ietf-openpgp

Re: New results against SHA-1

2009-05-04 14:38:55
On 05/04/2009 01:38 PM, Werner Koch wrote:
Using a number (2) and, say, a dot as a prefix would be a better choice.
We use algorithm numbers anyway and OpenPGP users are used to spell a
large row of hex digits; we would only confuse them with an S and an H.

ok, that works for me.  would the prefix be in hex or decimal?  for
example, would an SHA512 fingerprint look like
 
a.3dd7a2cb8f9e51f2fc096e7022a8192099aa89e10c699e46223851cc36f406b1beb734d5a7da0d8ebc08cc37e30088300c7a9ae81ba7ab758047a89cfa191aff

or

10.3dd7a2cb8f9e51f2fc096e7022a8192099aa89e10c699e46223851cc36f406b1beb734d5a7da0d8ebc08cc37e30088300c7a9ae81ba7ab758047a89cfa191aff

Ugh.  that's horrifically long either way.  Is a base64 encoding worth
considering?  it would shave off a third of the length, but it seems
like it would introduce significant ambiguity (0 vs O, A vs a, etc)

 e) allow injection of arbitrary key material at the head of signatures
to allow signers to avoid a chosen-prefix attack?  This would make it
significantly more difficult to predict the hash that someone will sign,

and gives more bandwidth for a subliminal channel...

True, but some room for the subliminal channel already exists (e.g.
notations can be injected in the signed material).  This would simply
allow signers to better control what they actually sign, rather than
being compelled into signing a given text.  Daniel Franke's recent
message on gnupg-devel about this is interesting:

 http://lists.gnupg.org/pipermail/gnupg-devel/2009-May/024967.html

Another approach would be to formally prefer digest algorithms that do
not exhibit the same single-pass behavior of SHA-1 -- is that feasible?

 f) explicit introduction of new hashes/ciphers/asymmetric algorithms?

We should defer such a discussion until there are semi-final results
from the SHA-3 contest.

SHA-3 finalizes in the end of 2012, though first-round candidates have
already been selected.  Third quarter of 2010 should have finalists
selected:

  http://csrc.nist.gov/groups/ST/hash/timeline.html

Which phase of the timeline would be sufficient for you?

Right, we should re-establish the WG to not rely on I-Ds by individuals.

So what's the process to do this?

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature
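As an added illustration (not code from this message or from any OpenPGP implementation), the Python below works through the prefixed fingerprint form discussed in the thread: it parses "<algorithm id>.<hex digest>" under either the decimal or the hex reading of the prefix, rejects a digest whose length does not match the named algorithm, and renders the base64 form so the two lengths can be compared. The algorithm ids and digest sizes are those of RFC 4880 section 9.4; the prefixed format itself is only a proposal in this thread.

```python
import base64
import re

# OpenPGP hash algorithm ids (RFC 4880, section 9.4) with digest sizes in bytes.
HASH_ALGOS = {1: ("MD5", 16), 2: ("SHA1", 20), 3: ("RIPEMD160", 20),
              8: ("SHA256", 32), 9: ("SHA384", 48), 10: ("SHA512", 64),
              11: ("SHA224", 28)}

# The 128-hex-digit SHA-512 digest quoted in the message above.
EXAMPLE_DIGEST_HEX = (
    "3dd7a2cb8f9e51f2fc096e7022a8192099aa89e10c699e46223851cc36f406b1"
    "beb734d5a7da0d8ebc08cc37e30088300c7a9ae81ba7ab758047a89cfa191aff"
)

_FPR_RE = re.compile(r"^([0-9a-fA-F]+)\.([0-9a-fA-F]+)$")


def parse_prefixed_fingerprint(text, prefix_base=10):
    """Split '<algo>.<hexdigest>' into (algo_id, digest_bytes).

    prefix_base is 10 or 16: whether the prefix is read as decimal or hex.
    A ValueError rejects unknown ids and digests whose length does not match
    the named algorithm, so truncated or mislabelled strings are not accepted."""
    m = _FPR_RE.match(text.strip())
    if not m:
        raise ValueError("not of the form <algo>.<hex digest>")
    algo = int(m.group(1), prefix_base)   # 'a' is not a decimal literal: ValueError
    if algo not in HASH_ALGOS:
        raise ValueError("unknown hash algorithm id %d" % algo)
    name, size = HASH_ALGOS[algo]
    digest = bytes.fromhex(m.group(2))    # odd-length hex also raises ValueError
    if len(digest) != size:
        raise ValueError("%s digest is %d bytes, got %d" % (name, size, len(digest)))
    return algo, digest


def is_valid_fingerprint(text, prefix_base=10):
    """Boolean wrapper around parse_prefixed_fingerprint for quick checks."""
    try:
        parse_prefixed_fingerprint(text, prefix_base)
        return True
    except ValueError:
        return False


def format_fingerprint(algo, digest, encoding="hex"):
    """Render '<decimal algo>.<digest>' in hex, or in unpadded base64 (the shorter form)."""
    if encoding not in ("hex", "base64"):
        raise ValueError("unsupported encoding")
    body = digest.hex() if encoding == "hex" else base64.b64encode(digest).decode().rstrip("=")
    return "%d.%s" % (algo, body)
```

For the quoted SHA-512 digest the hex rendering is 131 characters and the unpadded base64 rendering 89, which is the roughly one-third saving mentioned above.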
