ietf-openpgp

Re: [openpgp] Deprecating SHA1

2020-10-23 10:17:32
Hi Paul,

Thanks for following up.

On Fri, 23 Oct 2020 16:52:35 +0200,
Paul Wouters wrote:
Could you give implementers some guidance?

- don't allow creating sha1 signatures

I suspect that most implementations already do this.

- don't allow verification with sha1 to pass for data time
  stamped after 2020 (eg based on email headers or signature time
  stamps)
- allow verification of old data with sha1 to pass

The Sequoia library does pretty much already what you are suggesting
(although we set the cutoff for SHA1 to 2013, not 2020): when an
application developer configures a policy, they can specify a
timestamp.  The timestamp is then used to select algorithms that were
safe as of the specified time.

  
https://docs.sequoia-pgp.org/sequoia_openpgp/struct.Cert.html#method.with_policy

The difficulty for the application developer is to find a timestamp
and authenticate it.  Consider: Alice encrypts an email to Bob.  If
Bob's certificate uses SHA1 for all of the self signatures, should
Alice accept the self signatures?  She has no email headers to extract
a time stamp from (she's sending him a mail, not verifying a signature
in a message that Bob sent her).  As for the time stamp in the self
signature, it's not clear to me why it should be trusted.  Say Mallory
collides a document sig and a self sig for Alice, and gets Alice to
sign the document at the right time.  He can set the self sig's
timestamp to whatever he wants, including just far enough in the past
that it gets by your proposed filter.

Thanks for your thoughts,

Neal

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
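
Added example, not part of the original mail and not Sequoia's code: a std-only Rust model of the cutoff filter discussed above, showing that a check keyed on the signature's own creation time accepts a backdated SHA1 self signature, while a check keyed on a time the verifier supplies does not. The type and function names and the sample timestamps are assumptions; only the 2013 cutoff year comes from the message.

```rust
// Simplified model of a time-dependent hash policy; not Sequoia's implementation.
// All times are Unix seconds (UTC).
#[derive(Clone, Copy)]
enum Hash { Sha1, Sha256 }

// The message gives 2013 as the SHA1 cutoff; 2013-01-01T00:00:00Z is an assumed instant.
const SHA1_CUTOFF: u64 = 1_356_998_400;
const T_2012: u64 = 1_338_508_800; // constructed sample: 2012-06-01
const T_2020: u64 = 1_603_411_200; // constructed sample: 2020-10-23

struct Sig { hash: Hash, claimed_creation: u64 } // creation time is signer-controlled

/// Was `hash` still considered safe at `reference_time`?
fn hash_ok_at(hash: Hash, reference_time: u64) -> bool {
    match hash {
        Hash::Sha1 => reference_time < SHA1_CUTOFF,
        Hash::Sha256 => true,
    }
}

/// Filter keyed on the signature's own timestamp: a backdated SHA1 signature passes.
fn accept_by_claimed_time(sig: &Sig) -> bool {
    hash_ok_at(sig.hash, sig.claimed_creation)
}

/// Filter keyed on a time the verifier obtained itself (its clock when no
/// authenticated timestamp exists); signatures claiming a later time are rejected.
fn accept_by_trusted_time(sig: &Sig, trusted_time: u64) -> bool {
    sig.claimed_creation <= trusted_time && hash_ok_at(sig.hash, trusted_time)
}

fn main() {
    let backdated = Sig { hash: Hash::Sha1, claimed_creation: T_2012 };
    let modern = Sig { hash: Hash::Sha256, claimed_creation: T_2020 };
    println!("backdated SHA1, claimed time: {}", accept_by_claimed_time(&backdated));
    println!("backdated SHA1, clock 2020:   {}", accept_by_trusted_time(&backdated, T_2020));
    println!("SHA256 self sig, clock 2020:  {}", accept_by_trusted_time(&modern, T_2020));
}
```

The third case in `main` corresponds to Alice encrypting to Bob with no message to take a timestamp from: her own clock is the only reference time she can rely on.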
