Re: [Sam Hartman] Openpgp comments

Werner Koch <wk@gnupg.org> Wed, 20 September 2006 13:25 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GQ24j-0001wi-2U for openpgp-archive@lists.ietf.org; Wed, 20 Sep 2006 09:25:17 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GQ24h-0005jk-Gz for openpgp-archive@lists.ietf.org; Wed, 20 Sep 2006 09:25:17 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KCrTuF091703; Wed, 20 Sep 2006 05:53:29 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k8KCrTPW091702; Wed, 20 Sep 2006 05:53:29 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [217.69.77.222]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k8KCrRj9091696 for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 05:53:28 -0700 (MST) (envelope-from wk@gnupg.org)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.50 #1 (Debian)) id 1GQ1i4-0006Pp-Cm for <ietf-openpgp@imc.org>; Wed, 20 Sep 2006 15:01:52 +0200
Received: from wk by localhost with local (Exim 4.62 #1 (Debian)) id 1GQ1TB-0005kg-Qp; Wed, 20 Sep 2006 14:46:29 +0200
From: Werner Koch <wk@gnupg.org>
To: Anton Stiglic <astiglic@okiok.com>
Cc: "'Daniel A. Nagy'" <nagydani@epointsystem.org>, 'OpenPGP' <ietf-openpgp@imc.org>
Subject: Re: [Sam Hartman] Openpgp comments
References: <20060920115146.9E8981683A9@mail.okiok.com>
Organisation: g10 Code GmbH
OpenPGP: id=5B0358A2; url=finger:wk@g10code.com
Date: Wed, 20 Sep 2006 14:46:29 +0200
In-Reply-To: <20060920115146.9E8981683A9@mail.okiok.com> (Anton Stiglic's message of "Wed, 20 Sep 2006 07:40:35 -0400")
Message-ID: <874pv24sey.fsf@wheatstone.g10code.de>
User-Agent: Gnus/5.110006 (No Gnus v0.6)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 1.8 (+)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9

On Wed, 20 Sep 2006 13:40, Anton Stiglic said:

> NIST is planning to phase out SHA-1 by 2010, they are going with SHA-224,
> SHA-256, SHA-384 and SHA-512.  
> http://csrc.nist.gov/hash_standards_comments.pdf
>
> In Canada, CSE will phase out SHA-1 for protected C information by 2008.

A note to describe why we use SHA-1 with the MDC would really be
appropriate.  We are not using it for authentication but to detect
manipulation of data.  This is commonly known as a checksum.  Thus,
the acronym MDC and not MAC.  To me detection and authentication have
different semantics.

It has been said a few times: The MDC is not what we need to care
about when thinking of SHA-1 vulnerabilities.  There are other usages
of SHA-1 we need to rethink.

Over the last 8 years since rfc2440 we have talked several times about
things we want to address in the future.  There is actually a long
list.  We can't keep important OpenPGP features - which address actual
vulnerabilities - any longer in an I-D state just for the sake of
getting rid of SHA-1 now.  We need time to address all these items
properly and not do some ad-hoc solutions.  In the meantime 2440bis
needs to get out.  Whether with or without an MDCv2 political option, I
don't care.

> I don't know what is going on in Europe and the rest of the world, but I
> would be surprised if they were going with SHA-1 in the long term.
> You cannot ignore these decisions if you want openpgp to be successful.

I have not heard about any plans to switch to SHA-2.  At least Germany
is still using RIPEMD-160 out of fear that SHA-1 has been developed
in the U.S.  I don't think that this algorithm is any better than
SHA-1 but some people decided in the past to use a European algorithm
(another layer 9 issue).


Salam-Shalom,

   Werner
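The MDC-versus-MAC distinction Werner draws above, shown in code. This is an added example and is not part of the mail or of any OpenPGP implementation. It assumes the MDC construction that the 2440bis drafts carried and that RFC 4880 (section 5.14) later fixed: SHA-1 over the random prefix, the plaintext, and the two-octet MDC packet header 0xD3 0x14, with the resulting MDC packet encrypted together with the data. The prefix, plaintext and key are constructed sample values, and the HMAC-SHA-256 tag is included only as a keyed contrast, not as anything OpenPGP does with the MDC.

```python
"""Added example: OpenPGP-style MDC (a keyless checksum) next to a keyed MAC."""
import hashlib
import hmac

# MDC packet header as fixed by RFC 4880 section 5.14: tag octet 0xD3, length 0x14 (20).
MDC_HEADER = b"\xd3\x14"

# Constructed sample values (not from the mail): an 18-octet prefix of the shape
# OpenPGP uses with a 128-bit block cipher (16 random octets followed by a repeat
# of the last two), and a short literal plaintext.
PREFIX = bytes(range(16)) + bytes([14, 15])
PLAINTEXT = b"Meeting moved to 15:00."


def compute_mdc(prefix: bytes, plaintext: bytes) -> bytes:
    """SHA-1 over prefix || plaintext || MDC header. No key is involved: anyone
    who holds the plaintext can compute this value, which is why it is a
    modification *detection* code and not a message *authentication* code."""
    return hashlib.sha1(prefix + plaintext + MDC_HEADER).digest()


def build_protected_payload(prefix: bytes, plaintext: bytes) -> bytes:
    """The octets OpenPGP places under the symmetric cipher in a SEIPD packet:
    prefix || plaintext || MDC packet (header + 20-octet digest)."""
    return prefix + plaintext + MDC_HEADER + compute_mdc(prefix, plaintext)


def verify_mdc(decrypted: bytes) -> bool:
    """Integrity check a receiver runs after decryption: the last 22 octets must
    be an MDC packet whose digest matches everything before it."""
    if len(decrypted) < len(MDC_HEADER) + 20:
        return False
    body = decrypted[:-22]
    header = decrypted[-22:-20]
    digest = decrypted[-20:]
    if header != MDC_HEADER:
        return False
    expected = hashlib.sha1(body + MDC_HEADER).digest()
    return hmac.compare_digest(expected, digest)


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Keyed contrast: HMAC-SHA-256 over the same data. Only holders of the key
    can produce or check it (illustration only; not part of the MDC design)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def flip_byte(data: bytes, index: int) -> bytes:
    """Simulate a single-octet modification of the decrypted data."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def run_demo() -> dict:
    """Exercise both constructions and report the properties the mail contrasts."""
    payload = build_protected_payload(PREFIX, PLAINTEXT)
    results = {}
    # 1. An untouched payload passes the MDC check.
    results["mdc_accepts_intact"] = verify_mdc(payload)
    # 2. A one-bit change inside the plaintext region is detected.
    results["mdc_detects_change"] = not verify_mdc(flip_byte(payload, len(PREFIX) + 3))
    # 3. Dropping the MDC packet is also detected (the header check fails).
    results["mdc_detects_truncation"] = not verify_mdc(payload[:-22])
    # 4. The MDC is keyless: a second party with the same plaintext recomputes it exactly.
    results["mdc_is_keyless"] = compute_mdc(PREFIX, PLAINTEXT) == payload[-20:]
    # 5. The MAC is not: a different key yields a different tag.
    key = b"constructed-demo-key-do-not-reuse"
    tag = compute_mac(key, PREFIX + PLAINTEXT)
    other = compute_mac(b"some-other-constructed-key", PREFIX + PLAINTEXT)
    results["mac_needs_key"] = not hmac.compare_digest(tag, other)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Every entry of `run_demo()` comes back `True`. Points 1 to 3 are the checksum job the MDC does; point 4 is why it cannot be a MAC; point 5 is what a keyed MAC adds. The security of the MDC rests on the cipher hiding both the plaintext and the digest, not on SHA-1 collision resistance, which is the reason the mail treats the MDC separately from OpenPGP's other SHA-1 uses.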