Re: [Sam Hartman] Openpgp comments

Werner Koch <> Wed, 20 September 2006 13:25 UTC

From: Werner Koch <>
To: Anton Stiglic <>
Cc: "'Daniel A. Nagy'" <>, 'OpenPGP' <>
Subject: Re: [Sam Hartman] Openpgp comments
References: <>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2;
Date: Wed, 20 Sep 2006 14:46:29 +0200
In-Reply-To: <> (Anton Stiglic's message of "Wed, 20 Sep 2006 07:40:35 -0400")
Message-ID: <>
User-Agent: Gnus/5.110006 (No Gnus v0.6)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

On Wed, 20 Sep 2006 13:40, Anton Stiglic said:

> NIST is planning to phase out SHA-1 by 2010; they are going with SHA-224,
> SHA-256, SHA-384 and SHA-512.
> In Canada, CSE will phase out SHA-1 for protected C information by 2008.

A note to describe why we use SHA-1 with the MDC would really be
appropriate.  We are not using it for authentication but to detect
manipulation of data.  This is commonly known as a checksum.  Thus,
the acronym MDC and not MAC.  To me detection and authentication have
different semantics.

It has been said a few times: The MDC is not what we need to care
about when thinking of SHA-1 vulnerabilities.  There are other usages
of SHA-1 we need to rethink.

Over the last 8 years since RFC 2440 we have talked several times about
things we want to address in the future.  There is actually a long
list.  We can't keep important OpenPGP features - which address actual
vulnerabilities - any longer in an I-D state just for the sake of
getting rid of SHA-1 now.  We need time to address all these items
properly and not do some ad-hoc solutions.  In the meantime 2440bis
needs to get out.  Whether with or without an MDCv2 political option, I
don't care.

> I don't know what is going on in Europe and the rest of the world, but I
> would be surprised if they were going with SHA-1 in the long term.
> You cannot ignore these decisions if you want openpgp to be successful.

I have not heard about any plans to switch to SHA-2.  At least Germany
is still using RIPEMD-160 out of fear that SHA-1 was developed
in the U.S.  I don't think that this algorithm is any better than
SHA-1 but some people decided in the past to use a European algorithm
(another layer 9 issue).
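The MDC construction Werner refers to, as an added example that is not part of the original message and is not GnuPG code. It follows the layout later published in RFC 4880 section 5.13 (the 2440bis text under discussion): the material that gets encrypted inside a Symmetrically Encrypted Integrity Protected Data packet is `prefix || plaintext || 0xD3 0x14 || SHA-1(prefix || plaintext || 0xD3 0x14)`, where the prefix is one cipher block of random bytes followed by a repeat of its last two bytes. The block leaves the symmetric cipher out and works on the decrypted layout only; the block size of 16, the sample messages and the helper names `protect`, `unprotect`, `detects_modification` and `forgery_without_key` are this example's own choices. It shows the two properties the message is about: a single flipped byte is caught, and the hash is unkeyed, so anyone can produce a plaintext that verifies (which is why it is a detection code and not a MAC; the protection comes from the attacker not holding the session key needed to encrypt such a layout).

```python
"""
OpenPGP MDC (Modification Detection Code) worked example.

Layout per RFC 4880 section 5.13 (the published 2440bis), reconstructed
here as an illustration rather than taken from any OpenPGP implementation:

    prefix || plaintext || 0xD3 0x14 || SHA1(prefix || plaintext || 0xD3 0x14)

prefix = block_size random bytes followed by a copy of its last two bytes.
The SHA-1 value is unkeyed: it is a checksum, not a MAC.
"""
import hashlib
import hmac
import os

MDC_HEADER = b"\xd3\x14"   # new-format packet header: tag 19 (MDC), body length 20
MDC_LEN = 2 + 20           # header plus SHA-1 digest

def make_prefix(block_size=16, random_bytes=None):
    """One cipher block of random bytes, then its last two bytes again."""
    rnd = random_bytes if random_bytes is not None else os.urandom(block_size)
    if len(rnd) != block_size:
        raise ValueError("prefix must be exactly one cipher block")
    return rnd + rnd[-2:]

def compute_mdc(prefix, plaintext):
    """SHA-1 over everything that precedes the digest, including the MDC header."""
    return hashlib.sha1(prefix + plaintext + MDC_HEADER).digest()

def protect(plaintext, block_size=16, random_bytes=None):
    """Build the to-be-encrypted layout (what the sender hands to the cipher)."""
    prefix = make_prefix(block_size, random_bytes)
    return prefix + plaintext + MDC_HEADER + compute_mdc(prefix, plaintext)

def unprotect(decrypted, block_size=16):
    """Verify the layout after decryption and return the plaintext, or raise."""
    plen = block_size + 2
    if len(decrypted) < plen + MDC_LEN:
        raise ValueError("too short to hold prefix and MDC packet")
    prefix = decrypted[:plen]
    # Quick check: repeated prefix bytes catch a wrong key or a truncated start.
    if prefix[block_size - 2:block_size] != prefix[block_size:]:
        raise ValueError("quick check on repeated prefix bytes failed")
    plaintext = decrypted[plen:-MDC_LEN]
    mdc_packet = decrypted[-MDC_LEN:]
    if mdc_packet[:2] != MDC_HEADER:
        raise ValueError("missing MDC packet header")
    if not hmac.compare_digest(compute_mdc(prefix, plaintext), mdc_packet[2:]):
        raise ValueError("MDC mismatch: data was modified")
    return plaintext

def detects_modification(sample=b"constructed sample message"):
    """Flip one plaintext bit in the decrypted layout; the MDC check must fail."""
    blob = bytearray(protect(sample))
    blob[18] ^= 0x01   # first plaintext byte: after the 16 + 2 byte prefix
    try:
        unprotect(bytes(blob))
    except ValueError:
        return True
    return False

def forgery_without_key(attacker_text=b"forged by someone with no key"):
    """The MDC is unkeyed, so a valid layout for any text needs no secret.

    This is the checksum-versus-MAC distinction: the MDC alone does not
    authenticate the sender.  What stops an attacker is that they cannot
    produce the encryption of this layout under the session key."""
    return unprotect(protect(attacker_text)) == attacker_text

if __name__ == "__main__":
    print("tamper detected:", detects_modification())
    print("unkeyed forgery verifies:", forgery_without_key())
```

`protect` and `unprotect` sit on either side of the cipher call that a real implementation would make with the session key; run stand-alone they show that the SHA-1 here only needs to be collision- and second-preimage-resistant against an attacker who cannot see or alter the hash in the clear, which is the sense in which the message says the MDC is not the SHA-1 usage to worry about first.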