Re: [openpgp] Deprecating SHA1
Guillem Jover <guillem@hadrons.org> Fri, 23 October 2020 20:14 UTC
Hi!

[ CCing the Debian keyring maintainers, as I'm not sure whether they are
subscribed, and leaving enough quoted text for context. ]

On Fri, 2020-10-23 at 14:51:08 +0200, Neal H. Walfield wrote:
> I'm turning to this mailing list to seek advice about how to deal with
> SHA1-based self signatures. I have two concrete questions, which are
> at the bottom of the email. But first, I want to present the concrete
> problem and my thoughts so far.
>
>
> Based on the "SHA-1 is a Shambles" paper [1] we decided to change
> Sequoia to reject signatures that use SHA1 by default [2]. This
> includes both signatures over data, as well as self signatures of all
> kinds including primary key binding signatures (aka backsigs).
>
> [1] https://sha-mbles.github.io/
> [2] https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html#method.reject_hash_at
>
> A Secure Drop developer recently contacted us, and indicated that our
> policy was too strict: some of the Secure Drop installations have
> offline keys that use SHA1, and the users have no easy way (or lack
> the will) to update those keys.
>
> This prompted me to investigate the use of SHA1 in general.
> Unfortunately, it appears that many actively used certificates from
> technically sophisticated users still rely on SHA1. The results of my
> investigation are here:
>
> https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
> […]
>
> Looking at the Debian Keyring, I found that:
>
> - 106 of the 884 certificates (12%) use SHA1 for all User ID binding
> signatures and direct key signatures
>
> - 63 more (7%) use SHA1 to protect at least one non-revoked User ID.
>
> - 234 have a non-revoked, live signing capable subkey
>
> - 19 of those have binding signatures that use SHA1 in some way
> (8%).
>
> - 9 use something stronger for the subkey binding signature, but
> SHA1 for the backsig. (This appears to be a bug in GnuPG, which
> I reported [4].)
>
> [4] https://dev.gnupg.org/T5110
>
> As Debian Developers are perhaps the most sophisticated OpenPGP users,
> this is pretty damning.
> […]
>
> Given these results, we decided to reevaluate our bad listing of SHA1.
> As the SHA1 paper indicates that SHA1's preimage resistance is not
> broken, I thought that we might be able to accept SHA1 for self
> signatures, and not for documents [6]. But, Azul pointed out [7] that
> Mallory could create a collision for a document and a self-signature,
> and then convince Alice to sign the document. This could work in
> practice because Mallory can predict everything in the signature but
> the timestamp, and if Alice is an automated signing service, there is
> a good chance that Mallory would be able to get Alice to sign the
> document at the right time.
>
> [6] https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
> [7] https://gitlab.com/sequoia-pgp/sequoia/-/issues/595#note_433768966
> […]
>
> So, two questions:
>
> - Does anyone see a safe way to accept SHA1 self-signatures today?
> Or (ouch!), if we want to be safe, do we have to convince ~10% of
> the sophisticated OpenPGP users to re-sign or regenerate their
> keys?

[…]

Regards,
Guillem
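As an added example (not part of this thread, nor Sequoia or GnuPG code), here is a small Python linter in the spirit of the keyring survey quoted above: it walks a binary OpenPGP certificate (e.g. the output of `gpg --export`), reports every v4 signature whose hash is MD5, SHA1 or RIPEMD160, and descends into the embedded backsig so the "SHA256 subkey binding over a SHA1 backsig" case is caught. Packet and subpacket framing follows RFC 4880; v3 signatures and partial-body lengths are assumed absent, and the sample certificate bytes are constructed for the demonstration.

```python
WEAK_HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}     # RFC 4880 hash algorithm ids we flag
SIGTYPE = {0x13: "positive cert", 0x18: "subkey binding", 0x19: "backsig", 0x1F: "direct key"}

def _len(buf, i, sub=False):
    """New-format packet length or subpacket length at buf[i] -> (length, next index)."""
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    if o < 224 or sub:                # two-octet form; 224..254 is partial-body (packets only)
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    raise ValueError("partial body lengths not supported")

def packets(data):
    """Yield (tag, body) for each packet; accepts old- and new-format headers."""
    i = 0
    while i < len(data):
        c = data[i]
        if c & 0x40:                  # new-format header: tag in low 6 bits
            tag, (n, i) = c & 0x3F, _len(data, i + 1)
        else:                         # old-format header; length type 3 (indeterminate) unsupported
            tag, w = (c >> 2) & 0x0F, (1, 2, 4)[c & 3]
            n, i = int.from_bytes(data[i + 1:i + 1 + w], "big"), i + 1 + w
        yield tag, data[i:i + n]
        i += n

def signatures(body, backsig=False):
    """Yield (sig_type, hash_algo, is_backsig) for a v4 signature body and any embedded backsig."""
    if body[0] == 4:                  # v3 signatures are not handled here
        yield body[1], body[3], backsig
        i = 4
        for _ in range(2):            # hashed area, then unhashed area
            n = int.from_bytes(body[i:i + 2], "big")
            area, j = body[i + 2:i + 2 + n], 0
            while j < len(area):      # subpacket = length, type (critical bit masked), body
                m, j = _len(area, j, sub=True)
                if area[j] & 0x7F == 32:          # Embedded Signature carries the backsig
                    yield from signatures(area[j + 1:j + m], backsig=True)
                j += m
            i += 2 + n

def lint(cert):                       # -> [(sig type, hash name, is_backsig)] for weak-hash sigs
    return [(SIGTYPE.get(t, hex(t)), WEAK_HASH[h], b) for tag, body in packets(cert)
            if tag == 2 for t, h, b in signatures(body) if h in WEAK_HASH]

# Constructed sample: old-format SHA1 positive certification (0x13), then a new-format
# SHA256 subkey binding (0x18) whose unhashed area embeds a SHA1 backsig (0x19).
SAMPLE_CERT = bytes.fromhex("880a 0413 0102 0000 0000 0000"
                            "c216 0418 0108 0000 000c 0b20 0419 0102 0000 0000 0000 0000")
```

On the sample, `lint(SAMPLE_CERT)` reports the SHA1 certification and the SHA1 backsig but not the SHA256 binding that wraps it.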