On 2020-11-17 at 15:47 +0000, Stefan Claas wrote:

>} Since 2005, SHA-1 has not been considered secure against well-funded
>} opponents;[4] as of 2010 many organizations have recommended its
>} replacement.[5][6][7] NIST formally deprecated use of SHA-1 in 2011
>} and disallowed its use for digital signatures in 2013.
>
> Was this therefore ever discussed on OpenPGP Mailing Lists, between
> OpenPGP experts and Mr. Zimmermann and Werner?
It's been discussed on the standardization lists, where I would summarize the view as "What the hell, why are people still using SHA1?" The answer is that some people are still using tools such as GnuPGv1 and other similarly ancient software and get upset when asked to use the current code-bases. If you made a key using such old software but are now using modern software, you should re-sign your UID and check for other problems.

If anyone wants to explore working with OpenPGP message formats while writing a standalone tool, I suggest a public key reporter tool which will report on the use of SHA1 (or MD5) digests where there's not also a signature with a modern digest scheme, and provide guidance about updating the keys. There are a few places such things might creep in. Re-reading RFC 4880 while taking notes about all the places you see such keys would help in writing a good tool. This strikes me as a good way for a developer to become more familiar with the ecosystem and to create an actively useful tool to help the community move forward away from ancient systems. Please don't demand this tool of any other developers: I offer the idea as a suggestion only.

> Second question:
>
> What does it really mean for the OpenPGP ecosystem if there would be a
> SHA1 collision found in an email or detached signed document or file?
> I ask, because when one checks a GnuPG
> digitally signed message or file it usually says it comes from the key
> (owner) blah and this key has a fingerprint of blah if one checks.

If someone can knowingly construct collisions against an existing signature, without the cooperation of the key owner, then SHA1 would be completely useless and such signatures would be nearly meaningless. The current state of SHA1 is "dangerously exposed, you should be hurrying for the exits, there might still be time to grab your coat on the way out of the door."
The history is such that when the current attacks against a digest system are where the SHA1 attacks are now, you really don't want to be dealing with the next revelations, because you will not be happy.

At present, using "weak-digest sha1" in your GnuPG configuration files reveals a lot of problems, and in day-to-day use you will have to periodically comment it back out again. I know, because I've been doing this since January. It has helped me with pushing people I need to exchange private mail with to update their keys.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
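The reporter tool Phil sketches above, written out as an added example (this is not code from the thread, from GnuPG, or from any OpenPGP project). It walks the packet framing of RFC 4880 section 4.2, reads the hash-algorithm octet out of each v3/v4 signature packet (section 5.2), attributes every signature to the key, user ID, user attribute or subkey packet that precedes it, and lists the components that carry no signature with a digest other than MD5 or SHA1. The packet tags, length encodings, hash-algorithm identifiers and signature-packet offsets are as specified in RFC 4880; the function names, the "weak-only/mixed/ok" vocabulary and the sample key at the bottom (hand-built with filler MPIs, not a real key) are my own assumptions. It does not verify any signature.

```python
"""Report OpenPGP key components whose only signatures use MD5 or SHA-1.

Added illustration, not a GnuPG tool: it parses packet framing and the
header octets of signature packets per RFC 4880 and never verifies a
signature. SAMPLE_KEY below is constructed by hand with filler MPIs.
"""
import struct
from dataclasses import dataclass, field

# RFC 4880 section 9.4 hash algorithm identifiers
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}  # MD5, SHA1

# Packet tags (RFC 4880 section 4.3)
TAG_SIG, TAG_PUBKEY, TAG_UID, TAG_PUBSUBKEY, TAG_UATTR = 2, 6, 13, 14, 17
LABELS = {TAG_PUBKEY: "primary key", TAG_UID: "uid",
          TAG_UATTR: "user attribute", TAG_PUBSUBKEY: "subkey"}


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old and new format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag octet at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new format header (section 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:  # 224..254 is a partial body length; not used in key material
                raise ValueError("partial body lengths not supported")
        else:  # old format header (section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:  # indeterminate length: runs to end of input
                length = len(data) - pos
            else:
                nbytes = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + nbytes], "big")
                pos += nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        yield tag, body


def signature_hash_algo(body: bytes) -> int:
    """Hash algorithm octet of a v3 or v4 signature packet (section 5.2)."""
    version = body[0]
    if version == 3:
        # version, 0x05, type, 4-octet time, 8-octet key id, pk algo, hash algo
        return body[16]
    if version == 4:
        # version, type, pk algo, hash algo, ...
        return body[3]
    raise ValueError(f"unsupported signature version {version}")


@dataclass
class Component:
    label: str
    hashes: list = field(default_factory=list)


def audit_key(data: bytes):
    """Return [(label, status, [hash names])] for each key component.

    Each signature packet is credited to the key, user ID, user attribute
    or subkey packet before it (transferable key layout, section 11.1).
    """
    components, current = [], None
    for tag, body in iter_packets(data):
        if tag in LABELS:
            label = LABELS[tag]
            if tag == TAG_UID:
                label += " " + body.decode("utf-8", "replace")
            current = Component(label)
            components.append(current)
        elif tag == TAG_SIG and current is not None:
            current.hashes.append(signature_hash_algo(body))
    report = []
    for c in components:
        weak = [h in WEAK_HASHES for h in c.hashes]
        status = ("none" if not c.hashes else "weak-only" if all(weak)
                  else "mixed" if any(weak) else "ok")
        names = [HASH_NAMES.get(h, f"algo {h}") for h in c.hashes]
        report.append((c.label, status, names))
    return report


def weak_only_components(data: bytes):
    """Labels of components with no signature using a modern digest."""
    return [label for label, status, _ in audit_key(data) if status == "weak-only"]


# ---- constructed sample key: real framing, filler key and signature MPIs ----

def old_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body      # 1-octet length


def new_packet(tag: int, body: bytes) -> bytes:
    return bytes([0xC0 | tag, len(body)]) + body             # 1-octet length


def v4_sig(sig_type: int, hash_algo: int) -> bytes:
    # v4, type, RSA, hash, empty hashed+unhashed subpackets, hash prefix, MPI
    return bytes([4, sig_type, 1, hash_algo, 0, 0, 0, 0, 0xAB, 0xCD, 0, 8, 0xFF])


def v3_sig(sig_type: int, hash_algo: int) -> bytes:
    # v3, hashed length 5, type, creation time, key id, RSA, hash, prefix, MPI
    return (bytes([3, 5, sig_type]) + b"\x5f\xb3\x00\x00" + b"\x00" * 8
            + bytes([1, hash_algo]) + b"\xAB\xCD" + b"\x00\x08\xFF")


KEY_BODY = b"\x04\x5f\xb3\x00\x00\x01" + b"\x00\x08\xFF" + b"\x00\x02\x03"

SAMPLE_KEY = (
    old_packet(TAG_PUBKEY, KEY_BODY)
    + old_packet(TAG_UID, b"Alice <alice@example.org>")
    + old_packet(TAG_SIG, v4_sig(0x13, 2))   # old SHA1 self-signature ...
    + old_packet(TAG_SIG, v4_sig(0x13, 8))   # ... later re-signed with SHA256
    + new_packet(TAG_UID, b"Alice (old laptop) <alice@example.net>")
    + new_packet(TAG_SIG, v3_sig(0x10, 1))   # MD5-only certification
    + old_packet(TAG_PUBSUBKEY, KEY_BODY)
    + old_packet(TAG_SIG, v4_sig(0x18, 2))   # SHA1-only subkey binding
)

if __name__ == "__main__":
    for label, status, hashes in audit_key(SAMPLE_KEY):
        print(f"{status:9} {label:44} {', '.join(hashes) or '-'}")
        if status == "weak-only":
            print("          -> re-sign with a current implementation and a SHA-2 digest")
```

To run it against a real key, export it in binary form (`gpg --export KEYID > key.bin`, without `--armor`) and pass the file contents to `audit_key`. Two caveats a practitioner should keep in mind: the tool does not check which key issued each signature, so a third party's SHA1 certification and your own SHA1 self-signature are reported the same way, and a "mixed" component still carries the old signature, which a verifier that accepts SHA1 will continue to honour. The `weak-digest sha1` setting Phil mentions is the complementary, runtime-side approach: it makes GnuPG reject those signatures outright rather than merely listing them.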