Re: NIST publishes new DSA draft

hal@finney.org ("Hal Finney") Tue, 14 March 2006 23:49 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FJJH5-0003hb-NL for openpgp-archive@lists.ietf.org; Tue, 14 Mar 2006 18:49:59 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FJJH4-000245-BZ for openpgp-archive@lists.ietf.org; Tue, 14 Mar 2006 18:49:59 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2ENPEb4019847; Tue, 14 Mar 2006 16:25:14 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k2ENPEdl019846; Tue, 14 Mar 2006 16:25:14 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from finney.org (226-132.adsl2.netlojix.net [207.71.226.132]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k2ENPC4B019840 for <ietf-openpgp@imc.org>; Tue, 14 Mar 2006 16:25:12 -0700 (MST) (envelope-from hal@finney.org)
Received: by finney.org (Postfix, from userid 500) id 1B3AF57FB0; Tue, 14 Mar 2006 15:31:08 -0800 (PST)
To: james.couzens@electricmail.com
Subject: Re: NIST publishes new DSA draft
Cc: ietf-openpgp@imc.org
Message-Id: <20060314233108.1B3AF57FB0@finney.org>
Date: Tue, 14 Mar 2006 15:31:08 -0800
From: hal@finney.org
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 798b2e660f1819ae38035ac1d8d5e3ab

James Couzens writes:
> I had thought it a bit strange that someone writing so comprehensively
> about something related to digital signatures and to then make the
> statement as you did at the end of the paragraph I quoted.  Did you have
> some other intended meaning, such as broken by draft explicit
> prohibition or otherwise declared deprecated in a future draft?

Yes, sorry, my language was not as precise as it might have been.
I said we should be ready in case SHA-1 were broken, but as you note
it has been officially "broken" for over a year.  However that is just
a theoretical break and no actual examples of SHA-1 message collisions
have yet been published.  So at this point SHA-1 is in a bit of a limbo
state, theoretically broken but still in widespread use.

If the attack should get worse so that SHA-1 collisions could be found
in a practical amount of time, then we would have a much more urgent
need to switch to another hash.  That is what I really meant when I
said we should be ready if SHA-1 should be broken.

Hal Finney