Re: [openpgp] Deprecating SHA1
"Neal H. Walfield" <neal@walfield.org> Fri, 30 October 2020 09:51 UTC
Return-Path: <neal@walfield.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC06D3A0D7E for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2020 02:51:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ud-CAAp8HwCl for <openpgp@ietfa.amsl.com>; Fri, 30 Oct 2020 02:51:05 -0700 (PDT)
Received: from mail.dasr.de (mail.dasr.de [217.69.77.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3336F3A0D7C for <openpgp@ietf.org>; Fri, 30 Oct 2020 02:51:02 -0700 (PDT)
Received: from pd9e79cc0.dip0.t-ipconnect.de ([217.231.156.192] helo=forster.huenfield.org) by mail.dasr.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.86_2) (envelope-from <neal@walfield.org>) id 1kYR3k-0005vm-5v for openpgp@ietf.org; Fri, 30 Oct 2020 09:51:00 +0000
Received: from grit.huenfield.org ([192.168.20.9] helo=grit.walfield.org) by forster.huenfield.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <neal@walfield.org>) id 1kYR3j-0005ej-L6; Fri, 30 Oct 2020 10:50:59 +0100
Date: Fri, 30 Oct 2020 10:50:59 +0100
Message-ID: <87d010vy7w.wl-neal@walfield.org>
From: "Neal H. Walfield" <neal@walfield.org>
To: "Neal H. Walfield" <neal@walfield.org>, openpgp@ietf.org
In-Reply-To: <20201025010343.GA1089002@fullerene.field.pennock-tech.net>
References: <87sga5xg03.wl-neal@walfield.org> <20201023192317.GA444398@fullerene.field.pennock-tech.net> <87lffvy6kf.wl-neal@walfield.org> <20201025010343.GA1089002@fullerene.field.pennock-tech.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM/1.14.9 (Gojō) APEL/10.8 EasyPG/1.0.0 Emacs/26 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-SA-Exim-Connect-IP: 192.168.20.9
X-SA-Exim-Mail-From: neal@walfield.org
X-SA-Exim-Scanned: No (on forster.huenfield.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/lk7wJ3IAE2no7__3BN8Qp_d7Wtw>
Subject: Re: [openpgp] Deprecating SHA1
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 09:51:09 -0000
On Sun, 25 Oct 2020 02:03:43 +0100, Phil Pennock wrote: > For myself, even with the oldest key, using expiring subkeys and > refreshing periodically with newer subkeys, everything _except_ the > self-sig had updated automatically by the time I went looking. Right. User ID self signatures are the worse offenders, but subkey binding signatures are also a problem. I collected some statistics about different projects. You can find them here: https://gitlab.com/sequoia-pgp/sequoia/-/issues/595 It seems that there are 19 certificates in the Debian keyring that have non-revoked, live signing-capable subkeys that rely on SHA-1 in someway. 10 use SHA1 for the subkey binding signature, and 9 only use it for the primary key binding signature (the backsig). That's just over 2% of the certificates in the Debian keyring. Arch is about the same (2 of 76 certificates). Although it is possible to fix the subkey binding signature by adjusting the subkey's expiration time, using gpg, this won't update the backsig, see: https://dev.gnupg.org/T5110 > I think really we need some nice pgpkey-sanitycheck command-line tool, > from any project, which looks purely at public key information, so > doesn't need to care about internals (private keys, keyboxes, etc). > > Such a tool might then report on outdated algorithms used in important > places, while avoiding getting into the political mess of which > algorithm order preferences should be included in a key. > > Deprecating X without tools to make it _trivial_ for people to tell if > they're affected by X is going to be frustrating. In my previous email, > I didn't mention the diagnostics I used to show people that their key > was affected, but it involved `gpg --list-packets` and it was not > pretty. Indeed. Unfortunately, `gpg --list-packets` doesn't show the content of the backsig: $ gpg --export FPR | gpg --list-packets ... # off=806 ctb=89 tag=2 hlen=3 plen=346 :signature packet: algo 1, keyid A23C95250F66162A version 4, created 1603438577, md5len 0, sigclass 0x18 digest algo 10, begin of digest e9 34 hashed subpkt 27 len 1 (key flags: 02) hashed subpkt 33 len 21 (issuer fpr v4 2...) hashed subpkt 2 len 4 (sig created 2020-10-23) hashed subpkt 9 len 4 (key expires after 3y0d0h5m) ** subpkt 32 len 156 (signature: v4, class 0x19, algo 1, digest algo 2) subpkt 16 len 8 (issuer key ID A...) data: [1024 bits] For what it is worth, `pgpdump` `sq packet dump` (also at https://dump.sequoia-pgp.org), and `rnp --list-packets` do show that information. > I held off on "asking others to write software for me" in the previous > post, keeping it to "this exists now". This time around, I'm throwing > out a "Hey, pgpkey-sanitycheck would be a nice tool to have, folks" and > running away. The tool that I used to conduct my analysis is available here: https://gitlab.com/sequoia-pgp/keyring-linter (Eventually we plan to integrate a linter into `sq`.) Justus was nice enough to upload it to crates.io: https://crates.io/crates/sequoia-keyring-linter So it should be just a `cargo install sequoia-keyring-linter` away. And, if I understood dkg correctly, he is in the process of packaging it for Debian. :) Neal
- [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Paul Wouters
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Guillem Jover
- Re: [openpgp] Deprecating SHA1 Guillem Jover
- Re: [openpgp] Deprecating SHA1 Jonathan McDowell
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 brian m. carlson
- Re: [openpgp] Deprecating SHA1 Jon Callas
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Phil Pennock
- Re: [openpgp] Deprecating SHA1 Peter Gutmann
- Re: [openpgp] Deprecating SHA1 Benjamin Kaduk
- Re: [openpgp] Deprecating SHA1 Ángel
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Neal H. Walfield
- Re: [openpgp] Deprecating SHA1 Tobias Mueller
- Re: [openpgp] Deprecating SHA1 heikostamer
- Re: [openpgp] SHA1 Linter & Fixer Neal H. Walfield