To add in my two cents to this, I'm going to channel an old Security AD, Jeff
There's a huge difference between Mandatory To Implement (a MUST) and Mandatory
As perhaps the best example, the X.509 RFCs list DSA as the MUST algorithm, but
it's not clear that there are as many real-world DSA certificates as I have
fingers. Or noses. Everyone uses RSA or ECC.
Thus, I agree with what you're saying, that implementations really need to stop
using SHA-1, except by some explicit override, and maybe not even then. In PGP,
we stopped using SHA-1 by default back in 2004 when Wang's attacks came out. We
moved right to SHA-256, and just started marking all keys as wanting SHA-256 or
Similarly, PGP started guiding people early on to longer RSA keys. You could
make one if you wanted, but you had to go into advanced key creation etc. Also
similarly, it had opinions about symmetric algorithms and these were in the
You don't need to change any documents, you need to get software to change.
Now, there are plenty of other things that could be useful. I might, for
example, do an individual draft for SHA3, or even SHA-512/z in a few relevant
values of z.
As for DSA, there's no reason you can't use any of a number of protected DSAs.
Werner noted that GnuPG uses RFC-6979 to protect it. PGP always used a keyed
hash, where the key was the DSA private key to improve the nonce. If you wonder
why PGP didn't use an HMAC, it's because in those days there was no HMAC. These
days, HMAC is Simply What Is Done.
In short -- it's a lot easier to fix software than documents. Remember, (again,
channeling Schiller) standards exist for interoperability.
openpgp mailing list
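The post refers to GnuPG "using RFC-6979 to protect" DSA and to PGP's older keyed-hash nonce. The following is an added illustration of the RFC 6979 construction itself, written for this page and not taken from GnuPG, PGP or any other project: the per-signature nonce k is derived with HMAC_DRBG from the private key x and the message hash, so the same (x, message) pair always yields the same k and no random-number generator is involved. The group order q and the private key used below are the NIST P-256 values from RFC 6979 Appendix A.2.5 (the derivation is identical for DSA and ECDSA; only q and x differ), so the result can be checked against that appendix's published k for the message "sample".

```python
import hashlib
import hmac

# Group order q of NIST P-256 and the test private key x, both copied from
# RFC 6979 Appendix A.2.5. Any DSA subgroup order q would work the same way.
Q_P256 = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)
X_RFC = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)
# Expected nonce for message "sample" with SHA-256, from the same appendix.
K_SAMPLE_EXPECTED = int("A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60", 16)


def _bits2int(data: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: interpret the leftmost qlen bits as a big-endian integer."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def _int2octets(value: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: big-endian encoding padded to ceil(qlen/8) bytes."""
    return value.to_bytes((qlen + 7) // 8, "big")


def _bits2octets(data: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce modulo q, then int2octets."""
    return _int2octets(_bits2int(data, qlen) % q, qlen)


def rfc6979_nonce(x: int, message: bytes, q: int, hashfunc=hashlib.sha256) -> int:
    """Deterministic nonce k in [1, q-1] per RFC 6979 section 3.2 (HMAC_DRBG)."""
    qlen = q.bit_length()
    h1 = hashfunc(message).digest()
    hlen = len(h1)
    V = b"\x01" * hlen          # step b
    K = b"\x00" * hlen          # step c
    seed = _int2octets(x, qlen) + _bits2octets(h1, q, qlen)
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()   # step d
    V = hmac.new(K, V, hashfunc).digest()                    # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()   # step f
    V = hmac.new(K, V, hashfunc).digest()                    # step g
    while True:                                              # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: rekey and try again, as the RFC prescribes.
        K = hmac.new(K, V + b"\x00", hashfunc).digest()
        V = hmac.new(K, V, hashfunc).digest()


def matches_rfc6979_vector() -> bool:
    """Check our derivation against the published A.2.5 nonce for "sample"."""
    return rfc6979_nonce(X_RFC, b"sample", Q_P256) == K_SAMPLE_EXPECTED


def is_deterministic(x: int, message: bytes, q: int) -> bool:
    """Same key and message twice must give the same k; a different message must not."""
    k1 = rfc6979_nonce(x, message, q)
    k2 = rfc6979_nonce(x, message, q)
    k_other = rfc6979_nonce(x, message + b"!", q)
    return k1 == k2 and k1 != k_other and 1 <= k1 < q


if __name__ == "__main__":
    print("RFC 6979 A.2.5 vector reproduced:", matches_rfc6979_vector())
    print("nonce is deterministic and in range:", is_deterministic(X_RFC, b"sample", Q_P256))
```

The point of the construction is the one the post makes about "protected DSAs": a DSA or ECDSA signature is only as good as its nonce, and deriving k from the private key and the message through HMAC removes the dependence on a possibly weak or repeating random source. PGP's earlier keyed hash of the private key was the same idea before HMAC existed; RFC 6979 standardises it with a fixed DRBG loop and the bits2int/int2octets conventions above, which is why independent implementations can be checked against the appendix vectors.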