ietf-openpgp
[Top] [All Lists]

Re: [openpgp] v5 in the crypto-refresh draft

2021-06-05 13:04:30
On Sat 2021-06-05 11:20:48 +0000, Peter Gutmann wrote:
The first thing to do when "fixing" SHA1 fingerprints, meaning breaking all
existing fingerprints on the planet,

The draft as it stands doesn't "break all existing fingerprints on the
planet" -- it just says "when you're making a new OpenPGP key, make it
v5 and you and your peers won't have to think about SHA-1 any more when
using this key".  By using a v5 key an implementation would also be
effectively signalling its compatibilty with any updated MTI choices
(which we haven't gotten to yet, because we're still wallowing here).

This is a change that, granted, should have been made a decade ago so
that we could have some deployment by now.  But better late than never.

is to define what properties they need to have.  I can't think of
anything for which SHA-256 is OK but SHA-1 isn't, so before
arbitrarily throwing SHA-256 in there we'd need to define what's
needed for a fingerprint algorithm to see why -1 doesn't meet the
requirements, and whether -256 does.

We've been over this ground before in the WG, and i don't think anyone
who thinks about it deeply will disagree with you re: collision
resistance.

Nonetheless, fingerprints show up in many places, and many
implementations use them as unique identifiers, and can display
weird/broken behavior when encountering collisions, even if they're
sourced from the same (potentially malicious) actor.  Do we want to
encourage that kind of booby trap?  Furthermore, having to constantly
defend the use of SHA-1 when it is known to be deprecated *in other
contexts* is a tiresome exercise, and i think it'd be great if the
OpenPGP community could move past it.

We settled in the past iteration of this WG on SHA-256 as a
non-controverisal replacement, which is why it was re-merged into the
crypto-refresh draft.  If folks really want to re-litigate it, i suppose
that's possible, but i think we have bigger fish to fry (can we get to
those MTI changes, for example?) and I hope folks will think clearly
about whether such a detour is worthwhile.

     --dkg

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp