ietf-openpgp

Re: how to specify "trust no signatures over hash X from this key"?

2009-05-05 18:41:03

On 5/5/09 15:20, Daniel Kahn Gillmor wrote:
> On 05/05/2009 02:58 AM, Ian G wrote:
>> Simplify, simplify, simplify.  One hash is good enough
>> for 99.99% of the users, and the rest should be implementing not
>> eulogising.
>>   [...]
>> If it was updated today for IETF, it would say:  always insist on the
>> right to variations in protocols, for future-proofing.
>
> I've seen you express this sentiment before, Ian, and i can appreciate
> where you're coming from.  Variable ciphers and digests are messy,
> difficult to get right, and alienating arcana to most users.


And, anything that slows users slows usage. Unusability is the killer, not the number of bits in the algorithm.

> But i
> don't understand what your concrete proposal is here.
>
> Say OpenPGP had Just One Hash, and it was SHA-1 -- what would be the
> best approach for us 0.01% of the users/implementors to take in response
> to the news that SHA-1's collision-resistance was insufficient against
> well-resourced organizations, and seems likely to get worse before SHA-3
> is settled?


Wait until SHA-3.  Meanwhile, design how to use SHA-3 from 2012 to 2022.

The predictions of the end of the world are premature. Note that nobody has stolen money through an MD5 as yet, and nobody has stolen money because of an RSA-512, either. Nor have 40-bit secret keys been embarrassed as yet.

(All my humble opinion of course :)

The business problem here is that the crypto guys are far too far away from the real business to realise that business leakages are around the 50-80% level. In such an environment, nobody much cares about the difference between 99.99 and 99.999%.


> How would we help facilitate the transition for the 99.99% of the users
> to a safer hash?  Or would we simply tell them "OpenPGP is done, go find
> something else before the year is up if you want to maintain
> private/authenticated communications"?


I think it is best treated as a complete transition from packet types. E.g., "It's time to create a complete new key. V5 is ready." With not as much compatibility between the types as expected, but facilitated by tools. Once per decade. A bit like the transition from 2.6 to 5.0 if you recall. Again, what I believe, others think differently.




iang