Ian G writes:
I'm curious on this point. Other than the fact that
"it's broken" why is it that you see it important to
repair the DSA in OpenPGP?
I'm not sure if you are asking why we worry about using SHA-1 at all given
that the attack is theoretical, or why we don't just abandon DSA keys.
For the first question, my main concern is that the SHA-1 attack
may get worse so that it becomes computationally feasible to find
collisions. If that happens we could be vulnerable to attacks like
http://eprint.iacr.org/2005/067 which showed two X.509 certificates
with the same hash. The attacks could become even stronger to where
different userids could collide.
For the second, DSA key users do not presently have the options RSA
key users do to move to other hashes. As I argued, the additional risk
of giving DSA users more options is not that large. Letting them use
other hashes would allow them to continue to use their existing keys
and benefit from the signatures they have acquired on those keys.
Hal