Uri Blumenthal <uri(_at_)watson(_dot_)ibm(_dot_)com> writes:
b. There have been no practical cases of signature spoofing with MD5--it
hasn't been broken.
I agree, in the general case it has not. I'll discuss a better
user migration path below.
Excuse me, gentlemen, were there any practical cases of signature
spoofing with MD4?
Also, since this is an IETF forum, let me remind you, that the
official IETF security guideline is: "For all the new standards
MD5 shall not be used - but SHA-1".
MD5 is in the draft as a MAY. You want to change that to a MUST NOT?
I don't think the situation with MD5 is serious enough currently to
warrant the loss of backwards compatibility as an implementation
option.
However, as an algorithm starts showing cracks, a cryptographer with
brains replaces it before the "practical" cases start piling up.
Of course, that much is a given.
Where we came in to this discussion was that by having backwards
compatibility more people migrate to new algorithms more quickly.
Well, the only compatibility concerns that *I* have as a user are
related to the broken *interface*. I.e. I APPLAUD the move to DSS
and EG (would like to see ECC too, BTW) - but I absolutely hate
the fact that I can no longer use Mailcrypt-3.4 from XEmacs.
Well I use mailcrypt also, so I can share on that one. However I keep
getting emails from people with pgp5.x which are addressed to my RSA
key, and yet which pgp2.x simply can't read. I think this must either
be the bug Hal described, or people are signing the message with a DSS
key which I thought pgp5.x was supposed to warn against when the
recipient is using an RSA key.
Now the discussion of a better migration path. It seems to me that a
nice thing to do would be to generate two keys at key gen time: an RSA
key and an DSS/EG pair.
What if I *don't* want to generate RSA keys. Why cramming those down my
throat? Make it possible to geterate DSS *or* DSS+RSA, if you REALLY
insist...
Default operation. Same as you get a default operation with pgp5.x of
using cooked primes.
Largely transparent interoperability on all versions
would I suspect paradoxically have meant many more people made the
switch.
Yes and no. Of course transparency will help. HOWEVER, many of PGP
users have either no time, or no skills (or "no" both) to modify
the software that interfaces between their favorite whatever
and PGP. For me it is Mailcrypt/XEmacs. Until *that* part
is taken care of - don't expect people to switch.
I think mailcrypt users are small in number. We should ask Pat
LoPresti if he wants to hack in pgp5.x support.
Adam