Re: [openpgp] Deprecating SHA1

"Neal H. Walfield" <neal@walfield.org> Sat, 24 October 2020 15:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/5uLOdRx89YAM0vGXhr-6bPeiDBI>

Hi Phil,

On Fri, 23 Oct 2020 21:23:17 +0200,
Phil Pennock wrote:
> 
> On 2020-10-23 at 14:51 +0200, Neal H. Walfield wrote:
> >   - Does anyone see a safe way to accept SHA1 self-signatures today?
> >     Or (ouch!), if we want to be safe, do we have to convince ~10% of
> >     the sophisticated OpenPGP users to re-sign or regenerate their
> >     keys?
> 
> At the start of this year, I reached out individually to maintainers
> signing releases of some security critical software and had good luck
> getting them to re-sign, by including instructions on how to do so.
> 
> I never got around to producing a blog-post, but the messaging worked,
> everyone I reached out to followed through and fixed.  It's a small
> sample set of about 5, and population biased towards caring about
> security.  So while I wouldn't extrapolate to "everyone will do it", I
> think with pressure "many people will".

Thanks for the report.  I think your hope is well founded.

> The TLDR for folks using the widespread GnuPG software is that GnuPG
> defaults to protecting you against a new self-sig, but expert-mode makes
> it easy:
> 
>     gpg --expert --cert-digest-algo SHA256 --sign-key $YourKeyId

I wasn't aware of this, thanks for pointing it out.  Unfortunately,
for many keys it is not enough.

There are three types of signatures that we should worry about:

  1. User ID (and User Attribute) self signatures
  2. Subkey binding signatures
  3. Primary key binding signatures (a signing-capable subkey's "backsig")

Your suggestion causes gpg to update the User ID self signatures (1).
It is possible to update subkey binding signatures (2) by changing
their expiration time.  I'm not aware of a way using gpg to simply
say: refresh the current subkey binding signature.  As for the backsig
(3), it would make sense to update this when updating the subkey
binding signature (2), however, gpg doesn't currently do this.  See:

  https://dev.gnupg.org/T5110

> If services such as keys.openpgp.org started showing big scary red
> warnings above keys which lack a sane self-sig, or warning on upload,
> we'd get some pressure that way.

That's a good idea.

:) Neal
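
Added example, not part of the message above and not GnuPG code: a minimal Python reader for a binary OpenPGP certificate (for instance the output of `gpg --export`) that reports which of the three signature types listed in the message still use SHA1, including a backsig carried as an embedded signature subpacket. It assumes v4 signatures in the RFC 4880 packet layout, does not verify signatures or check that the issuer is the primary key, and runs on constructed sample bytes.

```python
# Added example (not from the thread); packet and subpacket layout follows RFC 4880.
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
KINDS = {t: "User ID certification" for t in (0x10, 0x11, 0x12, 0x13)}
KINDS.update({0x18: "subkey binding", 0x19: "primary key binding (backsig)"})

def read_len(buf, i):
    """Decode a new-format packet or subpacket length; return (length, next index)."""
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] < 255:  # two-octet form; partial body lengths are not handled
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body) for each packet of a binary (de-armored) certificate."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:  # new-format header
            tag = hdr & 0x3F
            n, i = read_len(data, i + 1)
        else:  # old-format header with 1, 2 or 4 length octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        yield tag, data[i:i + n]
        i += n

def signatures(body):
    """Yield (kind, hash) for a v4 signature body and any signature embedded in it."""
    if body[0] != 4:
        return
    yield KINDS.get(body[1], hex(body[1])), HASHES.get(body[3], str(body[3]))
    pos = 4
    for _ in range(2):  # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos < end:
            n, pos = read_len(body, pos)
            if body[pos] & 0x7F == 32:  # Embedded Signature subpacket (the backsig)
                yield from signatures(body[pos + 1:pos + n])
            pos += n

def weak_signatures(data, weak=("MD5", "SHA1")):
    """Return [(kind, hash)] for every signature made with a digest in `weak`."""
    return [s for t, b in packets(data) if t == 2 for s in signatures(b) if s[1] in weak]

# Constructed sample (placeholder signature values): User ID, SHA256 self-sig, SHA1 binding + backsig.
SAMPLE = bytes.fromhex("cd05616c696365" "c21304130108000605025f944b0000000000000101"
                       "c22204180102000605025f944b00000f0e20" "04190102000000000000000101" "0000000101")
```

On the sample, `weak_signatures(SAMPLE)` returns the subkey binding and its backsig but not the refreshed User ID signature. Superseded signatures are reported too, so an old SHA1 entry only matters if no newer signature of the same kind replaces it.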