ietf-openpgp

Re: [openpgp] SHA-2 support should be mandatory – change defaults

2014-08-13 22:04:50
To add in my two cents to this, I'm going to channel an old Security AD, Jeff 
Schiller.

There's a huge difference between Mandatory To Implement (a MUST) and Mandatory 
to Use.

As perhaps the best example, the X.509 RFCs list DSA as the MUST algorithm, but 
it's not clear that there are as many real-world DSA certificates as I have 
fingers. Or noses. Everyone uses RSA or ECC.

Thus, I agree with what you're saying, that implementations really need to stop 
using SHA-1, except by some explicit override, and maybe not even then. In PGP, 
we stopped using SHA-1 by default back in 2004 when Wang's attacks came out. We 
moved right to SHA-256, and just started marking all keys as wanting SHA-256 or 
better.

Similarly, PGP started guiding people early on to longer RSA keys. You could 
make one if you wanted, but you had to go into advanced key creation etc. Also 
similarly, it had opinions about symmetric algorithms and these were in the 
defaults.

You don't need to change any documents, you need to get software to change.

Now, there are plenty of other things that could be useful. I might, for 
example, do an individual draft for SHA3, or even SHA-512/z in a few relevant 
values of z.

As for DSA, there's no reason you can't use any of a number of protected DSAs. 
Werner noted that GnuPG uses RFC-6979 to protect it. PGP always used a keyed 
hash, where the key was the DSA private key, to improve the nonce. If you wonder 
why PGP didn't use an HMAC, it's because in those days there was no HMAC. These 
days, HMAC is Simply What Is Done.

In short -- it's a lot easier to fix software than documents. Remember, (again, 
channeling Schiller) standards exist for interoperability.

        Jon

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
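
The message above mentions protecting DSA by deriving the per-signature nonce deterministically (RFC 6979, or a hash keyed with the private key). The following is an added example, not code from the post, GnuPG or PGP: a sketch of RFC 6979 section 3.2 nonce generation with HMAC-SHA-256. The function names are hypothetical; the group order and private key are assumed to be the P-256 test values from RFC 6979 Appendix A.2.5, and the same procedure applies to a DSA subgroup order q.

```python
import hashlib
import hmac

# Assumed test inputs (RFC 6979 Appendix A.2.5): P-256 group order and private key.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
RFC_KEY = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def bits2int(data: bytes, qlen: int) -> int:
    """Interpret data as a big-endian integer, keeping only the leftmost qlen bits."""
    value = int.from_bytes(data, "big")
    blen = len(data) * 8
    return value >> (blen - qlen) if blen > qlen else value


def rfc6979_nonce(x: int, q: int, message: bytes, hashfn=hashlib.sha256) -> int:
    """Derive the signing nonce k from private key x and the message, with no RNG."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfn(message).digest()
    hlen = len(h1)
    # int2octets(x) || bits2octets(h1): both are fixed-length, big-endian.
    seed = x.to_bytes(rlen, "big") + (bits2int(h1, qlen) % q).to_bytes(rlen, "big")

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfn).digest()

    # Steps b-g: initialise the HMAC-based generator from the key and message hash.
    v = b"\x01" * hlen
    k_mac = b"\x00" * hlen
    k_mac = mac(k_mac, v + b"\x00" + seed)
    v = mac(k_mac, v)
    k_mac = mac(k_mac, v + b"\x01" + seed)
    v = mac(k_mac, v)

    # Step h: generate candidates until one falls in [1, q-1].
    while True:
        t = b""
        while len(t) < rlen:
            v = mac(k_mac, v)
            t += v
        k = bits2int(t, qlen)
        if 1 <= k < q:
            return k
        k_mac = mac(k_mac, v + b"\x00")
        v = mac(k_mac, v)


if __name__ == "__main__":
    print(hex(rfc6979_nonce(RFC_KEY, P256_ORDER, b"sample")))
```

Because k depends only on the private key and the message, signing the same message twice reuses k harmlessly, while two different messages never share a nonce because of a weak or repeated random number generator.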