Re: PGP evolving, improving



Adam Back says:
> > b. There have been no practical cases of signature spoofing with MD5--it
> > hasn't been broken.
> 
> I agree, in the general case it has not.  I'll discuss a better
> user migration path below.

Excuse me, gentlemen, were there any practical cases of signature
spoofing with MD4?

Also, since this is an IETF forum, let me remind you that the
official IETF security guideline is: "For all the new standards
MD5 shall not be used - but SHA-1".

Of course, Security Area folks don't have the depth of knowledge
that David has been exhibiting on the Net for quite a while (:-).

However, as an algorithm starts showing cracks, a cryptographer
with brains replaces it before the "practical" cases start 
piling up. For a commercial product to get into such a
situation would mean death, I think (unless you are
Micro$oft, of course :-).

> > c. PGP Inc. has made no attempt to remove MD5 in pay PGP 5.0
> 
> It is possible that Will was talking about the fingerprint spoofing
> attack, which you are probably aware of.  This flaw is nothing to do
> with MD5 or RSA per se, but more to do with a flaw introduced in the
> way that the fingerprint is calculated in pgp2.x.

It was possibly to ease the upgrade path for paying customers. Like:
"Yes, we strongly suggest you move to SHA-1, but to make sure your
traffic isn't interrupted, here's 'bilingual' PGP for you."

> > Brave talk, but if you had any integrity you would have explained
> > any concerns and left it up to users by preserving all options--not
> > crammed it down the free user's throats.
> 
> I think that unencumbered algorithms are a good thing, however I think
> the method of "encouraging" migration to DSS/EG algorithms has largely
> backfired.  I did a survey of pgp users, which I'll collate shortly,
> and several commented that they scrapped 5.0 and went back to 2.x when
> they discovered the various compatibility problems (eg. not being able
> to generate RSA keys).

Well, the only compatibility concerns that *I* have as a user are
related to the broken *interface*. I.e. I APPLAUD the move to DSS
and EG (would like to see ECC too, BTW) - but I absolutely hate
the fact that I can no longer use Mailcrypt-3.4 from XEmacs.
This is my "compatibility problem", not the ability or
inability to generate RSA keys (which you can take
with you on your way out :-).

> Now the discussion of a better migration path.  It seems to me that a
> nice thing to do would be to generate two keys at key gen time: an RSA
> key and an DSS/EG pair.

What if I *don't* want to generate RSA keys. Why cram those down my
throat? Make it possible to generate DSS *or* DSS+RSA, if you REALLY
insist...

> Largely transparent interoperability on all versions
> would I suspect paradoxically have meant many more people made the
> switch.

Yes and no. Of course transparency will help. HOWEVER, many of PGP
users have either no time, or no skills (or "no" both) to modify
the software that interfaces between their favorite whatever
and PGP. For me it is Mailcrypt/XEmacs. Until *that* part
is taken care of - don't expect people to switch.
-- 
Regards,
Uri		uri@xxxxxxxxxxxxxx
-=-=-=-=-=-=-
<Disclaimer>
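The thread above touches two points without spelling them out: the IETF guidance to use SHA-1 rather than MD5 in new standards, and Adam Back's remark that the pgp2.x fingerprint problem lies in how the fingerprint is calculated rather than in MD5 or RSA themselves. The following is an added illustration, not code from the thread or from PGP. It assumes the V3 fingerprint rule as later written down in RFC 4880 section 12.2 (MD5 over the bodies of the MPIs n and e, with their two-octet length headers left out) and the V4 rule (SHA-1 over 0x99, the packet length and the whole public-key packet including MPI lengths). The integers used are constructed toy values chosen only for their byte layout; they are not RSA keys. The point it makes is a defender's one: when the encoding does not record where one field ends and the next begins, two different keys can hash to the same fingerprint, so the fix is unambiguous encoding, not merely a longer digest.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    return struct.pack(">H", value.bit_length()) + body


def v3_fingerprint(n: int, e: int) -> str:
    """PGP 2.x / V3 style (assumed per RFC 4880 12.2): MD5 over the MPI bodies of n and e,
    with the length headers dropped, so the n/e boundary is not part of the hashed data."""
    return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest()


def v4_fingerprint(n: int, e: int, created: int = 0) -> str:
    """V4 style (assumed per RFC 4880 12.2): SHA-1 over 0x99, a two-octet packet length,
    and the public-key packet body: version 4, creation time, algorithm id 1 (RSA),
    then the MPIs *including* their length headers."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()


def boundary_ambiguous(n1: int, e1: int, n2: int, e2: int) -> bool:
    """True when two distinct (n, e) pairs yield the same byte stream once MPI lengths are
    dropped, i.e. the V3 hash input cannot tell them apart."""
    return (n1, e1) != (n2, e2) and mpi(n1)[2:] + mpi(e1)[2:] == mpi(n2)[2:] + mpi(e2)[2:]


# Constructed toy values (not real keys): the same seven bytes 01 02 03 04 05 06 07
# split as 5+2 for the first pair and 4+3 for the second.
N1, E1 = 0x0102030405, 0x0607
N2, E2 = 0x01020304, 0x050607


def demo() -> dict:
    """Return both fingerprints for both pairs so the difference can be inspected or tested."""
    return {
        "ambiguous": boundary_ambiguous(N1, E1, N2, E2),
        "v3_equal": v3_fingerprint(N1, E1) == v3_fingerprint(N2, E2),
        "v4_equal": v4_fingerprint(N1, E1) == v4_fingerprint(N2, E2),
    }


if __name__ == "__main__":
    for label, n, e in (("pair 1", N1, E1), ("pair 2", N2, E2)):
        print(f"{label}: V3 md5  {v3_fingerprint(n, e)}")
        print(f"{label}: V4 sha1 {v4_fingerprint(n, e)}")
    print(demo())
```

Running it shows the two pairs sharing one V3 fingerprint while their V4 fingerprints differ. Swapping MD5 for SHA-1 in the V3 construction would not help: the collision comes from the hash input, which is why the V4 format fixed the encoding as well as the digest.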