On 12/09/2010 02:17 PM, Robert J. Hansen wrote:
> IMO, quite high. If you use the same key material, then if the old
> OpenPGP certificate format ever becomes weak an attacker can simply take
> an old certificate of yours, upgrade it to the new format, and bang
> they're off to the races.

Maybe we're not talking about the same thing, but i don't understand the attack you describe. Why would a weakness in the old certificate format be able to invalidate the same key under a new format?

Note: i am *not* talking about a weakness in the underlying ciphers, digests, or asymmetric algorithms involved. A weakness in the certificate format itself would certainly make me wary of relying on certificates in the weak format, but why would it mandate re-keying? Could you give a more detailed example of such an attack?

> If/when the time comes for SHA-1 to be completely removed from OpenPGP,
> the migration path will quite likely involve new keys -- the same way
> that the V3/V4 migration path in the past necessitated new keys.

Could you point to a reference that explains why a person with a v3 key considered sufficiently strong by that day's estimation (say, 1024-bit RSA) would have had to create an entirely new key instead of just migrating their old key to v4?

Thanks for clarifying,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users