Hal Finney wrote:
Ian G writes:
I'm curious on this point. Other than the fact that
"it's broken" why is it that you see it important to
repair the DSA in OpenPGP?
I'm not sure if you are asking why we worry about using SHA-1 at all given
that the attack is theoretical, or why we don't just abandon DSA keys.
I'd say it is an open question, so either or both.
For the first question, my main concern is that the SHA-1 attack
may get worse so that it becomes computationally feasible to find
collisions. If that happens we could be vulnerable to attacks like
http://eprint.iacr.org/2005/067 which showed two X.509 certificates
with the same hash. The attacks could become even stronger to where
different userids could collide.
I think now I understand this as more an issue for
WoT than documents - is that right? (I think I'm
deriving that from the last sentance above...) In
that people who have DSA keys and have lots of sigs
are faced with losing their 'investment'.
OK, I agree that is potentially a larger concern than
document sigs as key signing represents something of
an institution.
For the second, DSA key users do not presently have the options RSA
key users do to move to other hashes. As I argued, the additional risk
of giving DSA users more options is not that large. Letting them use
other hashes would allow them to continue to use their existing keys
and benefit from the signatures they have acquired on those keys.
OK. In risk terms it might not be that high. But
in cost terms, it is significant. Any changes to
the way signatures have to be dealt with would have
to be promulgated through the community, as, if the
signature verification wasn't standard and acceptable
to all code bases, it loses its value rapidly.
So the analysis needs to question not only the risks
but also the costs and benefits.
The number of people who need to have DSA and keep
using their existing keys for signatures seems to be
quite small. In order for these people to benefit,
they must be able to create the sigs, and everyone
else must be able to at least read the sigs. So
any change will take a year or two to filter through
until there is wide enough distribution of verification,
and during that time, I suspect the slow uptake will
be over taken by events.
To me, I don't see the cost-benefit analysis coming
out as favourable; far better to suggest that people
use RSA keys if they are really very keen to have the
best security in signatures, until the DSS-2 situation
settles out.
(in the 90s, this would have been a very different
situation, as RSA faced patent and cryptoexport
problems, so there would have been a group that
might have been limited to using DSA.)
All IMHO of course!
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/