On Mar 23, 2017, at 9:49 AM, Werner Koch <wk(_at_)gnupg(_dot_)org> wrote:
On Thu, 23 Mar 2017 15:00, tony(_at_)att(_dot_)com said:
I’m with Jon on this one – if you’re going to do truncation, then use
a scheme that’s DESIGNED to generate a truncated value. And the only
one that’s been discussed that meets that criteria is SHA2-512/t.
OpenPGP has always used a truncated hash for the keyid. The change is
that with v5 we will use use the leftmost 64 bits instead of the
rightmost 64 bit.
I explained in the original proposal the reasons why truncating certain
uses of the fingerprint makes sense.
I don't have any objection to truncating the fingerprint to get the KeyID. The
KeyID is merely a database key (as in key-value, not crypto) and has no
security value. Implementations already need to consider the possibility that
there could be a collision in the KeyID.
Jon's suggestion of using SHA2-512/t does not work: if we ever need to
switch to the full fingerprint for the two signature subpackets, we
would need to define a v6 key format because the fingerprint changes by
using a different t with SHA2-512/t.
You don't need a new format, you'd just specify the new fingerprint. You can
consider SHA512/t to be a family of hashes of output 't'.
If you're mentioning using SHA512/64 for a key id — no, no, that's just
unnecessary.
What we put into the signature subpackets is an abbreviation of the
fingerprint and this can be changed easily by introducing new signature
subpackets. This would be the same as our migration from the /Issuer/
to the /Issuer Fingerprint/ subpacket. This is an non-intrusive change
to fix the problems with the use of the 64 bit truncated fingerprint in
the /Issuer/ subpacket.
But I also find Derek’s desire to use SHA2-256 to be compelling because of
performance.
Noted.
For the record, I don't object to using SHA-256. I observe that there are a set
of cases where someone finds problems in SHA2 that would have a longer runway
for replacement if we're using SHA-512, and *that* is either a bug or a feature
since arguably once someone finds some actual problem in SHA-256 (e.g. of the
sort that has plagued SHA-1 since 2004), that should be the event that leads to
tossing all of SHA2.
I also observe that the performance issue is real, but hardly fatal — small
devices will be with us always and fingerprints can be computed once and cached
no matter what. This is why I didn't bring up the counter-argument which is
that ARM64 is already sub- one euro per core.
The real reason to use a wider hash is that every time we've compromised on
security for the sake of small devices, it bites us in the ass. This will also
bite us in the ass. It's a small bite in the grand scheme of things, but it's
going to happen and it will be inconvenient.
Do we have a meta-strategy for an upgrade? For example, if we know that you'd
pick whatever hash at that time the cool kids recommend, change a couple of
parameters (like simply bump the key version to v6 and go), that could be a
recommendation in the RFC.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp