There are several known attacks against SHA-1 reducing its effective
security (without breaking it).
The question is whether these attacks reduce SHA-1's effectiveness as it
is used in OpenPGP, and if so, to what extent. (My belief is they do,
but not to the extent doomsayers fear.)
2. Make AES-256 the default (mandatory) symmetric-key algorithm
instead of TripleDES (which is quite weak anyway)
The best attack on 3DES requires 315 yottabytes (!!) of memory just to
reduce it to complexity 2**112. For any reasonable assumption about
computing power, 3DES is as solid as a rock and offers an effective key
length comparable to more modern ciphers.
There are many reasons to dislike 3DES. It's slow, ungainly, hard to
implement correctly, has a relatively small block size, and so on... but
"quite weak" is not one of them.
I would not mind replacing 3DES as the mandatory symmetric cipher, but
there needs to be better justification than this.
3. Replace DSA as default public-key algorithm (since it relies on
good random which is often not available/ensured) by RSA.
A good PRNG is required for the overwhelming majority of OpenPGP uses.
(I mean, sure, technically you could send everything unencrypted and
unsigned in an OpenPGP packet, but...) If you don't have a good PRNG
then pretty much the entire protocol falls apart, so I don't understand
why it's important to make RSA the default key selection because it's
less dependent on having a good PRNG. What am I missing here?
I have nothing against making RSA the default, but again, we need better
justification.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp