Real-world current impact of disabling SHA1

2017-02-24 Thread Phil Pennock
There are various claims going around about how GnuPG should be disabling SHA1 now; the competent cryptographers I know are pointing out that a collision is not a second pre-image, don't panic and cargo-cult (but also yes it's time and past time to be making sure we have a clear path away). I'm

Re: SHA1 collision found

2017-02-24 Thread Glenn Rempe
If you read the announcement Google never uses the words "completely broken" that you attribute to them. I believe that was someone else's characterization. Mis-attribution and name calling can also be unhelpful. Google's security team has been the driving force behind two major security

Re: SHA1 collision found

2017-02-24 Thread Melvin Carvalho
On 23 February 2017 at 19:24, wrote:
> Today was announced that SHA1 is now completely broken
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

This is nonsense. Google security team calling sha1 "completely broken" simply means google's security

Re: Announcing paperbackup.py to backup keys as QR codes on paper

2017-02-24 Thread Peter Lebbing
On 23/02/17 13:36, Gerd v. Egidy wrote:
> So I think that this would move the bar for a possible user of paperbackup.py
> higher than I want to.

Yes, it should be easy to use. In fact, I've sometimes heard the complaint that "paperkey is not easy to install and/or use". That's really too bad

Re: SHA1 collision found

2017-02-24 Thread vedaal
On 2/23/2017 at 4:52 PM, si...@web.de wrote:... Not sure about you but I am not able to see the difference between a valid pgp key and "gibberish" ;) ... = In the example of the 2 pdf's, they started with one pdf, made another pdf, then multiple (more than billions) trials of adding a

Re: SHA1 collision found

2017-02-24 Thread Ingo Klöcker
On Thursday 23 February 2017 23:38:36 Leo Gaspard wrote:
> On 02/23/2017 09:00 PM, Robert J. Hansen wrote:
> > [...]
> >
> > To which I said, "Create two keys with the same fingerprint. Sign a
> > contract with one, then renege on the deal. When you get called
> > into court, say "I never

Re: Announcing paperbackup.py to backup keys as QR codes on paper

2017-02-24 Thread Peter Lebbing
On 23/02/17 11:00, Gerd v. Egidy wrote:
> Seems you are trusted by much more people than me ;)

More people trust that that key is mine, they don't trust me as a person, my actions or my certifications. dkg already answered that bit :-). These are mostly people I've met at a keysigning party. They