a while (:-).
However, as an algorithm starts showing cracks, a cryptographer
with brains replaces it before the "practical" cases start
piling up. For a commercial product to get into such a
situation would mean death, I think (unless you are
Micro$oft, of course :-).
c. PGP Inc. has made no attempt to remove MD5 in pay PGP 5.0
It is possible that Will was talking about the fingerprint spoofing
attack, which you are probably aware of. This flaw is nothing to do
with MD5 or RSA per se, but more to do with a flaw introduced in the
way that the fingerprint is calculated in pgp2.x.
It was possibly to ease the upgrade path for paying customers. Like:
"Yes, we strongly suggest you move to SHA-1, but to make sure your
traffic isn't interrupted, here's 'bilingual' PGP for you."
Brave talk, but if you had any integrity you would have explained
any concerns and left it up to users by preserving all options--not
crammed it down the free user's throats.
I think that unencumbered algorithms are a good thing, however I think
the method of "encouraging" migration to DSS/EG algorithms has largely
backfired. I did a survey of pgp users, which I'll collate shortly,
and several commented that they scrapped 5.0 and went back to 2.x when
they discovered the various compatibility problems (eg. not being able
to generate RSA keys).
Well, the only compatibility concerns that *I* have as a user are
related to the broken *interface*. I.e. I APPLAUD the move to DSS
and EG (would like to see ECC too, BTW) - but I absolutely hate
the fact that I can no longer use Mailcrypt-3.4 from XEmacs.
This is my "compatibility problem", not the ability or
inability to generate RSA keys (which you can take
with you on your way out :-).
Now the discussion of a better migration path. It seems to me that a
nice thing to do would be to generate two keys at key gen time: an RSA
key and an DSS/EG pair.
What if I *don't* want to generate RSA keys. Why cram those down my
throat? Make it possible to generate DSS *or* DSS+RSA, if you REALLY
Largely transparent interoperability on all versions
would I suspect paradoxically have meant many more people made the
Yes and no. Of course transparency will help. HOWEVER, many PGP
users have either no time, or no skills (or "no" both) to modify
the software that interfaces between their favorite whatever
and PGP. For me it is Mailcrypt/XEmacs. Until *that* part
is taken care of - don't expect people to switch.
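Added illustration, not part of the thread above and not PGP source: the kind of fingerprint spoof Adam alludes to. It assumes, as an assumption and not something the thread spells out, that the pgp2.x fingerprint is MD5 over the bare modulus and exponent bodies with no length fields, so any split of the same byte string hashes the same. SAMPLE_N is a constructed odd number, not a real modulus. The toy also shows the framed variant (each integer hashed with its bit length, as later formats do), where the same trick fails, and notes that the leftover exponent here is 1, whose private exponent is also 1, so the spoofed key even signs without factoring anything.

```python
"""Length-less vs. length-framed key fingerprints (added example).

Assumption: the 2.x-style fingerprint is MD5(body(n) || body(e)) with
no length fields. SAMPLE_N is constructed for the demo, not a real key.
"""
import hashlib

SAMPLE_N = 0xF3A5C9D1B7E2334D9C6B41E7DA09F2C1  # constructed, odd, not RSA
SAMPLE_E = 65537                                 # bytes 01 00 01


def mpi_body(x):
    """Big-endian bytes of x with no leading zero byte (the MPI body)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def mpi_framed(x):
    """MPI body preceded by its 2-byte bit length (assumed framed layout)."""
    return x.bit_length().to_bytes(2, "big") + mpi_body(x)


def fingerprint_unframed(n, e):
    """Assumed pgp2.x style: hash the two bodies with no length fields."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest()


def fingerprint_framed(n, e):
    """Same hash, but each integer carries its length inside the hashed data."""
    return hashlib.md5(mpi_framed(n) + mpi_framed(e)).hexdigest()


def absorb_exponent_bytes(n, e, k):
    """Move the first k bytes of body(e) onto the end of body(n).

    Returns (n2, e2) with body(n2) || body(e2) == body(n) || body(e).
    The remaining exponent bytes must start with a nonzero byte, otherwise
    int conversion would drop it and the concatenation would no longer match.
    """
    nb, eb = mpi_body(n), mpi_body(e)
    if not 0 < k < len(eb) or eb[k] == 0:
        raise ValueError("split would not round-trip through int conversion")
    n2 = int.from_bytes(nb + eb[:k], "big")
    e2 = int.from_bytes(eb[k:], "big")
    return n2, e2


def rsa_sign(m, d, n):
    """Textbook RSA signature (toy, no padding)."""
    return pow(m, d, n)


def rsa_verify(m, s, e, n):
    """Textbook RSA verification (toy, no padding)."""
    return pow(s, e, n) == m


def demo(n=SAMPLE_N, e=SAMPLE_E):
    """Spoof the unframed fingerprint and report what the framed one does."""
    n2, e2 = absorb_exponent_bytes(n, e, 2)      # e 01 00 01 -> n' ends 01 00, e' = 01
    msg = 123456789
    # With e2 == 1 the matching private exponent is 1: anyone can sign.
    sig = rsa_sign(msg, 1, n2)
    return {
        "spoofed_exponent": e2,
        "unframed_match": fingerprint_unframed(n2, e2) == fingerprint_unframed(n, e),
        "framed_match": fingerprint_framed(n2, e2) == fingerprint_framed(n, e),
        "spoofed_key_signs": rsa_verify(msg, sig, e2, n2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the migration discussion is that the fix is framing, not a different hash: once the bit length is part of the hashed data, body(n) and body(e) cannot trade bytes without changing the digest input.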