Re: SHA1 collision found

2017-11-25 Thread Matthias Apitz
On Saturday, 25 November 2017 14:24:29 CET, Jerry wrote: On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated: What’s up up ADVERB ... Maybe the OP wanted to sent this to What's Ape. matthias -- Sent from my Ubuntu phone http://www.unixarea.de/

Re: SHA1 collision found

2017-11-25 Thread Jerry
On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated: >What’s up up ADVERB toward the sky or a higher position: "he jumped up" · [more] synonyms: up · higher · uphill · upslope · to the top · skyward · heavenward to the place where someone is: "Dot didn't hear Mrs.

Re: SHA1 collision found

2017-02-25 Thread Daniel Kahn Gillmor
On Sat 2017-02-25 09:09:20 -0500, MFPA wrote: > On Friday 24 February 2017 at 3:15:23 PM, in > , ved...@nym.hush.com wrote:- > >> Even for v3 keys, which were not SHA1 hashed, the only way to >> generate a new key with the same fingerprint, would

Re: SHA1 collision found

2017-02-25 Thread MFPA
Hi On Friday 24 February 2017 at 3:15:23 PM, in , ved...@nym.hush.com wrote:- > Even for v3 keys, which were not SHA1 hashed, the > only way to > generate a new key with the same fingerprint, would > be to allow the > key size to vary (usually to

Re: SHA1 collision found

2017-02-24 Thread Glenn Rempe
If you read the announcement Google never uses the words "completely broken" that you attribute to them. I believe that was someone else's characterization. Mis-attribution and name calling can also be unhelpful. Google's security team has been the driving force behind two major security

Re: SHA1 collision found

2017-02-24 Thread Melvin Carvalho
On 23 February 2017 at 19:24, wrote: > Today was announced that SHA1 is now completely broken > https://security.googleblog.com/2017/02/announcing-first- > sha1-collision.html This is nonsense. Google security team calling sha1 "completely broken" simply means google's security

Re: SHA1 collision found

2017-02-24 Thread vedaal
On 2/23/2017 at 4:52 PM, si...@web.de wrote:... Not sure about you but I am not able to see the difference between a valid pgp key and "gibberish" ;) ... = In the example of the 2 pdf's, they started with one pdf, made another pdf, then multiple (more than billions) trials of adding a

Re: SHA1 collision found

2017-02-24 Thread Ingo Klöcker
On Thursday 23 February 2017 23:38:36 Leo Gaspard wrote: > On 02/23/2017 09:00 PM, Robert J. Hansen wrote: > > [...] > > > > To which I said, "Create two keys with the same fingerprint. Sign a > > contract with one, then renege on the deal. When you get called > > into court, say "I never

Re: SHA1 collision found

2017-02-23 Thread Christoph Anton Mitterer
On Thu, 2017-02-23 at 13:58 -0500, Robert J. Hansen wrote: > > "Migrating to SHA256" > section in > the FAQ? What I always kinda wonder is, why crypto or security experts, at least in some sense never seem to learn. When MD5 got it's first scratches, some people started to demanded for it's ASAP

Re: SHA1 collision found

2017-02-23 Thread sivmu
Am 23.02.2017 um 20:09 schrieb ved...@nym.hush.com: > The Openpgp standards group is working on this. Yes but who know how many years it will take until a new standard is accepted... > > The link you give for the collision used 2 PDF's. > Using a PDF is sort-of 'cheating', and does not

Re: SHA1 collision found

2017-02-23 Thread vedaal
On 2/23/2017 at 1:27 PM, si...@web.de wrote:Today was announced that SHA1 is now completely broken https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html A few weeks back it was mentioned that there is a new proposal for a openpgp standart including a new algorithm for pgp

RE: SHA1 collision found

2017-02-23 Thread Robert J. Hansen
(I originally sent this off-list by mistake. Peter was kind enough to respond off-list and to suggest we take it back on-list. This email is a distillation of three different emails: my original, Peter's response, and a response to Peter.) = > I already answered that here[1]. The use of

RE: SHA1 collision found

2017-02-23 Thread Robert J. Hansen
> Today was announced that SHA1 is now completely broken > https://security.googleblog.com/2017/02/announcing-first-sha1- > collision.html SHA-1 is broken *for some purposes*. That's scary enough, trust me. Let's not overstate things. For the last ten years I've been saying, "The smoke alarm

Re: SHA1 collision found

2017-02-23 Thread Peter Lebbing
On 23/02/17 19:24, si...@web.de wrote: > As this is currently not applicable in practice, I would like to know > what this new development means for pgp-gnupg and the use of SHA1 for > key identification. I already answered that here[1]. The use of SHA-1 in fingerprints is not susceptible to a

SHA1 collision found

2017-02-23 Thread sivmu
Today was announced that SHA1 is now completely broken https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html A few weeks back it was mentioned that there is a new proposal for a openpgp standart including a new algorithm for pgp fingerprints. As this is currently not