Re: DEADBEEF vs SHA1
vedaal@nym.hush.com Fri, 18 February 2011 00:23 UTC
Received: from hoffman.proper.com (localhost [127.0.0.1]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p1I0NXfo039192 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Feb 2011 17:23:33 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by hoffman.proper.com (8.14.4/8.13.5/Submit) id p1I0NXNB039191; Thu, 17 Feb 2011 17:23:33 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: hoffman.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp12.hushmail.com (smtp12.hushmail.com [65.39.178.135]) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p1I0NWu9039185 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-openpgp@imc.org>; Thu, 17 Feb 2011 17:23:32 -0700 (MST) (envelope-from vedaal@nym.hush.com)
Received: from smtp12.hushmail.com (localhost.localdomain [127.0.0.1]) by smtp12.hushmail.com (Postfix) with SMTP id DB2E7C011A for <ietf-openpgp@imc.org>; Fri, 18 Feb 2011 00:23:31 +0000 (UTC)
X-Hush-Verified-Domain: nym.hush.com
Received: from smtp.hushmail.com (w4.hushmail.com [65.39.178.50]) by smtp12.hushmail.com (Postfix) with ESMTP for <ietf-openpgp@imc.org>; Fri, 18 Feb 2011 00:23:31 +0000 (UTC)
Received: by smtp.hushmail.com (Postfix, from userid 99) id 644C410E2B7; Fri, 18 Feb 2011 00:23:31 +0000 (UTC)
MIME-Version: 1.0
Date: Thu, 17 Feb 2011 19:23:31 -0500
To: ietf-openpgp@imc.org
Subject: Re: DEADBEEF vs SHA1
From: vedaal@nym.hush.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20110218002331.644C410E2B7@smtp.hushmail.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
On Thu, 17 Feb 2011 14:12:20 -0500 David Shaw <dshaw@jabberwocky.com> wrote: >The problem is that the issuer subpacket doesn't >differentiate between V3 and V4, so it's possible to make a >DEADBEEF V3 key and use it to do a version rollback / denial of >service attack against a V4 key. .... >In terms of the issue that originally started this thread, the >proposal to include and compare the complete fingerprint resolves >this attack as well (slightly better in this case, in fact, since >a V3 fingerprint can't even accidentally collide with a V4 one). ..... >I wonder if it would also be useful for >implementations to simply refuse (or at least give the option to >refuse) to import any V3 keys. But if there is an effective solution that offers inclusion, and doesn't require any additional work, (and probably needs to be implemented anyway independent of v3 keys), then why choose a path of exclusion of V3 keys? (Even if only for Ian's point, that there are lots of v3 encrypted and signed material out there, that should be accessable.) When Senderek described the ADK flaw, people could have argued similarly to exclude V4 keys, (but wisely chose to keep subkey capability and simple just fixed the ADK problem). vedaal
- Re: DEADBEEF vs SHA1 Daniel A. Nagy
- Re: DEADBEEF vs SHA1 vedaal
- Re: DEADBEEF vs SHA1 Ian G
- Re: DEADBEEF vs SHA1 David Shaw
- Re: DEADBEEF vs SHA1 Lutz Donnerhacke
- Re: DEADBEEF vs SHA1 David Shaw
- Re: DEADBEEF vs SHA1 Jon Callas
- Re: DEADBEEF vs SHA1 Daniel Kahn Gillmor
- Re: DEADBEEF vs SHA1 Werner Koch
- Re: DEADBEEF vs SHA1 David Shaw
- Re: DEADBEEF vs SHA1 David Shaw
- Re: DEADBEEF vs SHA1 Daniel Kahn Gillmor
- DEADBEEF vs SHA1 David Shaw