Re: [openpgp] Deprecating SHA1
Phil Pennock <ietf-phil-openpgp@spodhuis.org> Sun, 25 October 2020 01:19 UTC
Return-Path: <ietf-phil-openpgp@spodhuis.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D0A93A0B29 for <openpgp@ietfa.amsl.com>; Sat, 24 Oct 2020 18:19:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spodhuis.org header.b=CSib/2EA; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=spodhuis.org header.b=Svbz+Mhz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QejVlJaW0fll for <openpgp@ietfa.amsl.com>; Sat, 24 Oct 2020 18:19:31 -0700 (PDT)
Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03AFA3A0B22 for <openpgp@ietf.org>; Sat, 24 Oct 2020 18:19:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d202008; h=OpenPGP:In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:From:Reply-To:Subject:Date:To: Cc:Content-Transfer-Encoding:Content-ID:Content-Description:OpenPGP: Organization; bh=RKHKYk/I/tcKYjJbYA8swJDPfnWC9wbLI5FPKmgghec=; t=1603588771; x=1604798371; b=CSib/2EAW3rRxsU7C/nxHU9Gzsq5HtUUGIRvc0nyppgNoapNe+lfRENWUBUj atrKF/BZ9eL42qJr1mHNiqP66TgGTquB/d7No42L4NV6fGe0o5fH052b7Og02tYinIKq5EgckK2ma 3DKb3pKFdS2k7jhBWb9Y3fIdIbxWNKGEMhd3pMTFEVuFm/N4bJbYMF1mtxomYH4LmpB6G0Vk3fa65 MxeZ7ekQqKLyn7D8ljmrKqjNkl9ktdRmadWWVjmVD9eFedHBOpFeKwKE7DUy72P1z4bOBqLHaO5Ho 8N8OJyQNZeAM+AQubLrQ2DgBUt3eYyFIp51cwiF2Dw9EmnWatxA==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d202008e2; h=OpenPGP:In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:From:Reply-To:Subject:Date:To: Cc:Content-Transfer-Encoding:Content-ID:Content-Description:OpenPGP: Organization; bh=RKHKYk/I/tcKYjJbYA8swJDPfnWC9wbLI5FPKmgghec=; t=1603588771; x=1604798371; b=Svbz+Mhzvwh7aLxZLACUlxSo4O+8r0UgCh+/Buau7umrQ0s1zFmx4JxOz4dF i4oWQc+bqjp29HDcqvROPNX1Cw==;
Received: from authenticated user by smtp.spodhuis.org with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) id 1kWUgx-0007Ll-E1; Sun, 25 Oct 2020 01:19:27 +0000
Date: Sat, 24 Oct 2020 21:19:24 -0400
From: Phil Pennock <ietf-phil-openpgp@spodhuis.org>
To: Jonathan McDowell <noodles@earth.li>
Cc: openpgp@ietf.org
Message-ID: <20201025011924.GB1089002@fullerene.field.pennock-tech.net>
Mail-Followup-To: Jonathan McDowell <noodles@earth.li>, openpgp@ietf.org
References: <87sga5xg03.wl-neal@walfield.org> <20201023192317.GA444398@fullerene.field.pennock-tech.net> <20201024085725.GB2594@earth.li>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20201024085725.GB2594@earth.li>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/keys-2013rsa-2020cv25519.asc
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/kDXKlaq44ywstS_M-C-57YxXZJk>
Subject: Re: [openpgp] Deprecating SHA1
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Oct 2020 01:19:32 -0000
On 2020-10-24 at 09:57 +0100, Jonathan McDowell wrote: > On Fri, Oct 23, 2020 at 03:23:17PM -0400, Phil Pennock wrote: > > gpg --expert --cert-digest-algo SHA256 --sign-key $YourKeyId > > I'm one of the people with a SHA1 self signature. I've been aware of it > for some time, and it's been on my todo list to sort out, but when I > last tried GPG did not make it possible. What version of GPG is > necessary for the above to work? The somewhat aged versions on the > airgapped machine my master key lives on do not seem to want to update > the type of the self sig with that command. [ not to list-cop, just to make sure that I'm not blindly taking this down a rat-hole not germane to the IETF list, since I'm the one who raised GnuPG in the first place: ] Since this affects the ease of a deprecation, I'm considering this on-topic enough for me to reply here; if the follow-ups are specific to GnuPG, then gnupg-users might be a better mailing-list? If it's about the real-world practicalities of migrating and the impact on IETF standardization then perhaps not. I see commit messages about "Honor --cert-digest-algo when recreating a cert." from 2012: commit 2b3cb2ee94625498e7a7f939216c9bcddef6ec20 Author: David Shaw Date: Tue Jan 31 21:30:05 2012 -0500 commit 60c58766aeb847b769372fa981f79abac6014500 Author: Christian Aistleitner Date: Sun Oct 14 20:30:20 2012 +0200 Using `git tag --contains $COMMIT_SHA`, it looks like gnupg-2.1.0 onwards include it. If memory serves, there's an "odd minor is dev, even minor is release" pattern used here, so 2.2 would have been the first "real release" even though lots of places had 2.1 packaged. <https://gnupg.org/download/> has an EOL table; GnuPG 1.4 is dead-end with no support for modern algorithms; 2.0 started on 2006-11-11 and reached EOL on 2017-12-31. GnuPG 2.2 cites 2014-11-06. If the modern GnuPG approach to partitioning up the work in managing a keyring is of concern, then I suspect Neal will be happy to help with a migration to Sequoia PGP. :) -Phil
- [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Paul Wouters
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Guillem Jover
- Re: [openpgp] Deprecating SHA1 Guillem Jover
- Re: [openpgp] Deprecating SHA1 Jonathan McDowell
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 brian m. carlson
- Re: [openpgp] Deprecating SHA1 Jon Callas
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Peter Gutmann
- Re: [openpgp] Deprecating SHA1 Benjamin Kaduk
- Re: [openpgp] Deprecating SHA1 Ángel
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Tobias Mueller
- Re: [openpgp] Deprecating SHA1 heikostamer
- Re: [openpgp] SHA1 Linter & Fixer Neal H. Walfield