On 12/12/2010 11:03 PM, David Shaw wrote:
> The fingerprint issue is more than just making a new packet for a new MDC
> or revocation subpacket, though. There is no concept in OpenPGP of a flag
> telling an implementation how to calculate the fingerprint - or rather
> there IS a flag: the version field, but it's hardcoded :)
In the discussion last year on the IETF list, the general consensus seemed to be that the fingerprints of primary keys were not endangered by a weakening of SHA-1's collision resistance. (This is in stark contrast to digital signatures and certifications, where weakened collision resistance in an algorithm represents a real threat [0].) But as far as I know, no one has yet reported a significant practical concern about SHA-1's resistance to a pre-image attack, which suggests that reliance on SHA-1 for fingerprints is probably reasonable until SHA-3 is selected.

Nonetheless, the purpose of the fingerprint is just to help humans identify and communicate keys. It is not embedded in the parts of the spec for any part of the certificate format (aside from desig-revoker, an acknowledged flaw in RFC 4880). So I see no reason that when SHA-3 comes out, we couldn't define a new form of fingerprint (call it v5 if you want) based on SHA-3, produce/consume that fingerprint alongside the traditional v4 fingerprint for a reasonable time period, stop producing v4 fingerprints, and then ultimately stop consuming v4 fingerprints.

Presumably when rolling out the new fingerprint format, we'd also specify that SHA-3 is the new "must-implement" digest for compliant implementations. Clearly, anyone capable of providing an SHA-3-based fingerprint has a tool capable of calculating SHA-3.

These strike me as updates to the specification, certainly ("we now calculate fingerprints in the following way; we now require SHA-3 as the lowest-common-denominator digest"). But this is not a change of the certificate format. Can you help me understand why a change in the choice of fingerprint technique and a change in the must-implement-digest-algorithm would require a change in the certificates themselves?

--dkg

[0] http://www.win.tue.nl/hashclash/rogue-ca/
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
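The point dkg is making above, as an added illustration that is not part of the thread: the RFC 4880 v4 fingerprint is SHA-1 over a fixed framing of the public-key packet body, so a SHA-3 "v5" fingerprint (hypothetical here, not a standard) can be computed over exactly the same packet bytes, and a consumer can accept both forms during a transition. The sample key body is constructed with a toy modulus and is not a usable RSA key; `sha3_fingerprint` and `matches` are hypothetical names.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2): 2-octet bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")

def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet (RFC 4880 5.5.2): version 4, creation time, algorithm 1, MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the packet body (20 octets)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def sha3_fingerprint(body: bytes) -> bytes:
    """HYPOTHETICAL 'v5' form discussed in the thread: identical framing, SHA3-256 instead of SHA-1.
    The key packet is untouched; only the digest choice changes."""
    return hashlib.sha3_256(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def pretty(fpr: bytes) -> str:
    """Human-facing rendering: upper-case hex in groups of four."""
    h = fpr.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))

def matches(body: bytes, fpr_text: str) -> bool:
    """Transition-period consumer: accept either form, selected by digest length, compared in constant time."""
    fpr = bytes.fromhex(fpr_text.replace(" ", ""))
    if len(fpr) == 20:
        return hmac.compare_digest(fpr, v4_fingerprint(body))
    if len(fpr) == 32:
        return hmac.compare_digest(fpr, sha3_fingerprint(body))
    return False

# Constructed sample: a toy 64-bit "modulus" so the example runs offline; not a real RSA key.
SAMPLE_BODY = v4_rsa_public_key_body(1292198400, 0xC0FFEE0123456789, 65537)
TAMPERED_BODY = v4_rsa_public_key_body(1292198400, 0xC0FFEE0123456788, 65537)

if __name__ == "__main__":
    print("v4 fingerprint (SHA-1):     ", pretty(v4_fingerprint(SAMPLE_BODY)))
    print("proposed fingerprint (SHA3):", pretty(sha3_fingerprint(SAMPLE_BODY)))
    print("consumer accepts v4:", matches(SAMPLE_BODY, pretty(v4_fingerprint(SAMPLE_BODY))))
    print("consumer accepts v5:", matches(SAMPLE_BODY, pretty(sha3_fingerprint(SAMPLE_BODY))))
```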