On Dec 12, 2010, at 11:21 AM, Robert J. Hansen wrote:

> On 12/12/2010 10:23 AM, Daniel Kahn Gillmor wrote:
>> What part of OpenPGP certificates require SHA-1?
> 
> ... At first blush, V4 certificate checksums, symmetrically encrypted
> integrity protected data packets, the MDC system in general, certificate
> fingerprints, etc.  I just grepped through the RFC looking for any
> hardcoded SHA-1; David is probably a much better reference than I am on
> this.
> 
> Probably the most annoying -- to me, at least -- is the fingerprint
> requirement.  If a preimage collision is discovered in SHA-1 then it's
> all over.  I can take your signature on my enemy's key, graft it onto my
> own impersonator of my enemy's key, and then get others to believe it.

Yes.  The other uses of SHA-1 are not nearly as significant as the fingerprint 
(and thus key ID).  For example, it's true that the MDC uses SHA-1, but no big 
deal - just make a new MDC that uses whatever you like, and repeat as needed.  
Virtually all deployed code will handle this correctly (for example, a feature 
flag indicating the existence of the "mdc2" capability), and use it only when 
all participants can handle it.

The fingerprint issue is more than just making a new packet for a new MDC or 
revocation subpacket, though.  There is no concept in OpenPGP of a flag telling 
an implementation how to calculate the fingerprint - or rather there IS a flag: 
the version field, but it's hardcoded :)

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
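As an added worked example (not code from the thread, GnuPG or the RFC authors), the script below computes a V4 OpenPGP fingerprint and key ID the way RFC 4880 section 12.2 specifies them: SHA-1 over a 0x99 octet, a two-octet body length and the public key packet body. The point David makes is visible in `v4_fingerprint`: the digest is selected purely by the hardcoded version octet, so an implementation has no field it can consult to pick a different hash. The RSA key material, creation time and function names are constructed for the example; the moduli are far too small for a real key.

```python
import hashlib
import struct
from typing import Sequence

# Constructed sample inputs (not a real key): a fixed creation time and
# toy RSA parameters so the script runs offline.
SAMPLE_CREATED = 1292150000          # arbitrary Unix timestamp
SAMPLE_ALGO_RSA = 1                  # RFC 4880 public-key algorithm id for RSA
SAMPLE_N = 0xC0FFEE1234567890ABCDEF  # toy modulus, NOT a usable key
SAMPLE_E = 65537


def encode_mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length + big-endian value."""
    bit_len = value.bit_length()
    byte_len = (bit_len + 7) // 8
    return struct.pack(">H", bit_len) + value.to_bytes(byte_len, "big")


def v4_public_key_body(created: int, algo: int, mpis: Sequence[int]) -> bytes:
    """Build the body of a version 4 Public-Key packet (RFC 4880 section 5.5.2):
    version octet, 4-octet creation time, algorithm octet, then the key MPIs."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    for mpi in mpis:
        body += encode_mpi(mpi)
    return body


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 section 12.2: fingerprint = SHA-1(0x99 || 2-octet length || body).

    The only 'algorithm selector' is the version octet at body[0], and for
    version 4 the digest is fixed to SHA-1.  There is no negotiation flag;
    a future version would have to be a new hardcoded rule here."""
    version = body[0]
    if version != 4:
        raise ValueError(f"no fingerprint rule implemented for version {version}")
    hashed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(hashed).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID is the low-order 8 octets of the V4 fingerprint."""
    return fingerprint[-8:]


def sample_fingerprint() -> bytes:
    """Fingerprint of the constructed sample key above."""
    body = v4_public_key_body(SAMPLE_CREATED, SAMPLE_ALGO_RSA, [SAMPLE_N, SAMPLE_E])
    return v4_fingerprint(body)


if __name__ == "__main__":
    fpr = sample_fingerprint()
    print("fingerprint:", fpr.hex().upper())
    print("key id:     ", key_id(fpr).hex().upper())
```

Because the key ID is just the tail of the fingerprint, anything that weakens SHA-1 in the fingerprint weakens key IDs as well, which is why the thread singles this use out over the MDC; the MDC can be replaced by a new packet type that both sides advertise, whereas the fingerprint derivation has nowhere to signal a change.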
