On 12/9/10 4:02 PM, Daniel Kahn Gillmor wrote:
> Maybe we're not talking about the same thing, but I don't understand the
> attack you describe. Why would a weakness in the old certificate
> format be able to invalidate the same key under a new format?
I did not communicate the idea well. In retrospect, I communicated it quite poorly.

Imagine a certificate that depends on a trivially weak hash -- say MD5 was used instead of SHA-1 for self-signatures, etc. Fine: that certificate is now out there in the wild. The signatures it makes are quite suspect. A new certificate standard comes out. You migrate your old certificate material to a new cert. You want to continue using it, after all. (Why, I don't know: it isn't as if it's hard to generate new certs.)

Great, except that your old cert is, in many jurisdictions, legally enforceable against you. You haven't revoked it: in fact, you continue to assert that it is usable (albeit in a new cert format). Someone else exploits the old, insecure cert format in a way you don't like. Now you're stuck arguing, "wait, that's not my cert... well, it /is/ my cert, it's the same cert material, but it's /not/ my cert, because that's an old insecure format..."

So far I've handwaved all different kinds of interesting issues and questions -- and I've *still* gone over the heads of the vast majority of lawyers and judges who would be arguing over the question of, "is this signature enforceable?"

Remember, in the eyes of the U.S. federal court system, MD5 is considered a strong hash with no known attacks against it. I don't trust the courts to understand these subtle nuances.

There is a big difference between something that is possible and harmless in a technical sense, and something that is possible but not recommended in a human sense. Technically, yes, it's possible. From a human factors perspective I would revoke the old cert, create a new one, make a clean break with the past and move forward. Fewer opportunities for human factors to bite me in the posterior.
> Could you point to a reference that explains why a person with a v3 key
> considered sufficiently-strong by that day's estimation (say, 1024-bit
> RSA) would have had to create an entirely new key instead of just
> migrating their old key to v4?

*Have* to? None.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
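The inventory step behind the advice above (find the v3 keys and the MD5 self-signatures in a keyring before deciding what to revoke), as an added example that is not part of this thread: a minimal RFC 4880 packet walker that reports each public key's version and the hash algorithm of the self-signature that follows it. It assumes old-format packet headers only and runs over a constructed byte sample (dummy MPIs; only headers and algorithm fields matter).

```python
"""Flag v3 OpenPGP keys and MD5 self-signatures in a raw packet stream (RFC 4880)."""

HASH_NAMES = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}

def iter_packets(data: bytes):
    """Yield (tag, body) for old-format packet headers (CTB bit 6 clear)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not a packet header")
        if ctb & 0x40:
            raise ValueError("new-format headers not handled in this example")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length unsupported")
        nlen = 1 << ltype  # 1, 2 or 4 length octets
        length = int.from_bytes(data[i + 1:i + 1 + nlen], "big")
        yield tag, data[i + 1 + nlen:i + 1 + nlen + length]
        i += 1 + nlen + length

def audit(data: bytes):
    """Return one finding per public key: its version, self-sig hash, and a weak flag."""
    findings, current = [], None
    for tag, body in iter_packets(data):
        if tag == 6:  # public-key packet; first octet is the key version
            current = {"key_version": body[0], "hash": None, "weak": False}
            findings.append(current)
        elif tag == 2 and current is not None:  # signature packet
            # v3 layout: version, 0x05, sigtype, time(4), keyid(8), pkalgo, hashalgo
            # v4 layout: version, sigtype, pkalgo, hashalgo, subpackets...
            hash_id = body[16] if body[0] == 3 else body[3]
            current["hash"] = HASH_NAMES.get(hash_id, f"algo {hash_id}")
            current["weak"] = current["key_version"] == 3 or hash_id == 1
    return findings

# Constructed sample (not a real key): a v3 RSA key self-signed with MD5,
# followed by a v4 RSA key self-signed with SHA-256.
SAMPLE = bytes([
    0x98, 0x0E, 0x03, 0x4C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0xAB, 0x00, 0x02, 0x03,
    0x88, 0x16, 0x03, 0x05, 0x13, 0x4C, 0x00, 0x00, 0x00, *([0x11] * 8), 0x01, 0x01, 0xDE, 0xAD,
    0x00, 0x08, 0x5A,
    0x98, 0x0C, 0x04, 0x4C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0xAB, 0x00, 0x02, 0x03,
    0x88, 0x0D, 0x04, 0x13, 0x01, 0x08, 0x00, 0x00, 0x00, 0x00, 0xBE, 0xEF, 0x00, 0x08, 0x5A,
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```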