Ben Laurie wrote:
Would it be a good idea to put in a statement
explicitly limiting OpenPGP's view of DSS to be
SHA1 only? And add a comment perhaps that in the
light of weaknesses in SHA1, that RSA with a fatter
digest be used instead as a workaround?
The cost of that is that anyone with a DSA key is screwed. Seems like a
last resort to me.
Anyone who has a DSA key now is screwed if:
* the SHA1 hash is shown to be breached for:
- pre-images, or
- they have a collision-sensitive signature system,
and,
* the attacks are within reach by their attackers, and
* they cannot change their document format, and
* they cannot change to RSA, and
* they cannot simply repudiate any false dox, and
* they actually use DSA sigs for something important.
Seems like a tough list to me. My systems use OpenPGP
sigs for real stuff (as opposed to just signing mail
because it exists there) and none of the above are
even remotely a threat that I can see. Maybe I am
screwed, but seeing as I don't see how, I'm willing to
run that risk and maybe I'll find out :)
I personally don't see much merit in changing the situation
until something decent comes along.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/