Re: [openpgp] New fingerprint: which hash algo

ianG <iang@iang.org> Thu, 08 October 2015 22:48 UTC

Return-Path: <iang@iang.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19B41A1EF7 for <openpgp@ietfa.amsl.com>; Thu, 8 Oct 2015 15:48:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QqCIwM2z07q9 for <openpgp@ietfa.amsl.com>; Thu, 8 Oct 2015 15:48:17 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D7D61A1EF6 for <openpgp@ietf.org>; Thu, 8 Oct 2015 15:48:17 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by virulha.pair.com (Postfix) with ESMTPSA id A73836D769; Thu, 8 Oct 2015 18:48:15 -0400 (EDT)
To: openpgp@ietf.org
References: <878u84zy4r.fsf@vigenere.g10code.de> <55FD7CF0.8030200@iang.org> <87io742kz7.fsf@latte.josefsson.org> <87mvw4ctv5.fsf_-_@vigenere.g10code.de> <CA+cU71n1OUq4TtmY+8S2yfu2bvjAr+=DwtN-4xRW4xitjDpFXg@mail.gmail.com> <20151006110330.38b38ea4@latte.josefsson.org>
From: ianG <iang@iang.org>
Message-ID: <5616F2AE.5050106@iang.org>
Date: Thu, 8 Oct 2015 23:48:14 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151006110330.38b38ea4@latte.josefsson.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/acUIv9AB1fgzsAuJDtSv7G7890Y>
Subject: Re: [openpgp] New fingerprint: which hash algo
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 22:48:18 -0000

On 6/10/2015 10:03 am, Simon Josefsson wrote:
>> On 30 September 2015 at 01:18, Werner Koch <wk@gnupg.org>; wrote:
>>> On Mon, 21 Sep 2015 11:13, simon@josefsson.org said:
>>>
>>>> Regarding which hash to use, SHA-256 is probably the simplest
>>>> choice From a practicallity and consensus point of view.  Are
>>>> there any strong reasons to favor something else?
>>
>> I have a small preference to see the fingerprint algorithm match what
>> we believe the most popular signature (hash) algorithm will be. I've
>> been working with a number of embedded folks and code size can often
>> be a big concern. More Algorithms, More Code.
>
> My perception is that the most popular signature hash algorithms right
> now are SHA-256 and SHA-512.

Err... A few minor quibbles here about the notions of cryptographic 
democracy:


1.  Popularity?  Why is that interesting?  Surely we can do a bit better 
than democracy or fashion or votes on cat pictures?

Engineering or planning, anyone?

2.  The reason SHA-256 is the most popular these days is that, in the 
wake of the 2004 Shandong hashquake, we've made a stunning amount of 
progress in upgrading.  We've almost decided against SHA1 in 
certificates.  We're almost serious about it.  And now that freestart 
collisions are chewing it down to its last 4 bits, we might actually ... 
do it.

(Which is to say, popularity got us to a situation where *11* years 
after the shots were fired, and 15 years after the new version was 
delivered, we're still using lots and lots of SHA1.  We want to improve 
that with 15 year old tech?)

3.  It's certainly a stunning indictment on algorithmic agility that 
SHA1 is still an issue, which is another process by which popularity 
makes its objective mark.


> While SHA-256 and SHA-512 have somewhat
> different characteristics on different platforms, I believe we are
> approaching the limit of where a lot of additional comparisons are
> worth the time and effort compared to just pick one of them.  I'm fine
> with SHA-256 for the reasons that Werner presented.  Does someone
> else want to promote another option?  Can we get closure on this?
>
> /Simon