On 5/1/2013 10:16 PM, Daniel Kahn Gillmor wrote:
> It doesn't facilitate a collision attack against that specific
> certification; but if a collision attack is possible against a
> particular digest, then *any* signature made over that digest becomes
> suspect.

First, thank you for a thorough reply. I appreciate it a great deal. I think we may be using two different definitions of collision attack.

> That is, should a collision attack become viable against a particular
> digest, there's no way to tell whether any given signature that uses
> that digest was made before or after the collision attack was possible.

In the absence of a trusted timestamp, yes. (Of course, then this becomes a question of whether the trusted timestamp is susceptible to attack. I concede that this isn't a solution but just a reification one level deeper.)

> Eve manages to inject data into your collection that makes the
> data collection have the same digest as a particularly weird User ID
> when bound to your primary key (i'm handwaving past the details of the
> OpenPGP boilerplate involved in a self-sig here).

Are you sure that this is a collision attack? It seems to me you've created a preimage scenario here. And if so, I stand by my statement of "then I'm completely screwed on a dozen different fronts simultaneously and my certificate is the least of my worries." :)

(For those confused by the difference -- I'm certain Daniel isn't -- all preimage attacks are collision attacks, but relatively few collision attacks are preimage attacks. Wikipedia defines a collision attack as being able to "find two arbitrary different messages m1 and m2 such that hash(m1) = hash(m2)." The 'arbitrary' is important: you only care about finding a collision, but you don't care one whit what that collision is over. By comparison, a preimage attack means finding a specific message that hashes out to a specific value. By manipulating the data I'm signing, Eve is finding a specific message: by specifying "it must hash out to the same as a signature he made in the past", Eve is specifying a particular hash value. This is why his scenario seems to me to be a preimage attack in disguise, rather than a collision attack.)

(However, it is certainly possible that I've misunderstood his scenario.)

> There is no good reason for anyone interacting with modern
> infrastructure to make their default certifications with anything weaker.

I continue to think that you're worrying about how you're going to turn the coffeepot off as you're fleeing a house fire. :)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
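The collision-versus-preimage distinction debated in the message above, as an added worked example (not code from the thread or from GnuPG): SHA-256 is truncated to a toy width so that a birthday search for *any* two colliding messages and a brute-force search for a message matching one *specific* digest both finish quickly, and the number of hash evaluations each needs can be compared directly. The truncation width and the candidate-message format are assumptions made for the demonstration.

```python
import hashlib


def truncated_digest(msg: bytes, bits: int) -> int:
    """SHA-256 cut down to `bits` bits: a deliberately weak toy digest
    (assumed 1 <= bits <= 64) so the searches below run in seconds."""
    head = int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")
    return head >> (64 - bits)


def find_collision(bits: int):
    """Birthday search: return two distinct messages with the same
    truncated digest, plus the number of digests computed.
    Neither message is fixed in advance, which is why the expected
    cost is only about 2 ** (bits / 2) evaluations."""
    seen = {}  # truncated digest -> first message that produced it
    tries = 0
    while True:
        msg = b"collision-candidate-%d" % tries  # constructed input
        tries += 1
        d = truncated_digest(msg, bits)
        if d in seen:  # every candidate is unique, so this is a real pair
            return seen[d], msg, tries
        seen[d] = msg


def find_preimage(target: int, bits: int):
    """Brute-force preimage search: return a message whose truncated
    digest equals `target`, plus the number of digests computed.
    The digest is fixed beforehand, so the expected cost is about
    2 ** bits evaluations, the square of the collision cost."""
    tries = 0
    while True:
        msg = b"preimage-candidate-%d" % tries  # constructed input
        tries += 1
        if truncated_digest(msg, bits) == target:
            return msg, tries


if __name__ == "__main__":
    bits = 20
    m1, m2, ct = find_collision(bits)
    print(f"collision after {ct} digests: {m1!r} / {m2!r}")
    # A digest that was "signed" earlier; the attacker must hit it exactly.
    target = truncated_digest(b"previously signed message", bits)
    pm, pt = find_preimage(target, bits)
    print(f"preimage after {pt} digests: {pm!r}")
```

Run it once and the collision count lands in the hundreds or low thousands while the preimage count is around a million; halving the width halves the exponent of the preimage cost but only quarters the collision cost's exponent, which is the gap the two definitions above turn on.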