ietf-openpgp
[Top] [All Lists]

Re: PGP evolving, improving

1997-11-24 16:22:58


Uri Blumenthal wrote:

Adam Back says:
b. There have been no practical cases of signature spoofing with MD5--it
hasn't been broken.

I agree, in the general case it has not.  I'll discuss a better
user migration path below.

Excuse me, gentlemen, were there any practical cases of signature
spoofing with MD4?

Also, since this is an IETF forum, let me remind you,  that the
official IETF security guideline is: "For all the new standards
MD5 shall not be used - but SHA-1".

Of course, Security Area folks don't have the depth of knowledge
tat David has been exhibiting on the Net for quite a while (:-).

Your gratuitous slam comes with ill grace from someone who apparently doesn't
understand the meaning of "for all the new standards". We were talking about
PGP's pulling RSA key generation from free PGP 5.0, and pulling RSA entirely
from free PGP 5.5.2, neither of which is a new IETF standard or even a standard
in work.. What is more, they didn't pull it from pay PGP 5.0 at the same time,
so your argument fails doubly.

However, as an algorithm starts showing cracks, a cryptographer
with brains replaces it before the "practical" cases start
piling up. For a commercial product to get into such a
situation would mean death, I think (unless you are
Micro$oft, of course :-).

They didn't replace it in pay PGP 5.0.



c. PGP Inc. has made no attempt to remove MD5 in pay PGP 5.0

It is possible that Will was talking about the fingerprint spoofing
attack, which you are probably aware of.  This flaw is nothing to do
with MD5 or RSA per se, but more to do with a flaw introduced in the
way that the fingerprint is calculated in pgp2.x.

It was possibly to ease the upgrade path for paying customers. Like:
"Yes, we strongly suggest you move to SHA-1, but to make sure your
traffic isn't interrupted, here's 'bilingual' PGP for you."

And free PGP users didn't deserve an eased upgrade path, but rather to forcibly
obsolete all their keys, signatures and web of trust in the new version?
Especially since the RSA-key Free PGP user base is where PGP Inc. made their
reputation and the size of that base is constantly cited to the IETF and in
press releases as PGP's "customer base". Don't be ridiculous. And watch who you
throw stones at--can you say "glass house"?

David

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

<Prev in Thread] Current Thread [Next in Thread>