Re: [openpgp] New fingerprint: to v5 or not to v5

ianG <> Sat, 19 September 2015 15:19 UTC

From: ianG <>
Date: Sat, 19 Sep 2015 16:19:12 +0100
Subject: Re: [openpgp] New fingerprint: to v5 or not to v5
List-Id: "Ongoing discussion of OpenPGP issues." <>

Hi Werner,

On 17/09/2015 19:41 pm, Werner Koch wrote:
> I'd like to get opinions on one specific aspect of a new fingerprint
> format in 4880bis.
> In the past we bound the fingerprint format to the key packet version:
> v3 keys used MD5 and v4 keys SHA-1 fingerprints.  This gained us the
> benefit of having a bijective connection between fingerprint and key.

I'm hugely on that side.  I'll always vote for that.  I even staked my 
rep on it :)

Which came directly from the experience of hacking PGP & OpenPGP in 
Perl/Java as part of Cryptix.  The tears, the fears, the costs.

So:  the only choice for me is which hash you pick for v5.  If you want 
another one, start planning for v6.

> For X.509 and ssh (OpenSSH), there has always been an uncertainty which
> fingerprint to use because there is no well established standard for it.
> For a long time MD5 was used but then some users switched to SHA-1, and
> meanwhile SHA-256 is also seen more often.  These fingerprint formats
> can easily be distinguished by their length and thus the format itself
> is not a problem.  However, if you ask users to verify the fingerprint
> of a certificate and you give them SHA-1 but they have only access to
> the MD5 fingerprint things start to get wrong.  Complicated (human)
> reasoning about the identity of a certificate needs to be done.
> With OpenPGP it is easier: The specs say that a key is described by one
> and only one fingerprint.  There is no way to assign a different
> fingerprint to the same key.
> If we want to introduce a, say, SHA-256 fingerprint, the straightforward
> way is to define a v5 key packet format which will be identical to the
> v4 format with the exception of the packet version number (and maybe
> rules on what algorithms to use with a v5 key) [1].
> Such a v5 format also means that it is not possible to switch to the new
> fingerprint format for existing v4 keys.  The v4 keys would continue to
> use SHA-1 fingerprints.
> Some people claim that a SHA-1 fingerprint might soon be problematic due
> to collision attacks.  If we assume that this is indeed the case, the
> question is whether switching to SHA-256 for the very same key does
> actually help: The mix of different fingerprints for the same key will
> lead to the same confusion we have seen with X.509 and ssh.  Further, if
> there is a need to switch to a stronger fingerprint format for the same
> key, should the user not also assume that the use of the key has already
> been compromised and it is time to create a new key?

The message is clear to me:  "Start upgrading to v5."

Put your energy in the future.  Put your users' energy into the future...

> Given that we are expecting to soon switch from RSA to ECC for improved
> security and that the current base of OpenPGP implementations supporting
> ECC is quite small, I would recommend not to allow a second fingerprint
> format for v4 keys but to bind a new fingerprint format to a v5 key
> packet version.
> Shalom-Salam,
>     Werner
> [1] I recently talked to the guy who asked a long time ago for a hard
> expiration time in a future key packet format.  He is not anymore
> interested in this and thus other technical changes to the key packet
> format are not needed.

iang, who not everyone agrees with...
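An added example, not part of the thread, showing the mechanism Werner describes: the fingerprint hash is selected by the key packet's version octet, so a given key has exactly one fingerprint, and the v4 and v5 digests are told apart by length alone. The v4 construction (SHA-1 over 0x99, a two-octet length and the packet body) is the one in RFC 4880; the v5 construction used here (SHA-256 over a 0x9A tag and a four-octet length) is an assumption for illustration, since the message does not fix the v5 hash input. The key material, creation time and the helper names are constructed for the example.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude (RFC 4880 3.2)."""
    if value == 0:
        return b"\x00\x00"
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def public_key_body(version: int, created: int, algo: int, mpis: list) -> bytes:
    """Public-key packet body: version octet, 4-octet creation time, algorithm id, then the MPIs."""
    return bytes([version]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def fingerprint_v4(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet length || body.  Always 20 octets."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def fingerprint_v5(body: bytes) -> bytes:
    """Assumed v5 construction (not from the thread): SHA-256 over 0x9A || four-octet length || body."""
    return hashlib.sha256(b"\x9a" + struct.pack(">I", len(body)) + body).digest()


def fingerprint(body: bytes) -> bytes:
    """The version octet alone decides the hash, so one key packet has exactly one fingerprint."""
    version = body[0]
    if version == 4:
        return fingerprint_v4(body)
    if version == 5:
        return fingerprint_v5(body)
    raise ValueError(f"unsupported key packet version {version}")


def key_id_v4(body: bytes) -> bytes:
    """A v4 key ID is the low 64 bits of the v4 fingerprint."""
    return fingerprint_v4(body)[-8:]


def x509_style_fingerprints(der: bytes) -> dict:
    """The situation Werner contrasts with: several unrelated digests of the same bytes,
    distinguishable only by length, none of them 'the' fingerprint."""
    return {name: hashlib.new(name, der).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed sample values; this is not a real key.
SAMPLE_N = 0xC0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SAMPLE_E = 65537
SAMPLE_CREATED = 1442675000
RSA = 1  # public-key algorithm id for RSA


def demo() -> dict:
    """Same key material as a v4 and as a v5 packet: two different, length-distinguishable fingerprints."""
    v4 = public_key_body(4, SAMPLE_CREATED, RSA, [SAMPLE_N, SAMPLE_E])
    v5 = public_key_body(5, SAMPLE_CREATED, RSA, [SAMPLE_N, SAMPLE_E])
    return {
        "v4_fingerprint": fingerprint(v4).hex(),
        "v4_keyid": key_id_v4(v4).hex(),
        "v5_fingerprint": fingerprint(v5).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value} ({len(value) // 2} octets)")
```

A verifier that receives a fingerprint can infer the packet version from its length (20 octets for v4, 32 for the assumed v5) and recompute exactly one digest, which is the property the thread argues for; an implementation that accepted a SHA-256 digest of a v4 body would recreate the X.509/ssh ambiguity that `x509_style_fingerprints` illustrates.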