Re: [openpgp] Deprecating SHA1
Guillem Jover <guillem@hadrons.org> Fri, 23 October 2020 20:15 UTC
Date: Fri, 23 Oct 2020 22:15:04 +0200
From: Guillem Jover <guillem@hadrons.org>
To: "Neal H. Walfield" <neal@walfield.org>
Cc: "openpgp@ietf.org" <openpgp@ietf.org>, keyring-maint@debian.org
Message-ID: <20201023201504.GB72347@thunder.hadrons.org>
References: <87sga5xg03.wl-neal@walfield.org>
In-Reply-To: <87sga5xg03.wl-neal@walfield.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Yhk7hn6M5F1L_7seI1sw2v7m7Qk>
Hi!

[ CCing the Debian keyring maintainers, that I'm not sure whether they
  are subscribed, and leaving enough quoted text for context. ]

[ And forgot to actually CC the first time around, sorry! :) ]

On Fri, 2020-10-23 at 14:51:08 +0200, Neal H. Walfield wrote:
> I'm turning to this mailing list to seek advice about how to deal with
> SHA1-based self signatures.  I have two concrete questions, which are
> at the bottom of the email.  But first, I want to present the concrete
> problem and my thoughts so far.
>
>
> Based on the "SHA-1 is a Shambles" paper [1] we decided to change
> Sequoia to reject signatures that use SHA1 by default [2].  This
> includes both signatures over data, as well as self signatures of all
> kinds including primary key binding signatures (aka backsigs).
>
>   [1] https://sha-mbles.github.io/
>   [2] https://docs.sequoia-pgp.org/sequoia_openpgp/policy/struct.StandardPolicy.html#method.reject_hash_at
>
> A Secure Drop developer recently contacted us, and indicated that our
> policy was too strict: some of the Secure Drop installations have
> offline keys that use SHA1, and the users have no easy way (or lack
> the will) to update those keys.
>
> This prompted me to investigate the use of SHA1 in general.
> Unfortunately, it appears that many actively used certificates from
> technically sophisticated users still rely on SHA1.  The results of my
> investigation are here:
>
>   https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
> […]
>
> Looking at the Debian Keyring, I found that:
>
>   - 106 of the 884 certificates (12%) use SHA1 for all User ID binding
>     signatures and direct key signatures
>
>   - 63 more (7%) use SHA1 to protect at least one non-revoked User ID.
>
>   - 234 have a non-revoked, live signing capable subkey
>
>     - 19 of those have binding signatures that use SHA1 in some way
>       (8%).
>
>     - 9 use something stronger for the subkey binding signature, but
>       SHA1 for the backsig.  (This appears to be a bug in GnuPG, which
>       I reported [4].)
>
>   [4] https://dev.gnupg.org/T5110
>
> As Debian Developers are perhaps the most sophisticated OpenPGP users,
> this is pretty damning.
> […]
>
> Given these results, we decided to reevaluate our bad listing of SHA1.
> As the SHA1 paper indicates that SHA1's preimage resistance is not
> broken, I thought that we might be able to accept SHA1 for self
> signatures, and not for documents [6].  But, Azul pointed out [7] that
> Mallory could create a collision for a document and a self-signature,
> and then convince Alice to sign the document.  This could work in
> practice because Mallory can predict everything in the signature, but
> the timestamp, and if Alice is an automated signing service, there is
> a good chance that Mallory would be able to get Alice to sign the
> document at the right time.
>
>   [6] https://gitlab.com/sequoia-pgp/sequoia/-/issues/595
>   [7] https://gitlab.com/sequoia-pgp/sequoia/-/issues/595#note_433768966
> […]
>
> So, two questions:
>
>   - Does anyone see a safe way to accept SHA1 self-signatures today?
>     Or (ouch!), if we want to be safe, do we have to convince ~10% of
>     the sophisticated OpenPGP users to re-sign or regenerate their
>     keys?

[…]

Regards,
Guillem
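The survey quoted above classifies certificates by which hash algorithm their User ID binding signatures, subkey binding signatures and backsigs use. The following is an added example, not code from this thread, from Sequoia or from GnuPG: a minimal audit over the packet structure of an OpenPGP certificate that reports the hash algorithm of every v4 signature, including the backsig carried in the embedded-signature subpacket of a subkey binding, so that the "SHA256 binding but SHA1 backsig" case from the thread shows up as its own finding. It handles old- and new-format packet headers but not partial body lengths, and only v4 signatures. The sample certificate at the bottom is constructed by hand with dummy key material and dummy MPIs; it is not a real key and nothing here verifies signatures.

```python
# Added example (not the thread's or Sequoia's code): list the hash algorithm
# used by each signature in an OpenPGP certificate, backsigs included.
import struct

SHA1 = 2
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_NAMES = {0x10: "cert-generic", 0x11: "cert-persona", 0x12: "cert-casual",
             0x13: "cert-positive", 0x18: "subkey-binding", 0x19: "primary-key-binding",
             0x1F: "direct-key", 0x20: "key-revocation", 0x30: "cert-revocation"}
EMBEDDED_SIGNATURE = 32                      # subpacket type that carries a backsig
PUBLIC_KEY, SIGNATURE, USER_ID, PUBLIC_SUBKEY = 6, 2, 13, 14


def read_packets(data):
    """Yield (tag, body) per packet; old and new framing, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                       # new-format header
            tag, b0 = ctb & 0x3F, data[i]
            if b0 < 192:
                length, i = b0, i + 1
            elif b0 < 224:
                length, i = ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
            elif b0 == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, i = data[i], i + 1
            elif ltype == 1:
                length, i = struct.unpack(">H", data[i:i + 2])[0], i + 2
            elif ltype == 2:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                length = len(data) - i       # indeterminate: rest of the input
        yield tag, data[i:i + length]
        i += length


def read_subpackets(area):
    """Yield (type, body) per signature subpacket; the critical bit is dropped."""
    i = 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:
            length, i = b0, i + 1
        elif b0 < 255:
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length


def parse_signature(body):
    """Return (sigtype, hash_alg, [embedded signature bodies]) of a v4 signature."""
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sigtype, hash_alg = body[1], body[3]
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    embedded = [b for t, b in (*read_subpackets(hashed), *read_subpackets(unhashed))
                if t == EMBEDDED_SIGNATURE]
    return sigtype, hash_alg, embedded


def audit_signature_hashes(cert):
    """List (component, signature kind, hash name) for every signature, backsigs included."""
    report, component = [], None
    for tag, body in read_packets(cert):
        if tag == PUBLIC_KEY:
            component = "primary key"
        elif tag == USER_ID:
            component = "User ID " + body.decode("utf-8", "replace")
        elif tag == PUBLIC_SUBKEY:
            component = "subkey"
        elif tag == SIGNATURE:
            sigtype, hash_alg, embedded = parse_signature(body)
            report.append((component, SIG_NAMES.get(sigtype, hex(sigtype)),
                           HASH_NAMES.get(hash_alg, str(hash_alg))))
            for emb in embedded:             # backsig inside a subkey binding signature
                e_type, e_hash, _ = parse_signature(emb)
                report.append((component, SIG_NAMES.get(e_type, hex(e_type)) + " (embedded)",
                               HASH_NAMES.get(e_hash, str(e_hash))))
    return report


def sha1_findings(cert):
    """Only the signatures a policy that rejects SHA1 would refuse."""
    return [entry for entry in audit_signature_hashes(cert) if entry[2] == "SHA1"]


# Constructed sample certificate: dummy key bodies and MPIs, not a real key.
def _packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body           # new format, body < 192 bytes

def _signature(sigtype, hash_alg, unhashed=b""):
    return (bytes([4, sigtype, 1, hash_alg]) + struct.pack(">H", 0)   # v4, RSA, no hashed subpackets
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + b"\x00\x08\xab")                          # digest prefix, dummy MPI

_KEY_BODY = b"\x04" + b"\x5f\x93\x3e\x00" + b"\x01" + b"\x00\x08\xab" + b"\x00\x02\x03"
_BACKSIG = _signature(0x19, SHA1)                          # backsig still on SHA1
_EMBEDDED = bytes([len(_BACKSIG) + 1, EMBEDDED_SIGNATURE]) + _BACKSIG
SAMPLE_CERT = (_packet(PUBLIC_KEY, _KEY_BODY)
               + _packet(USER_ID, b"Alice (constructed) <alice@example.org>")
               + _packet(SIGNATURE, _signature(0x13, SHA1))           # SHA1 User ID binding
               + _packet(PUBLIC_SUBKEY, _KEY_BODY)
               + _packet(SIGNATURE, _signature(0x18, 8, unhashed=_EMBEDDED)))  # SHA256 binding

if __name__ == "__main__":
    for component, kind, digest in audit_signature_hashes(SAMPLE_CERT):
        print("%-45s %-32s %s" % (component, kind, digest))
```

Run against the constructed certificate, the report lists the User ID self-signature and the embedded backsig as SHA1 while the subkey binding itself is SHA256, which is exactly the combination the thread attributes to the GnuPG bug: checking only the outer binding signature's hash would miss it. To audit a real keyring, feed each binary (non-armored) certificate to audit_signature_hashes and aggregate the SHA1 findings per component.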
- [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Paul Wouters
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Guillem Jover
- Re: [openpgp] Deprecating SHA1 Guillem Jover
- Re: [openpgp] Deprecating SHA1 Jonathan McDowell
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 brian m. carlson
- Re: [openpgp] Deprecating SHA1 Jon Callas
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Peter Gutmann
- Re: [openpgp] Deprecating SHA1 Benjamin Kaduk
- Re: [openpgp] Deprecating SHA1 Ángel
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Tobias Mueller
- Re: [openpgp] Deprecating SHA1 heikostamer
- Re: [openpgp] SHA1 Linter & Fixer Neal H. Walfield