Re: DEADBEEF vs SHA1

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 February 2011 20:08 UTC

On 02/17/2011 02:12 PM, David Shaw wrote:
> I wonder if it would also be useful for implementations to
> simply refuse (or at least give the option to refuse) to
> import any V3 keys.

I think this seems like a reasonable step to take.  As a user, given the
option between:

 a) losing communication with v3 users

 b) allowing anyone to lock me out of communications with v4 users

I would prefer (a).

	--dkg