Hi,
On Wed, Mar 01, 2017 at 12:30:14PM -0500, Phillip Hallam-Baker wrote:
The issue we are seeing the the SHA-1 break is that a LOT of software is
based on the assumption that SHA-1 is unique. And this is causing software
to crash in real world applications.
Not entirely sure what a standard change can do about that, except from
using a collision-resistant hash function which is expected to stay so
for the forseeable future, and have the ability to switch to a new
fingerprint format.
The proposal I made introduces a context into the fingerprint so that
S/MIME, OpenPGP, etc. can all use the same fingerprint format without
semantic substitution attacks being possible.
This seems sensible to me, but I don't see how it would protect against
a future weakness of the hash function.
However, it is useful to stop attacks where a single document would be
valid as a v5 key and as S/MIME (for instance), with both interpretations
having identical fingerprints.
I don't see an immediate attack vector there, but I'm very much not an
expert on polyglots.
##V5 Fingerprint calculation and presentation
A V5 fingerprint value is a sequence of bits that provides a sufficiently
unique identifier for a public key. In addition to generating and accepting
the text string presentation used in earlier versions of OpenPGP
applications
MAY support such additional presentation formats as are found to be useful.
Conforming V5 OpenPGP implementations MUST support the V5 Fingerprint
text presentation format for display and entry of fingerprint values.
Support for all other fingerprint values is optional.
###V5 Fingerprint value calculation
The OpenPGP V5 fingerprint value is calculated as follows
Fingerprint = <Version-ID> + H (<Content-ID> + ‘:’ + H(<data>))
Why a colon, rather than a NUL byte?
(It's not obvious that Content-Type strings, esp. auxiliary parameters,
cannot contain colons)
Best,
Keller
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp