On 06/11/2009 01:40 PM, Daniel Kahn Gillmor wrote:
> However, once such an attack exists, the responsible course of action
> will be to promptly deprecate all keys that rely on SHA1 (in
> self-signatures, etc).  

Before this gets misinterpreted, let me clarify: I understand that
pre-existing self-signatures won't become inherently less trustworthy in
the event that the digest algorithm they're based on has a practical
flaw in its collision-resistance.

However, there's no cryptographic way to distinguish between
pre-existing self-signatures (e.g. stuff you already had a hard copy of
on your local machine before an attack was developed by someone
elsewhere) and new forged signatures that have been forged to look old.

This suggests that from a systems infrastructure point of view, it's
simplest and safest to consider suspect *all* signatures made over a
digest with significantly weakened collision-resistance.  This includes
self-signatures, unfortunately, and the keys which rely on them.

        --dkg
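The policy described above (treat every signature over a weakened digest as suspect, self-signatures included) can be audited mechanically. The following is an added example, not code from the thread or from any OpenPGP implementation: it walks RFC 4880 packet framing, picks out v4 signature packets, and flags those whose hash algorithm octet is on a deny-list. The sample bytes are constructed by hand and are not a real key.

```python
# Added example, not from the thread: walk OpenPGP packets (RFC 4880 framing)
# and flag every v4 signature packet whose digest is on a deny-list.
# The sample bytes are constructed by hand, not a real key: only the packet
# headers and the first four octets of each signature body are meaningful.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
              10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x10: "generic cert", 0x13: "positive cert", 0x18: "subkey binding",
             0x19: "primary key binding", 0x1F: "direct key", 0x20: "revocation"}
WEAK_DIGESTS = {1, 2}  # MD5 and SHA1: collision resistance is broken

def iter_packets(data: bytes):
    """Yield (tag, body) for each old- or new-format packet; no partial bodies."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"not a packet header at offset {i}")
        if hdr & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag, b1 = hdr & 0x3F, data[i + 1]
            if b1 < 192:
                length, i = b1, i + 2
            elif b1 < 224:
                length, i = ((b1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif b1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-octet count in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def audit_signatures(data: bytes) -> list[tuple[str, str, bool]]:
    """Return (signature type, digest name, is_weak) for each v4 signature."""
    out = []
    for tag, body in iter_packets(data):
        if tag == 2 and len(body) >= 4 and body[0] == 4:  # v4 signature packet
            sig_type, hash_alg = body[1], body[3]
            out.append((SIG_TYPES.get(sig_type, hex(sig_type)),
                        HASH_NAMES.get(hash_alg, str(hash_alg)),
                        hash_alg in WEAK_DIGESTS))
    return out

# Constructed sample: a user ID packet, then a positive self-certification over
# SHA1 (old-format header) and a subkey binding over SHA256 (new-format header).
SAMPLE = (bytes([0xB4, 5]) + b"alice"
          + bytes([0x88, 8, 4, 0x13, 1, 2, 0, 0, 0, 0])
          + bytes([0xC2, 8, 4, 0x18, 1, 8, 0, 0, 0, 0]))
```

Running `audit_signatures(SAMPLE)` reports the SHA1 certification as suspect and the SHA256 binding as fine; on a real keyring the same loop would be fed the dearmored packet stream.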


_______________________________________________
Debconf-discuss mailing list
Debconf-discuss@lists.debconf.org
http://lists.debconf.org/mailman/listinfo/debconf-discuss
