Re: How to Calculate Signatures?
Ian G <iang@systemics.com> Mon, 04 April 2005 15:33 UTC
Message-ID: <42515A30.3060204@systemics.com>
Date: Mon, 04 Apr 2005 16:16:00 +0100
From: Ian G <iang@systemics.com>
To: ietf-openpgp@imc.org
CC: Hal Finney <hal@finney.org>
Subject: Re: How to Calculate Signatures?
References: <20050404043638.42B3F57EBA@finney.org>
In-Reply-To: <20050404043638.42B3F57EBA@finney.org>

Hal Finney wrote:
> Ian G writes:
>
>>I'm curious on this point. Other than the fact that
>>"it's broken" why is it that you see it important to
>>repair the DSA in OpenPGP?
>
>
> I'm not sure if you are asking why we worry about using SHA-1 at all given
> that the attack is theoretical, or why we don't just abandon DSA keys.

I'd say it is an open question, so either or both.

> For the first question, my main concern is that the SHA-1 attack
> may get worse so that it becomes computationally feasible to find
> collisions. If that happens we could be vulnerable to attacks like
> http://eprint.iacr.org/2005/067 which showed two X.509 certificates
> with the same hash. The attacks could become even stronger to where
> different userids could collide.

I think now I understand this as more an issue for WoT than documents - is that right? (I think I'm deriving that from the last sentence above...) In that people who have DSA keys and have lots of sigs are faced with losing their 'investment'. OK, I agree that is potentially a larger concern than document sigs as key signing represents something of an institution.

> For the second, DSA key users do not presently have the options RSA
> key users do to move to other hashes. As I argued, the additional risk
> of giving DSA users more options is not that large. Letting them use
> other hashes would allow them to continue to use their existing keys
> and benefit from the signatures they have acquired on those keys.

OK. In risk terms it might not be that high. But in cost terms, it is significant. Any changes to the way signatures have to be dealt with would have to be promulgated through the community, as, if the signature verification wasn't standard and acceptable to all code bases, it loses its value rapidly.

So the analysis needs to question not only the risks but also the costs and benefits. The number of people who need to have DSA and keep using their existing keys for signatures seems to be quite small. In order for these people to benefit, they must be able to create the sigs, and everyone else must be able to at least read the sigs. So any change will take a year or two to filter through until there is wide enough distribution of verification, and during that time, I suspect the slow uptake will be overtaken by events.

To me, I don't see the cost-benefit analysis coming out as favourable; far better to suggest that people use RSA keys if they are really very keen to have the best security in signatures, until the DSS-2 situation settles out.

(in the 90s, this would have been a very different situation, as RSA faced patent and cryptoexport problems, so there would have been a group that might have been limited to using DSA.)

All IMHO of course!

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/