Re: [openpgp] Disadvantages of Salted Signatures

Justus Winter <justus@sequoia-pgp.org> Mon, 11 December 2023 17:09 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/6UwQW3Yfy8ARgkib1urSFjih27w>

Stephan Verbücheln <verbuecheln@posteo.de> writes:

> Is it practically relevant?
> Hash algorithms which are vulnerable to collisions should not be used
> anyway. SHA-1 was deprecated in 2011, a long time before that attack
> was demonstrated.

Yes.  Depressingly, SHA-1 is still widely used.  We have an issue
listing many examples:

  https://gitlab.com/sequoia-pgp/sequoia/-/issues/595

And, we're still discovering new certs.  For example, this is the cert
used by the German Federal Police, created in 2019, using SHA-1-based
binding signatures:

  https://www.bundespolizei.de/Web/DE/Service/Impressum/pgp-schluessel_file.asc?__blob=publicationFile&v=2

> Does it make sense to have it mandatory or default?
> In most cases, PGP users sign their own data (e-mails, software
> tarballs etc.). It could nevertheless be default for “certify”
> operations.

Adding knobs to OpenPGP has a cost too, and giving that choice to
downstream users has an even greater cost.

Best,
Justus